v0.81.0 crashing parsing some images

[thespad]

What happened:
Syft v0.81.0 is crashing when parsing some docker images

What you expected to happen:
Syft should not crash parsing images

Steps to reproduce the issue:

docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock -v ~/syft:/out/ docker.io/anchore/syft:v0.81.0 lscr.io/linuxserver/webtop:alpine-openbox -o json=/out/packages.json

The same image does not exhibit issues when running v0.80.0 against it. Equally, running v0.81.0 against a similar image does not crash:

docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock -v ~/syft:/out/ docker.io/anchore/syft:v0.81.0 lscr.io/linuxserver/webtop:alpine-mate -o json=/out/packages.json

lscr.io/linuxserver/webtop:alpine-kde is another image that we have seen exhibiting this behaviour.
Anything else we need to know?:

 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [604 packages]
2023/05/23 13:20:21 error during command execution: 1 error occurred:
        * runtime error: invalid memory address or nil pointer dereference at:
goroutine 64 [running]:
runtime/debug.Stack()
        /opt/hostedtoolcache/go/1.19.9/x64/src/runtime/debug/stack.go:24 +0x65
github.com/anchore/syft/syft/pkg/cataloger.runCataloger.func1()
        /home/runner/work/syft/syft/syft/pkg/cataloger/catalog.go:57 +0x45
panic({0x1385e80, 0x24b3c20})
        /opt/hostedtoolcache/go/1.19.9/x64/src/runtime/panic.go:884 +0x212
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseOperator(...)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/v2@v2.1.2/spdxexp/parse.go:364
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseParenthesizedExpression(0xc00056e790?)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/v2@v2.1.2/spdxexp/parse.go:97 +0x64
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseAtom(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/v2@v2.1.2/spdxexp/parse.go:124 +0x25
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseAnd(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/v2@v2.1.2/spdxexp/parse.go:238 +0x25
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseExpression(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/v2@v2.1.2/spdxexp/parse.go:191 +0x25
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseParenthesizedExpression(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/v2@v2.1.2/spdxexp/parse.go:103 +0x12e
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseAtom(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/v2@v2.1.2/spdxexp/parse.go:124 +0x25
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseAnd(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/v2@v2.1.2/spdxexp/parse.go:238 +0x25
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseExpression(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/v2@v2.1.2/spdxexp/parse.go:191 +0x25
github.com/github/go-spdx/v2/spdxexp.(*tokenStream).parseTokens(0xc00056e790)
        /home/runner/go/pkg/mod/github.com/github/go-spdx/v2@v2.1.2/spdxexp/parse.go:38 +0x7c
github.com/github/go-spdx/v2/spdxexp.parse({0xc00534d622?, 0x76?})
        /home/runner/go/pkg/mod/github.com/github/go-spdx/v2@v2.1.2/spdxexp/parse.go:28 +0x6c
github.com/github/go-spdx/v2/spdxexp.ValidateLicenses({0xc00056e898?, 0x1, 0xc00534d622?})
        /home/runner/go/pkg/mod/github.com/github/go-spdx/v2@v2.1.2/spdxexp/satisfies.go:15 +0xc7
github.com/anchore/syft/syft/license.ParseExpression({0xc00534d622, 0x1})
        /home/runner/work/syft/syft/syft/license/license.go:29 +0x85
github.com/anchore/syft/syft/pkg.NewLicense({0xc00534d622, 0x1})
        /home/runner/work/syft/syft/syft/pkg/license.go:63 +0x53
github.com/anchore/syft/syft/pkg.NewLicenseFromLocations({0xc00534d622?, 0xc00056eef0?}, {0xc00056eef0, 0x1, 0x0?})
        /home/runner/work/syft/syft/syft/pkg/license.go:110 +0x5e
github.com/anchore/syft/syft/pkg.NewLicensesFromLocation(...)
        /home/runner/work/syft/syft/syft/pkg/license.go:104
github.com/anchore/syft/syft/pkg/cataloger/apkdb.newPackage({{0xc00534d622, 0x52}, {{0xc000ac3a2a, 0xf}, {0xc000ac3a5a, 0xf}, {0xc00334d532, 0x23}, {0xc000ac3a42, 0x15}, ...}}, ...)
        /home/runner/work/syft/syft/syft/pkg/cataloger/apkdb/package.go:26 +0x691
github.com/anchore/syft/syft/pkg/cataloger/apkdb.parseApkDB({0x1aa7b08, 0xc0000121c0}, 0xc00019c4a8, {{{{{...}, {...}}, {0xc004294390, 0x15}, {0x2f7f, {...}}}, {0xc00428ba40}}, ...})
        /home/runner/work/syft/syft/syft/pkg/cataloger/apkdb/parse_apk_db.go:131 +0xa85
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog(0xc0053adec0, {0x1aa7b08, 0xc0000121c0})
        /home/runner/work/syft/syft/syft/pkg/cataloger/generic/cataloger.go:129 +0x76e
github.com/anchore/syft/syft/pkg/cataloger.runCataloger({0x1a9c038, 0xc0053adec0}, {0x1aa7b08?, 0xc0000121c0})
        /home/runner/work/syft/syft/syft/pkg/cataloger/catalog.go:65 +0x1fa
github.com/anchore/syft/syft/pkg/cataloger.Catalog.func1()
        /home/runner/work/syft/syft/syft/pkg/cataloger/catalog.go:139 +0x105
created by github.com/anchore/syft/syft/pkg/cataloger.Catalog
        /home/runner/work/syft/syft/syft/pkg/cataloger/catalog.go:134 +0x34a

Interestingly the package file is still output, at least in part (attached, JSON):
openbox-packages.txt

Environment:

• Output of syft version:

Application:        syft
Version:            0.81.0
JsonSchemaVersion:  8.0.0
BuildDate:          2023-05-22T14:04:53Z
GitCommit:          334a775cb9cd6bf50033de1bb3aa04f46b669f5d
GitDescription:     v0.81.0
Platform:           linux/amd64
GoVersion:          go1.19.9
Compiler:           gc

• OS (e.g: cat /etc/os-release or similar):
  Ubuntu 22.04

docker version

Client: Docker Engine - Community
 Version:           24.0.1
 API version:       1.43
 Go version:        go1.20.4
 Git commit:        6802122
 Built:             Fri May 19 18:06:21 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.1
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.4
  Git commit:       463850e
  Built:            Fri May 19 18:06:21 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:          1.1.7
  GitCommit:        v1.1.7-0-g860f061
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

[spiffcs]

Thanks @thespad for filing the issue quickly on this one. It looks like the panic is happening when using github.com/github/go-spdx/v2 to parse a license expression from this image.

I'll take two actions here and try to turn them around ASAP.

1. Now that we know this function can panic in this way I'll add some defer and recover logic to get a patch out first thing
2. I'll investigate the image and see which statement is causing the panic and try to get a patch filed downstream

Sorry for the inconvenience here and I really appreciate the report!

[spiffcs]

@thespad just a quick follow up since this was closed by our bot - we have released a new version of syft that fixes this panic and you should not see this behavior going forward with the newest release

[thespad]

Thanks for the quick turnaround, I'll run some tests against the affected images and make sure everything looks good.