Error when analyzing the bom.json file in the Docker container.
When scanning the generated cdxgen file, I get an error. The project itself is built in the Go language. The scanner itself works inside a Docker container in Jenkins. The scanner version is 2.0.1. There is no error when scanning the same bom.json locally. I am attaching the error below.
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xfcce10]
goroutine 1 [running]:
github.com/google/osv-scanner/v2/internal/clients/clientimpl/osvmatcher.(*OSVMatcher).MatchVulnerabilities(0xc000148b40, {0x1e2bcb0, 0x2b79200}, {0xc0000ccd88, 0x46, 0x46})
github.com/google/osv-scanner/v2/internal/clients/clientimpl/osvmatcher/osvmatcher.go:60 +0x1f0
github.com/google/osv-scanner/v2/pkg/osvscanner.makeVulnRequestWithMatcher({0xc000668008, 0x46, 0x0?}, {0x1e194e0, 0xc000148b40})
github.com/google/osv-scanner/v2/pkg/osvscanner/osvscanner.go:473 +0x173
github.com/google/osv-scanner/v2/pkg/osvscanner.DoScan({{0x0, 0x0, 0x0}, {0xc0005039c0, 0x1, 0x1}, {0x2b79200, 0x0, 0x0}, {0x0, ...}, ...})
github.com/google/osv-scanner/v2/pkg/osvscanner/osvscanner.go:232 +0x55a
github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/source.action(0xc0004771c0, {0x1e18f40, 0xc000194048}, {0x1e18f40, 0xc000194050})
github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/source/command.go:138 +0x9d8
github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/source.Command.func1(0xc0004771c0?)
github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/source/command.go:84 +0x25
github.com/urfave/cli/v2.(*Command).Run(0xc00016d8c0, 0xc0004771c0, {0xc0004265b0, 0x7, 0x7})
github.com/urfave/cli/[email protected]/command.go:276 +0x7be
github.com/urfave/cli/v2.(*Command).Run(0xc00016db80, 0xc0004770c0, {0xc0004ed680, 0x8, 0x8})
github.com/urfave/cli/[email protected]/command.go:269 +0xa45
github.com/urfave/cli/v2.(*Command).Run(0xc00032c2c0, 0xc000476f80, {0xc0001d5050, 0x9, 0x9})
github.com/urfave/cli/[email protected]/command.go:269 +0xa45
github.com/urfave/cli/v2.(*App).RunContext(0xc00003f600, {0x1e2bcb0, 0x2b79200}, {0xc0001d5050, 0x9, 0x9})
github.com/urfave/cli/[email protected]/app.go:333 +0x5a5
github.com/urfave/cli/v2.(*App).Run(...)
github.com/urfave/cli/[email protected]/app.go:307
github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.Run({0xc0001bc150, 0x7, 0x7}, {0x1e18f40, 0xc000194048}, {0x1e18f40, 0xc000194050})
github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd/run.go:64 +0x6ad
main.main()
github.com/google/osv-scanner/v2/cmd/osv-scanner/main.go:11 +0x45
osv-scanner rc=2
Any chance you could provide a sample sbom reproducing it, or some more info about the dependency(s) you suspect might be involved?
bom.json
Additionally, I want to mention something about the bug: the scanner accepts an SBOM file called bom.json. I previously tried to transmit bom_appsec.json, but the scanner returns an error.
Failed to parse SBOM "/home/test/fix/bom_appsec.json" with error: could not determine extractor suitable to this file
If you believe this is a valid SBOM, make sure the filename follows format per your SBOMs specification.
could not determine extractor suitable to this file
After several attempts, it was still possible to scan this sbom, but the cause of the error is still unknown.
Are you saying that you managed to scan it with the filename bom_appsec.json? Because the error is that the filename is incorrect: per https://cyclonedx.org/specification/overview/#recognized-file-patterns CycloneDX BOM files must either be named bom.json or bom.xml, or be suffixed with .cdx.json or .cdx.xml; bom_appsec.json does not meet either of those.
If you managed to have the scanner accept your file with that name, then that's actually a bug 😅
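As an added example (not osv-scanner's own code), a Go pre-flight check a CI step could run before invoking the scanner: it applies the CycloneDX recognized-file-pattern rule quoted above (so bom_appsec.json is rejected up front instead of failing with "could not determine extractor") and sanity-checks the JSON. The sample BOM is constructed, and the no-purl count is general hygiene, not a diagnosis of the panic in the report above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// IsRecognizedCycloneDXName applies the CycloneDX recognized file patterns:
// bom.json, bom.xml, or any name ending in .cdx.json / .cdx.xml.
func IsRecognizedCycloneDXName(path string) bool {
	base := filepath.Base(path)
	return base == "bom.json" || base == "bom.xml" ||
		strings.HasSuffix(base, ".cdx.json") || strings.HasSuffix(base, ".cdx.xml")
}
// cycloneDXBOM is the subset of the CycloneDX JSON schema the check needs.
type cycloneDXBOM struct {
	BOMFormat  string `json:"bomFormat"`
	Components []struct {
		PURL string `json:"purl"`
	} `json:"components"`
}
// PreflightCycloneDX returns what would stop a scanner from accepting the file (unrecognized
// name, invalid JSON, wrong bomFormat) and how many components carry no purl (a hygiene finding).
func PreflightCycloneDX(path string, data []byte) (problems []string, missingPURL int) {
	if !IsRecognizedCycloneDXName(path) {
		problems = append(problems, fmt.Sprintf("%q is not a recognized CycloneDX file name", filepath.Base(path)))
	}
	var bom cycloneDXBOM
	if err := json.Unmarshal(data, &bom); err != nil {
		return append(problems, "not valid JSON: "+err.Error()), 0
	}
	if bom.BOMFormat != "CycloneDX" {
		problems = append(problems, fmt.Sprintf("bomFormat %q is not CycloneDX", bom.BOMFormat))
	}
	for _, c := range bom.Components {
		if c.PURL == "" {
			missingPURL++
		}
	}
	return problems, missingPURL
}
// Constructed sample BOM (not real cdxgen output): one component with a purl, one without.
var sampleBOM = []byte(`{"bomFormat":"CycloneDX","specVersion":"1.5","components":[{"name":"example.com/lib","purl":"pkg:golang/example.com/lib@1.2.3"},{"name":"example.com/internal"}]}`)
func main() {
	problems, missing := PreflightCycloneDX("/home/test/fix/bom_appsec.json", sampleBOM)
	fmt.Printf("missingPurl=%d problems=%v\n", missing, problems)
}
```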
This issue has not had any activity for 60 days and will be automatically closed in two weeks
See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.
Automatically closing stale issue