trivy icon indicating copy to clipboard operation
trivy copied to clipboard
Published 3 weeks ago verified publisher icon aquasecurity

fix: julia parser panicing

Open SuperSandro2000 opened this issue 7 months ago • 1 comments 

panic: runtime error: index out of range [0] with length 0

goroutine 60 [running]:
github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest.decodeDependency(0xc009103b90, {{{0x83faa00, 0xc0091516b0}, {0xc009190b20, 0x2, 0x2}}, {0xc0085fa245, 0x24}, {0x0, 0x0}, ...}, ...)
        github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest/parse.go:146 +0x66d
github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest.decodeManifest(0xc009103b90, 0xc00582bbc0)
        github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest/parse.go:122 +0x25e
github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest.(*Parser).Parse(0xa6a0f40?, {0xa704f00, 0xc006cc4388})
        github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest/parse.go:59 +0x32d
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language.Parse({0x92fd8db, 0x5}, {0xc000fcec00, 0x54}, {0xa6a0f40?, 0xc006cc4388?}, {0xa6a9600, 0xe1bee80})
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/analyze.go:55 +0xd7
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg.juliaAnalyzer.parseJuliaManifest(...)
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg/pkg.go:102
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg.juliaAnalyzer.PostAnalyze.func2({0xc000fcec00, 0x54}, {0x54?, 0xc00917c2d0?}, {0xa6a0f40?, 0xc006cc4388?})
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg/pkg.go:62 +0x8a
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg.juliaAnalyzer.PostAnalyze.WalkDir.func3({0xc000fcec00, 0x54}, {0xa71be98, 0xc000cff310}, {0x0?, 0x0?})
        github.com/aquasecurity/trivy/pkg/utils/fsutils/fs.go:88 +0x214
io/fs.walkDir({0xa6a1940, 0xc003ebf008}, {0xc000fcec00, 0x54}, {0xa71be98, 0xc000cff310}, 0xc00582c9a0)
        io/fs/walk.go:73 +0x6c
io/fs.walkDir({0xa6a1940, 0xc003ebf008}, {0xc00917c280, 0x46}, {0xa71be98, 0xc00458e2a8}, 0xc00582c9a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc003ebf008}, {0xc00540eac0, 0x32}, {0xa71be98, 0xc004421068}, 0xc00582c9a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc003ebf008}, {0xc00371b1a0, 0x29}, {0xa71be98, 0xc004420c08}, 0xc00582c9a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc003ebf008}, {0xc00371b110, 0x24}, {0xa71be98, 0xc004420668}, 0xc00582c9a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc003ebf008}, {0xc006bc90e0, 0x1e}, {0xa71be98, 0xc0044202a8}, 0xc00582c9a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc003ebf008}, {0xc0038b7380, 0x12}, {0xa71be98, 0xc0036ea708}, 0xc00582c9a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc003ebf008}, {0xc00657dab0, 0x9}, {0xa71be98, 0xc001182b68}, 0xc00582c9a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc003ebf008}, {0xc00657da5a, 0x3}, {0xa71be98, 0xc001182848}, 0xc00582c9a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc003ebf008}, {0xa66d8d8, 0x1}, {0xa71b268, 0xc000ae9650}, 0xc00582c9a0)
        io/fs/walk.go:95 +0x2bc
io/fs.WalkDir({0xa6a1940, 0xc003ebf008}, {0xa66d8d8, 0x1}, 0xc00582c9a0)
        io/fs/walk.go:122 +0x9a
github.com/aquasecurity/trivy/pkg/utils/fsutils.WalkDir(...)
        github.com/aquasecurity/trivy/pkg/utils/fsutils/fs.go:75
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg.juliaAnalyzer.PostAnalyze({{0xa6a9600?, 0xe1bee80?}, 0xc0012129e0?}, {0x2c?, 0x47?}, {{0xa6a1940, 0xc003ebf008}, {0x0, 0x0, 0x0}, ...})
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg/pkg.go:60 +0x186
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc001212480, {0xc00078f800, 0x1d, 0x20}, {0xc0003ff980, 0x6, 0x8}, 0xc0017baf60, {0x9309192, 0x7}}, ...)
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/analyzer.go:521 +0x399
github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspectLayer({0xc001212e20, {0xa74afa0, 0xc000464dc0}, {0x7f39f846d008, 0xc000eb2210}, {{0xe1bee80, 0x0, 0x0}, {0xe1bee80, 0x0, ...}}, ...}, ...)
        github.com/aquasecurity/trivy/pkg/fanal/artifact/image/image.go:415 +0x7a9
github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect.func1({0xa71b038, 0xc000d3e460}, {0xc000f23f40, 0x47})
        github.com/aquasecurity/trivy/pkg/fanal/artifact/image/image.go:332 +0x23c
github.com/aquasecurity/trivy/pkg/parallel.(*Pipeline[...]).Do.func2()
        github.com/aquasecurity/trivy/pkg/parallel/pipeline.go:82 +0xa4
golang.org/x/sync/errgroup.(*Group).Go.func1()
        golang.org/x/[email protected]/errgroup/errgroup.go:78 +0x50
created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 1
        golang.org/x/[email protected]/errgroup/errgroup.go:75 +0x93

