
Panic when loading custom policies from specific directory

Open NitroCao opened this issue 2 years ago • 2 comments

Description

Run this command:

trivy config --trace --format json --exit-code 23 --policy /tmp Dockerfile

The /tmp directory contains only one valid rego file; the others are invalid rego files.

What did you expect to happen?

Print error message when failing to load custom policies.

What happened instead?

Panicked directly.

Output of run with -debug:

panic: runtime error: slice bounds out of range [5:4]

goroutine 1 [running]:
golang.org/x/mod/sumdb/dirhash.DirFiles.func1({0xc001ca1638, 0x4}, {0x3ddef80?, 0xc0009ec1a0?}, {0x0?, 0x0?})
        /home/runner/go/pkg/mod/golang.org/x/[email protected]/sumdb/dirhash/hash.go:96 +0x228
path/filepath.walk({0xc001ca1638, 0x4}, {0x3ddef80, 0xc0009ec1a0}, 0xc002a193f0)
        /opt/hostedtoolcache/go/1.18.2/x64/src/path/filepath/path.go:418 +0x123
path/filepath.Walk({0xc001ca1638, 0x4}, 0xc002a193f0)
        /opt/hostedtoolcache/go/1.18.2/x64/src/path/filepath/path.go:505 +0x6c
golang.org/x/mod/sumdb/dirhash.DirFiles({0xc001ca1638?, 0x100a88b?}, {0x0, 0x0})
        /home/runner/go/pkg/mod/golang.org/x/[email protected]/sumdb/dirhash/hash.go:87 +0x9b
golang.org/x/mod/sumdb/dirhash.HashDir({0xc001ca1638, 0x4}, {0x0, 0x0}, 0x39259a0)
        /home/runner/go/pkg/mod/golang.org/x/[email protected]/sumdb/dirhash/hash.go:71 +0x36
github.com/aquasecurity/fanal/cache.CalcKey({_, _}, _, _, {{0x0, 0x0}, {0xc001e43c00, 0x36, 0x40}, {0x0, ...}, ...})
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/cache/key.go:37 +0x35a
github.com/aquasecurity/fanal/artifact/local.Artifact.calcCacheKey({{0x7ff7bfeff5f8, 0xa}, {0xe389dd8, 0xc000a95c80}, {{{0x0, 0x0, 0x0}, {0xc00124d480, 0x3, 0x4}}}, ...}, ...)
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/artifact/local/fs.go:166 +0x253
github.com/aquasecurity/fanal/artifact/local.Artifact.Inspect({{0x7ff7bfeff5f8, 0xa}, {0xe389dd8, 0xc000a95c80}, {{{0x0, 0x0, 0x0}, {0xc00124d480, 0x3, 0x4}}}, ...}, ...)
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/artifact/local/fs.go:128 +0x538
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0x0, 0x0, 0x0}, {0xc000a95bd0, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:110 +0x103
github.com/aquasecurity/trivy/pkg/commands/artifact.scan({_, _}, {{0xc00124d200, 0xc0014a1780, {0x3db17d0, 0x6}, 0x0, 0x0, {0xc001d58480, 0x26}}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:462 +0x3fe
github.com/aquasecurity/trivy/pkg/commands/artifact.(*Runner).Scan(_, {_, _}, {{0xc00124d200, 0xc0014a1780, {0x3db17d0, 0x6}, 0x0, 0x0, {0xc001d58480, ...}}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:180 +0xc7
github.com/aquasecurity/trivy/pkg/commands/artifact.(*Runner).scanFS(_, {_, _}, {{0xc00124d200, 0xc0014a1780, {0x3db17d0, 0x6}, 0x0, 0x0, {0xc001d58480, ...}}, ...})
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:166 +0xcd
github.com/aquasecurity/trivy/pkg/commands/artifact.(*Runner).ScanFilesystem(...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:146
github.com/aquasecurity/trivy/pkg/commands/artifact.run({_, _}, {{0xc00124d200, 0xc0014a1780, {0x3db17d0, 0x6}, 0x0, 0x0, {0xc001d58480, 0x26}}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:325 +0x450
github.com/aquasecurity/trivy/pkg/commands/artifact.ConfigRun(0xc00124d200)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/config.go:26 +0x2a5
github.com/urfave/cli/v2.(*Command).Run(0xc0010e3c20, 0xc0003b0240)
        /home/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/command.go:163 +0x5bb
github.com/urfave/cli/v2.(*App).RunContext(0xc0003be9c0, {0x3dd9920?, 0xc00012c008}, {0xc000138000, 0xa, 0xa})
        /home/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:313 +0xb48
github.com/urfave/cli/v2.(*App).Run(...)
        /home/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:224
main.main()
        /home/runner/work/trivy/trivy/cmd/trivy/main.go:16 +0x4f

Output of trivy -v:

0.28.1

Additional details (base image name, container registry info...):

NitroCao (Jun 07 '22 09:06)
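The top frame of the trace is the walk callback inside dirhash.DirFiles, and the bounds "[5:4]" describe a slice that starts one byte past the end of a four-byte string, which is the length of "/tmp". The Go program below is an added example, not code from this issue, from Trivy or from golang.org/x/mod: naiveRelFiles (a constructed name) re-implements that trimming pattern, rel = file[len(dir)+1:], and safeRelFiles (also constructed) shows the check a practitioner would want instead, returning an error for a --policy path that is not a directory rather than crashing. The fixture is constructed too: a policy directory holding one valid and one broken .rego file, reached through a symlink, which is one input that yields exactly this panic shape because filepath.Walk reports a symlinked root with Lstat and so never treats it as a directory. Whether that is what the reporter hit is not established in the thread.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// naiveRelFiles mirrors the trimming at dirhash/hash.go:96 in the trace
// (rel = file[len(dir)+1:]), which assumes every path the walk callback sees
// is longer than dir. filepath.Walk uses Lstat, so a symlinked root is not a
// directory, the callback gets file == dir, and the slice panics "[N+1:N]".
// Constructed re-implementation for illustration, not the x/mod code itself.
func naiveRelFiles(dir string) (files []string, err error) {
	dir = filepath.Clean(dir)
	err = filepath.Walk(dir, func(file string, info os.FileInfo, walkErr error) error {
		if walkErr != nil || info.IsDir() { // info is nil only when walkErr != nil
			return walkErr
		}
		rel := file[len(dir)+1:] // panics when file == dir
		files = append(files, filepath.ToSlash(rel))
		return nil
	})
	return files, err
}

// safeRelFiles drops that assumption: resolve a symlinked root, reject a
// non-directory root with a plain error (what the reporter expected for a
// bad --policy path), and use filepath.Rel rather than index arithmetic.
func safeRelFiles(dir string) ([]string, error) {
	resolved, err := filepath.EvalSymlinks(dir)
	if err != nil {
		return nil, fmt.Errorf("policy path %q: %w", dir, err)
	}
	if st, err := os.Stat(resolved); err != nil || !st.IsDir() {
		return nil, fmt.Errorf("policy path %q is not a directory (%v)", dir, err)
	}
	var files []string
	err = filepath.Walk(resolved, func(file string, info os.FileInfo, walkErr error) error {
		if walkErr != nil || info.IsDir() {
			return walkErr
		}
		rel, relErr := filepath.Rel(resolved, file)
		if relErr != nil {
			return relErr
		}
		files = append(files, filepath.ToSlash(rel))
		return nil
	})
	return files, err
}

// catchPanic turns a runtime panic raised by fn into an ordinary error.
func catchPanic(fn func() ([]string, error)) (files []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	return fn()
}

// makeFixture builds a constructed policy dir with one valid and one broken
// .rego file, plus a symlink pointing at it (the shape /tmp has on macOS).
func makeFixture() (dir, link string, cleanup func(), err error) {
	base, err := os.MkdirTemp("", "policy-fixture")
	if err != nil {
		return "", "", func() {}, err
	}
	cleanup = func() { os.RemoveAll(base) }
	dir, link = filepath.Join(base, "policies"), filepath.Join(base, "policies-link")
	good := "package user.dockerfile\n\ndeny[msg] {\n  input.Stages[_].Commands[_].Cmd == \"user\"\n  msg := \"constructed\"\n}\n"
	bad := "package user.broken\n\ndeny[msg] {\n" // cut off mid-body: invalid Rego
	for _, step := range []func() error{
		func() error { return os.Mkdir(dir, 0o755) },
		func() error { return os.WriteFile(filepath.Join(dir, "good.rego"), []byte(good), 0o644) },
		func() error { return os.WriteFile(filepath.Join(dir, "bad.rego"), []byte(bad), 0o644) },
		func() error { return os.Symlink(dir, link) },
	} {
		if err = step(); err != nil {
			break
		}
	}
	return dir, link, cleanup, err
}

func main() {
	dir, link, cleanup, err := makeFixture()
	defer cleanup()
	if err != nil {
		panic(err)
	}
	for _, root := range []string{dir, link} {
		nf, nerr := catchPanic(func() ([]string, error) { return naiveRelFiles(root) })
		sf, serr := safeRelFiles(root)
		fmt.Printf("%s\n  naive: %v err=%v\n  safe:  %v err=%v\n", root, nf, nerr, sf, serr)
	}
}
```

Run stand-alone, the program lists both .rego files for the real directory with either walker, then for the symlinked root shows the naive walker failing with "slice bounds out of range" while the safe walker still lists both files. The invalid bad.rego is deliberately never parsed here: the trace shows the crash happening while hashing the directory for a cache key, before any Rego is compiled, so the file contents are irrelevant to this particular panic.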

@NitroCao thanks for your report. I can't reproduce this issue. Could you show your custom rego file? Thanks a lot!

afdesk (Jun 14 '22 18:06)

This issue is stale because it has been labeled with inactivity.

github-actions[bot] (Sep 13 '22 00:09)

@NitroCao could you confirm that this issue is still relevant? Thanks!

afdesk (Nov 13 '22 17:11)

Confirmed that Trivy now exits with error messages when specifying invalid rego files in the latest version, 0.34.0. Thanks for your work!

NitroCao (Nov 14 '22 02:11)