sbom-utility
signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x5f53ae
./sbom-utility vulnerability list -i sbom.json --format md --summary
Welcome to the sbom-utility! Version `v0.16.0` (sbom-utility) (linux/amd64)
===========================================================================
[INFO] Loading (embedded) default schema config file: `config.json`...
[INFO] Loading (embedded) default license policy file: `license.json`...
[INFO] Attempting to load and unmarshal data from: `sbom.json`...
[INFO] Successfully unmarshalled data from: `sbom.json`
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): `CycloneDX`, `1.5` (latest)
[INFO] Matching BOM schema (for validation): schema/cyclonedx/1.5/bom-1.5.schema.json
[INFO] Scanning document for vulnerabilities...
[WARN] vulnerability (`CVE-2022-3517`) missing `published` date
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x5f53ae]
goroutine 1 [running]:
github.com/CycloneDX/sbom-utility/schema.(*BOM).HashmapVulnerability(_, {{0xc0007c9f10, 0xd}, 0xc0007d4ec0, 0xc0007c3180, 0xc0007d8ab0, 0xc0007d8a50, 0xc0007d8a20, {0xc0004660e0, 0xd4}, ...}, ...)
/github/workspace/schema/bom_hash.go:392 +0x6ce
github.com/CycloneDX/sbom-utility/schema.(*BOM).HashmapVulnerabilities(0xc0004ac000, {0xc000812008, 0x2b, 0x8e4af5?}, {0x0, 0x0, 0x0})
/github/workspace/schema/bom_hash.go:311 +0x1b8
github.com/CycloneDX/sbom-utility/cmd.loadDocumentVulnerabilities(0xc0004ac000, {0x0, 0x0, 0x0})
/github/workspace/cmd/vulnerability.go:258 +0x165
github.com/CycloneDX/sbom-utility/cmd.ListVulnerabilities({0xafedc0, 0xc0000ee058}, {0x0, 0x0, 0x0, {0x7ffc7e150548, 0x9}, {0x0, 0x0}, {0x7ffc7e15055b, ...}, ...}, ...)
/github/workspace/cmd/vulnerability.go:210 +0x1b0
github.com/CycloneDX/sbom-utility/cmd.vulnerabilityCmdImpl(0xc000177508, {0xc0000fe600, 0x1, 0x6})
/github/workspace/cmd/vulnerability.go:164 +0x35a
github.com/spf13/cobra.(*Command).execute(0xc000177508, {0xc0000fe5a0, 0x6, 0x6})
/go/pkg/mod/github.com/spf13/[email protected]/command.go:940 +0x882
github.com/spf13/cobra.(*Command).ExecuteC(0xdde5c0)
/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(...)
/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
github.com/CycloneDX/sbom-utility/cmd.Execute()
/github/workspace/cmd/root.go:284 +0x68
main.main()
/github/workspace/main.go:96 +0x65
I ran into a similar issue when scanning a CycloneDX v1.4 SBOM JSON report:
Welcome to the sbom-utility! Version `v0.16.0` (sbom-utility) (windows/amd64)
=============================================================================
[INFO] Loading (embedded) default schema config file: `config.json`...
[INFO] Loading (embedded) default license policy file: `license.json`...
[INFO] Attempting to load and unmarshal data from: `my-report.json`...
[INFO] Successfully unmarshalled data from: `my-report.json`
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): `CycloneDX`, `1.4` (latest)
[INFO] Matching BOM schema (for validation): schema/cyclonedx/1.4/bom-1.4.schema.json
[INFO] Scanning document for vulnerabilities...
[WARN] vulnerability (`CVE-2022-26907`) missing `published` date
[WARN] vulnerability (`CVE-2022-26907`) missing `created` date
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x18 pc=0x775535]
goroutine 1 [running]:
github.com/CycloneDX/sbom-utility/schema.(*BOM).HashmapVulnerability(_, {{0xc00035dea0, 0xe}, 0xc0004997e0, 0x0, 0x0, 0xc0008d26c0, 0x0, {0x0, 0x0}, ...}, ...)
/github/workspace/schema/bom_hash.go:424 +0xd15
github.com/CycloneDX/sbom-utility/schema.(*BOM).HashmapVulnerabilities(0xc000059340, {0xc0008e0008, 0x15, 0xa69195?}, {0x0, 0x0, 0x0})
/github/workspace/schema/bom_hash.go:311 +0x1b8
github.com/CycloneDX/sbom-utility/cmd.loadDocumentVulnerabilities(0xc000059340, {0x0, 0x0, 0x0})
/github/workspace/cmd/vulnerability.go:258 +0x165
github.com/CycloneDX/sbom-utility/cmd.ListVulnerabilities({0xc879a0, 0xc000062060}, {0x0, 0x0, 0x0, {0xc0000260a0, 0x4c}, {0x0, 0x0}, {0xc00000a168, ...}, ...}, ...)
/github/workspace/cmd/vulnerability.go:210 +0x1b0
github.com/CycloneDX/sbom-utility/cmd.vulnerabilityCmdImpl(0xc0000dd508, {0xc0000746e0, 0x1, 0x5})
/github/workspace/cmd/vulnerability.go:164 +0x35a
github.com/spf13/cobra.(*Command).execute(0xc0000dd508, {0xc000074690, 0x5, 0x5})
/go/pkg/mod/github.com/spf13/[email protected]/command.go:940 +0x882
github.com/spf13/cobra.(*Command).ExecuteC(0xf7a100)
/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(...)
/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
github.com/CycloneDX/sbom-utility/cmd.Execute()
/github/workspace/cmd/root.go:284 +0x68
main.main()
/github/workspace/main.go:96 +0x65
The issue was due to this line. There are no prior checks to ensure that rating.Source and rating.Source.Name are not nil. Current unmarshalling logic allows these fields to be unset here.
An example of a vulnerability entry that would cause this exception is below:
{
  "id": "CVE-2024-0056",
  "source": {
    "name": "NVD",
    "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0056"
  },
  "ratings": [
    {
      "score": 8.7,
      "severity": "high"
    }
  ],
  "affects": [
    {
      "ref": "system.data.sqlclient.4.5.0.nupkg"
    }
  ]
}
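The missing nil guard described above, as an added Go example that is not the project's own code: the struct types are assumed minimal stand-ins for the sbom-utility schema types, and the sample entry is constructed from the vulnerability above (one rating without a `source`, one with).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal CycloneDX shapes (assumed here, not the project's own types).
// Source is a pointer, so a rating that omits "source" decodes to nil.
type Source struct {
	Name string `json:"name,omitempty"`
}
type Rating struct {
	Source *Source `json:"source,omitempty"`
	Score  float64 `json:"score,omitempty"`
}
type Vulnerability struct {
	ID      string   `json:"id"`
	Source  *Source  `json:"source,omitempty"`
	Ratings []Rating `json:"ratings,omitempty"`
}

// ratingSourceName adds the guard the panic shows missing: a nil
// rating.Source yields "" instead of a nil pointer dereference.
func ratingSourceName(r Rating) string {
	if r.Source == nil {
		return ""
	}
	return r.Source.Name
}

// RatingSourceNames decodes one vulnerability entry and returns one
// source name per rating ("" for ratings that carry none).
func RatingSourceNames(raw []byte) ([]string, error) {
	var v Vulnerability
	if err := json.Unmarshal(raw, &v); err != nil {
		return nil, err
	}
	names := make([]string, 0, len(v.Ratings))
	for _, r := range v.Ratings {
		names = append(names, ratingSourceName(r))
	}
	return names, nil
}
// Constructed sample: the first rating omits "source", the second has one.
const Sample = `{"id":"CVE-2024-0056","source":{"name":"NVD"},"ratings":[{"score":8.7},{"source":{"name":"NVD"},"score":8.7}]}`

func main() {
	names, err := RatingSourceNames([]byte(Sample))
	fmt.Println(names, err)
}
```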
@prockallsyms Thanks for this issue and pinpointing the exact problem; will attempt to look at and fix tomorrow if work allows.
I also face a SIGSEGV when I run "sbom-utility vulnerability list" on the attached VEX file.
$ ./sbom-utility vulnerability list -i cepe-aux.vex.json
Welcome to the sbom-utility! Version `v0.16.0` (sbom-utility) (linux/amd64)
===========================================================================
[INFO] Loading (embedded) default schema config file: `config.json`...
[INFO] Loading (embedded) default license policy file: `license.json`...
[INFO] Attempting to load and unmarshal data from: `cepe-aux.vex.json`...
[INFO] Successfully unmarshalled data from: `cepe-aux.vex.json`
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): `CycloneDX`, `1.5` (latest)
[INFO] Matching BOM schema (for validation): schema/cyclonedx/1.5/bom-1.5.schema.json
[INFO] Scanning document for vulnerabilities...
[WARN] vulnerability (`CVE-2023-2064`) missing `created` date
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x5f59f5]
goroutine 1 [running]:
github.com/CycloneDX/sbom-utility/schema.(*BOM).HashmapVulnerability(_, {{0xc0002edf50, 0xd}, 0x0, 0x0, 0x0, 0xc000602930, 0x0, {0xc0002120d0, 0xc1}, ...}, ...)
/github/workspace/schema/bom_hash.go:424 +0xd15
:
:
I am not sure if the cause is the same as @prockallsyms has already pointed out. Anyway, @mrutkows wrote:
Thanks for this issue and pinpointing the exact problem; will attempt to look at and fix tomorrow if work allows.
Did you have time to look at it?
@snooyen Thanks so much for getting this back on my radar again and esp. thanks for providing a test file (i.e., cepe-aux.vex.json). I will create a point release shortly with this fix.