Description

Related issues

  • Close #XXX

Related PRs

  • [ ] #XXX
  • [ ] #YYY

Remove this section if you don't have related PRs.

Checklist

  • [ ] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [ ] I've added tests that prove my fix is effective or that my feature works.
  • [ ] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

SuperSandro2000 avatar May 16 '25 10:05 SuperSandro2000

I did some digging if I can find the relevant Manifest.toml, I couldn't but the image I scanned is based on a public one and with that the crash happens, too.

 ➜ trivy image --scanners vuln quay.io/jupyter/datascience-notebook:latest
2025-05-16T13:09:41+02:00       INFO    [vuln] Vulnerability scanning is enabled
2025-05-16T13:09:48+02:00       INFO    [python] Licenses acquired from one or more METADATA files may be subject to additional terms. Use `--debug` flag to see all affected packages.
2025-05-16T13:09:53+02:00       INFO    [javadb] Downloading Java DB...
2025-05-16T13:09:53+02:00       INFO    [javadb] Downloading artifact...        repo="mirror.gcr.io/aquasec/trivy-java-db:1"
519.64 MiB / 735.91 MiB [------------------------------------------------------------------------>_____________________________] 70.61% 103.87 MiB p/s ETA 2spanic: runtime error: index out of range [0] with length 0

