Hi, getting this constantly: Error: Unexpected end of JSON input

[hed95]

Hi We have a github repo using the following:

      - uses: anchore/scan-action@2.0.3
        with:
          image: "${{ env.IMAGE }}:latest"
          fail-build: false
          severity-cutoff: critical

It was originally using:

      - uses: anchore/scan-action@v2
        with:
          image: "${{ env.IMAGE }}:latest"
          fail-build: false
          severity-cutoff: critical

I changed to 2.0.3 today to see if it makes a difference it was working fine about 1 or 2 months ago since then this constant error is seen:

 DEBUG cataloger 'rpmdb-cataloger' discovered '0' packages from-lib=syft
[0011]  INFO Updated vulnerability DB to version=1 built="2021-02-05 08:25:54 +0000 UTC"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0xd9aa56]
<cut>
goroutine 25 [running]:
github.com/anchore/syft/syft/cataloger/java.(*archiveParser).discoverPkgsFromPomProperties(0xc01f205c80, 0x0, 0x0, 0x0, 0x117e160, 0xc02019a801, 0xc01f205c80)

	/Users/runner/work/grype/grype/cmd/root.go:197 +0xd9
created by github.com/anchore/grype/cmd.startWorker.func1
	/Users/runner/work/grype/grype/cmd/root.go:195 +0x227
Error: Unexpected end of JSON input

Not sure what is causing this, any clues ?

[alfredodeza]

Behind the scenes, the scan-action is using the grype analyzer and the syft SBOM tool. It looks like syft is encountering an error that it can't recover from.

Could you tell me what image you are scanning so that I can try to reproduce this locally?

[luhring]

@alfredodeza In case this is any help, there's a possibility that this is related to anchore/syft#252, which was resolved in syft v0.12.4 (which was brought into grype v0.7.0). It's not the same exact error message, but the fix in Syft involved adding a nil check to prevent nil pointer dereferences in discoverPkgsFromPomProperties. You can check out that syft issue if you want more details on that particular problem, including how to reproduce.

[hed95]

Hi, the image in question is from: https://github.com/UKHomeOffice/workflow-service

[alfredodeza]

@hed95 do you have a pre-built version of it? I can't get it to work with docker build to scan the image. I looked at the README but wasn't able to find what I was missing:

 => ERROR [3/3] ADD ./build/libs/workflow-service.jar /app/                                                                                                                                                                                                                0.0s
------
 > [3/3] ADD ./build/libs/workflow-service.jar /app/:
------
failed to compute cache key: "/build/libs/workflow-service.jar" not found: not found

[hed95]

Hi @alfredodeza unfortunately not - if you look at https://github.com/UKHomeOffice/workflow-service/blob/master/.github/workflows/build-docker.yml you can see how to build. (The jar needs to be created first)

[alfredodeza]

@hed95 since I can't build this to reproduce, it would be helpful if you could try reproducing the failure using syft directly. Like @luhring mentioned, we believe this is fixed in a newer release, but it would be great to confirm that suspicion.

To install the latest version of syft:

$ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b bin
$ ./bin/syft version

And to install what we think is having a problem:

$ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b 012/bin v0.12.0
$ ./012/bin/syft version

If you could scan your image with those two, and confirm that it works with the latest version (and broken with 0.12.0) that would be fantastic. This would mean we can bump those versions here, and cut a release

[hed95]

Hi,

Yeah it is this:

./012/bin/syft test-service:latest
New version of syft is available: 0.12.6
 ✔ Loaded image
 ✔ Parsed image
 ⠙ Cataloging image     [packages 0]panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0xaac966]

goroutine 66 [running]:
github.com/anchore/syft/syft/cataloger/java.(*archiveParser).discoverPkgsFromPomProperties(0xc01f665700, 0x0, 0x0, 0x0, 0xd325c0, 0xc021204101, 0xc01f665700)
        /Users/runner/work/syft/syft/syft/cataloger/java/archive_parser.go:187 +0x366
github.com/anchore/syft/syft/cataloger/java.(*archiveParser).parse(0xc01f665700, 0x3f, 0xecb060, 0xc013592540, 0x1, 0xc01f665700)
        /Users/runner/work/syft/syft/syft/cataloger/java/archive_parser.go:101 +0xb4
github.com/anchore/syft/syft/cataloger/java.parseJavaArchive(0xc021204180, 0x3f, 0xecb060, 0xc013592540, 0x0, 0x0, 0x0, 0x0, 0x0)
        /Users/runner/work/syft/syft/syft/cataloger/java/archive_parser.go:45 +0xf1
github.com/anchore/syft/syft/cataloger/java.(*archiveParser).discoverPkgsFromNestedArchives(0xc015ea7880, 0xc000123380, 0x0, 0x0, 0x14a0208, 0x0, 0x0)
        /Users/runner/work/syft/syft/syft/cataloger/java/archive_parser.go:266 +0x542
github.com/anchore/syft/syft/cataloger/java.(*archiveParser).parse(0xc015ea7880, 0x19, 0x7f6192afc7c8, 0xc015f69860, 0x40e401, 0xc015ea7880)
        /Users/runner/work/syft/syft/syft/cataloger/java/archive_parser.go:108 +0x147
github.com/anchore/syft/syft/cataloger/java.parseJavaArchive(0xc015429d20, 0x19, 0x7f6192afc7c8, 0xc015f69860, 0x0, 0x0, 0x0, 0x0, 0x0)
        /Users/runner/work/syft/syft/syft/cataloger/java/archive_parser.go:45 +0xf1
github.com/anchore/syft/syft/cataloger/common.(*GenericCataloger).catalog(0xc01946c6c0, 0xc01dd065a0, 0x0, 0x0, 0x0, 0x0, 0x0)
        /Users/runner/work/syft/syft/syft/cataloger/common/generic_cataloger.go:104 +0x3f4
github.com/anchore/syft/syft/cataloger/common.(*GenericCataloger).Catalog(0xc01946c6c0, 0xee0480, 0xc0135503a8, 0xc01e818080, 0x2, 0x2, 0x0, 0x0)
        /Users/runner/work/syft/syft/syft/cataloger/common/generic_cataloger.go:61 +0xe8
github.com/anchore/syft/syft/cataloger.Catalog(0xee0480, 0xc0135503a8, 0xc01946c600, 0xc0178bc280, 0x8, 0x8, 0xc, 0xd83937, 0xb)
        /Users/runner/work/syft/syft/syft/cataloger/catalog.go:48 +0x107
github.com/anchore/syft/syft.Catalog(0x7ffec9afa122, 0x13, 0xd81cac, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        /Users/runner/work/syft/syft/syft/lib.go:65 +0x4e5
github.com/anchore/syft/cmd.startWorker.func1(0xc0136eb680, 0x7ffec9afa122, 0x13)
        /Users/runner/work/syft/syft/cmd/root.go:115 +0xe1
created by github.com/anchore/syft/cmd.startWorker
        /Users/runner/work/syft/syft/cmd/root.go:95 +0x6c

The 0.12.6 succesfully runs& catalogs:

 ✔ Loaded image         
 ✔ Parsed image         
 ✔ Cataloged image      [464 packages]
 <cut output>

[alfredodeza]

Perfect! Thanks for double checking @hed95 , I will make an update and cut a new release