goroutine 79 [running]:
github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest.decodeDependency(0xc004eb36e0, {{{0x83faa00, 0xc004ec9c38}, {0xc004f12520, 0x2, 0x2}}, {0xc00044daa5, 0x24}, {0x0, 0x0}, ...}, ...)
        github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest/parse.go:146 +0x66d
github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest.decodeManifest(0xc004eb36e0, 0xc003e05bc0)
        github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest/parse.go:122 +0x25e
github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest.(*Parser).Parse(0xa6a0f40?, {0xa704f00, 0xc00250b130})
        github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest/parse.go:59 +0x32d
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language.Parse({0x92fd8db, 0x5}, {0xc005db8c00, 0x54}, {0xa6a0f40?, 0xc00250b130?}, {0xa6a9600, 0xe1bee80})
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/analyze.go:55 +0xd7
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg.juliaAnalyzer.parseJuliaManifest(...)
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg/pkg.go:102
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg.juliaAnalyzer.PostAnalyze.func2({0xc005db8c00, 0x54}, {0x54?, 0xc004da9630?}, {0xa6a0f40?, 0xc00250b130?})
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg/pkg.go:62 +0x8a
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg.juliaAnalyzer.PostAnalyze.WalkDir.func3({0xc005db8c00, 0x54}, {0xa71be98, 0xc00093bdb0}, {0x0?, 0x0?})
        github.com/aquasecurity/trivy/pkg/utils/fsutils/fs.go:88 +0x214
io/fs.walkDir({0xa6a1940, 0xc00085f1e8}, {0xc005db8c00, 0x54}, {0xa71be98, 0xc00093bdb0}, 0xc003e069a0)
        io/fs/walk.go:73 +0x6c
io/fs.walkDir({0xa6a1940, 0xc00085f1e8}, {0xc004da95e0, 0x46}, {0xa71be98, 0xc0070e2ca8}, 0xc003e069a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc00085f1e8}, {0xc00656be00, 0x32}, {0xa71be98, 0xc002c55888}, 0xc003e069a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc00085f1e8}, {0xc0018a56e0, 0x29}, {0xa71be98, 0xc002c54f28}, 0xc003e069a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc00085f1e8}, {0xc0018a5650, 0x24}, {0xa71be98, 0xc002c545c8}, 0xc003e069a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc00085f1e8}, {0xc002438440, 0x1e}, {0xa71be98, 0xc006f05ec8}, 0xc003e069a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc00085f1e8}, {0xc0010e0030, 0x12}, {0xa71be98, 0xc0035c88e8}, 0xc003e069a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc00085f1e8}, {0xc006761820, 0x9}, {0xa71be98, 0xc00110ec08}, 0xc003e069a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc00085f1e8}, {0xc00676180a, 0x3}, {0xa71be98, 0xc00110e3e8}, 0xc003e069a0)
        io/fs/walk.go:95 +0x2bc
io/fs.walkDir({0xa6a1940, 0xc00085f1e8}, {0xa66d8d8, 0x1}, {0xa71b268, 0xc005cd80e0}, 0xc003e069a0)
        io/fs/walk.go:95 +0x2bc
io/fs.WalkDir({0xa6a1940, 0xc00085f1e8}, {0xa66d8d8, 0x1}, 0xc0018589a0)
        io/fs/walk.go:122 +0x9a
github.com/aquasecurity/trivy/pkg/utils/fsutils.WalkDir(...)
        github.com/aquasecurity/trivy/pkg/utils/fsutils/fs.go:75
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg.juliaAnalyzer.PostAnalyze({{0xa6a9600?, 0xe1bee80?}, 0xc00126ace0?}, {0x18?, 0x20?}, {{0xa6a1940, 0xc00085f1e8}, {0x0, 0x0, 0x0}, ...})
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg/pkg.go:60 +0x186
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({0xc00126a980, {0xc000a4a000, 0x1d, 0x20}, {0xc000524580, 0x6, 0x8}, 0xc00170a540, {0x9309192, 0x7}}, ...)
        github.com/aquasecurity/trivy/pkg/fanal/analyzer/analyzer.go:521 +0x399
github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspectLayer({0xc00126b370, {0xa74afa0, 0xc000a94880}, {0x7f7996790d18, 0xc00082ce40}, {{0xe1bee80, 0x0, 0x0}, {0xe1bee80, 0x0, ...}}, ...}, ...)
        github.com/aquasecurity/trivy/pkg/fanal/artifact/image/image.go:415 +0x7a9
github.com/aquasecurity/trivy/pkg/fanal/artifact/image.Artifact.inspect.func1({0xa71b038, 0xc00107e000}, {0xc001805b80, 0x47})
        github.com/aquasecurity/trivy/pkg/fanal/artifact/image/image.go:332 +0x23c
github.com/aquasecurity/trivy/pkg/parallel.(*Pipeline[...]).Do.func2()
        github.com/aquasecurity/trivy/pkg/parallel/pipeline.go:82 +0xa4
golang.org/x/sync/errgroup.(*Group).Go.func1()
        golang.org/x/[email protected]/errgroup/errgroup.go:78 +0x50
created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 1
        golang.org/x/[email protected]/errgroup/errgroup.go:75 +0x93

SuperSandro2000 avatar May 16 '25 11:05 SuperSandro2000

Hello @SuperSandro2000 Thanks for your work!

Can you add small testcase for this panic?

DmitriyLewen avatar May 19 '25 05:05 DmitriyLewen

I have no idea which of the 20 or so Julia dependency files this issue is coming from...

SuperSandro2000 avatar May 19 '25 08:05 SuperSandro2000

@SuperSandro2000 I added test cases - https://github.com/aquasecurity/trivy/pull/8883/commits/c5eca7ed3f7a8094809f97b1ae3b2e5482e85612

Thanks for your contribution!

DmitriyLewen avatar May 19 '25 09:05 DmitriyLewen

Nice! Thanks!

SuperSandro2000 avatar May 19 '25 09:05 SuperSandro2000