
fix panic scanning binaries without symtab #2736

Closed
rplessl opened this issue Mar 27, 2024 · 2 comments · Fixed by #2739
Labels
bug Something isn't working

Comments

@rplessl

rplessl commented Mar 27, 2024

What happened:

The newest version of syft, 1.1.0, has an invalid memory address or nil pointer reference; in version v1.0.1 this was not part of our execution path.

syft scan ourregistry.azurecr.io/go-cli-builder-image:1234 --output cyclonedx-json=./reports/sbom/sbom-img.json
 ✔ Loaded image                                                                   ourregistry.azurecr.io/go-cli-builder-image:1234
 ✔ Parsed image                                                  sha256:56e8be30cd6105ba27f70c4fa9035c76517fc2147f0fe857cc06927f9d1085f1
 ⠹ Cataloging contents             ━━━━━━━━━━━━━━━━━━━━                 239092030bccce5d9fbeeeda6101ac90ec9a9109f31992bc90828be14483aa4c
   ├── ⠹ Packages                        [2,078 packages]
   ├── ✔ File digests                    [2,510 files]
   ├── ✔ File metadata                   [2,510 locations]
   └── ⠸ Executables                     ━━━━━━━━━━━━━━━━━━━━  [/go/pkg/mod/golang.org/x/tools@v0.8.0/cmd/splitdwarf/internal/macho/testda
[0026]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/
[0026]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/
[0027]  WARN cataloger failed cataloger=linux-kernel-cataloger error=unable to get magic type for file: EOF location=/usr/local/go/src/deb
[0029]  WARN unable to process executable "/go/pkg/mod/golang.org/x/tools@v0.8.0/cmd/splitdwarf/internal/macho/testdata/clang-386-darwin.o
failed to run tasks: 1 error occurred:
	* failed to run task: runtime error: invalid memory address or nil pointer dereference at:
goroutine 14053 [running]:
runtime/debug.Stack()
	/opt/hostedtoolcache/go/1.21.8/x64/src/runtime/debug/stack.go:24 +0x5e
github.com/anchore/syft/internal/task.runTaskSafely.func1()
	/home/runner/work/syft/syft/internal/task/executor.go:67 +0x3d
panic({0x16a1600?, 0x2b8b7e0?})
	/opt/hostedtoolcache/go/1.21.8/x64/src/runtime/panic.go:914 +0x21f
github.com/anchore/syft/syft/file/cataloger/executable.machoHasExports(...)
	/home/runner/work/syft/syft/syft/file/cataloger/executable/macho.go:60
github.com/anchore/syft/syft/file/cataloger/executable.findMachoFeatures(0xc01e1a6a80, {0x7fffb7a06c00?, 0xc01e5eba10})
	/home/runner/work/syft/syft/syft/file/cataloger/executable/macho.go:35 +0x19e
github.com/anchore/syft/syft/file/cataloger/executable.processExecutable({{{{0xc00291a540, 0x68}, {0xc0016b5130, 0x47}}, {0xc01dfbe690, 0x68}, {0x541e, {0xc00291a540, 0x68}}}, {0xc01e1d1500}}, ...)
	/home/runner/work/syft/syft/syft/file/cataloger/executable/cataloger.go:168 +0x3cc
github.com/anchore/syft/syft/file/cataloger/executable.(*Cataloger).Catalog(0xc00678b080, {0x1eacee0, 0xc004390740})
	/home/runner/work/syft/syft/syft/file/cataloger/executable/cataloger.go:77 +0x51a
github.com/anchore/syft/internal/task.NewExecutableCatalogerTask.func1({0x1ea4fa0?, 0xc0000d1eb0?}, {0x1eacee0, 0xc004390740}, {0x1ea26e0?, 0xc003f4d420})
	/home/runner/work/syft/syft/internal/task/file_tasks.go:114 +0x57
github.com/anchore/syft/internal/task.task.Execute(...)
	/home/runner/work/syft/syft/internal/task/task.go:64
github.com/anchore/syft/internal/task.runTaskSafely({0x1ea4fa0?, 0xc00003ec80?}, {0x1e9ddb0?, 0xc000a08ba0?}, {0x1eacee0?, 0xc004390740?}, {0x1ea26e0?, 0xc003f4d420?})
	/home/runner/work/syft/syft/internal/task/executor.go:71 +0xa7
github.com/anchore/syft/internal/task.(*Executor).Execute.func1()
	/home/runner/work/syft/syft/internal/task/executor.go:49 +0x131
created by github.com/anchore/syft/internal/task.(*Executor).Execute in goroutine 36
	/home/runner/work/syft/syft/internal/task/executor.go:40 +0x8a

What you expected to happen:

syft-1.0.1 scan ourregistry.azurecr.io/go-cli-builder-image:1234 --output cyclonedx-json=./reports/sbom/sbom-img.json
 ✔ Loaded image                                                                   ourregistry.azurecr.io/go-cli-builder-image:1234
 ✔ Parsed image                                                  sha256:56e8be30cd6105ba27f70c4fa9035c76517fc2147f0fe857cc06927f9d1085f1
 ✔ Cataloged contents                                                   239092030bccce5d9fbeeeda6101ac90ec9a9109f31992bc90828be14483aa4c
   ├── ✔ Packages                        [2,074 packages]
   ├── ✔ File digests                    [2,510 files]
   ├── ✔ File metadata                   [2,510 locations]
   └── ✔ Executables                     [342 executables]
[0025]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/
[0025]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/
[0025]  WARN cataloger failed cataloger=linux-kernel-cataloger error=unable to get magic type for file: EOF location=/usr/local/go/src/deb
[0027]  WARN unable to process executable "/go/pkg/mod/golang.org/x/tools@v0.8.0/cmd/splitdwarf/internal/macho/testdata/clang-386-darwin.o
[0028]  WARN unable to process executable "/usr/local/go/src/debug/pe/testdata/vmlinuz-4.15.0-47-generic" error=unable to determine execut
/Users/rplessl/Checkouts/gitlab.com/diemobiliar/it/gol/cli/gol-cli-stack/gol-cli-builder-image #                                   

Steps to reproduce the issue:

see above

Anything else we need to know?:

Environment:

  • Output of syft version:
syft-1.1.0 version
Application: syft
Version:    1.1.0
BuildDate:  2024-03-25T21:41:42Z
GitCommit:  f4e18961b979f5e6d0cc3b1e4fce608c8ceb29d8
GitDescription: v1.1.0
Platform:   linux/amd64
GoVersion:  go1.21.8
Compiler:   gc
syft-1.0.1 version
Application: syft
Version:    1.0.1
BuildDate:  2024-03-06T19:51:27Z
GitCommit:  1b121ac3f4d589060ddf1fac0bcd6871ea4731e3
GitDescription: v1.0.1
Platform:   linux/amd64
GoVersion:  go1.21.7
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.19.1
PRETTY_NAME="Alpine Linux v3.19"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
@rplessl rplessl added the bug Something isn't working label Mar 27, 2024
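The trace in the report above dies in machoHasExports, reading a symbol table the object file does not carry. The Go example below is added here and is not syft's code: it constructs a minimal Mach-O with no LC_SYMTAB using only debug/macho, shows the unguarded lookup that panics on such a file, and a guarded version that returns an error the cataloger can log and skip instead of aborting the scan. The function names and the export heuristic (N_EXT plus N_SECT in n_type) are assumptions of this example.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample (not a real binary): a minimal 64-bit little-endian Mach-O with
// one LC_UUID load command and no LC_SYMTAB, i.e. a "binary without symtab".
func minimalMachoNoSymtab() []byte {
	var buf bytes.Buffer
	hdr := []uint32{macho.Magic64, uint32(macho.CpuAmd64), 3, uint32(macho.TypeExec), 1, 24, 0, 0} // ncmds=1, sizeofcmds=24
	binary.Write(&buf, binary.LittleEndian, hdr)
	binary.Write(&buf, binary.LittleEndian, []uint32{0x1b, 24}) // LC_UUID, cmdsize
	buf.Write(make([]byte, 16))                                  // uuid payload
	return buf.Bytes()
}

// isExported is an assumed heuristic: N_EXT (0x01) set and N_TYPE == N_SECT (0x0e).
func isExported(s macho.Symbol) bool { return s.Type&0x01 != 0 && s.Type&0x0e == 0x0e }

// unguardedHasExports reproduces the failure mode: f.Symtab is dereferenced unchecked.
func unguardedHasExports(f *macho.File) bool {
	for _, s := range f.Symtab.Syms { // nil Symtab => nil pointer dereference
		if isExported(s) {
			return true
		}
	}
	return false
}

// hasExports is the defensive form: a missing symbol table becomes an error the
// caller can log and skip, instead of a panic that aborts the whole SBOM scan.
func hasExports(f *macho.File) (bool, error) {
	if f == nil || f.Symtab == nil {
		return false, errors.New("mach-o file has no LC_SYMTAB load command")
	}
	return unguardedHasExports(f), nil // safe: Symtab is non-nil here
}

func main() {
	f, err := macho.NewFile(bytes.NewReader(minimalMachoNoSymtab()))
	if err != nil {
		panic(err)
	}
	fmt.Println(hasExports(f)) // false mach-o file has no LC_SYMTAB load command
}
```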
@tgerla
Contributor

tgerla commented Mar 27, 2024

Hi @rplessl, thank you for the report. I am trying to reproduce this in my environment (macOS) and failing. I've tried setting up a go.mod to include just the package referenced in the error message and I've also tried scanning just the offending binary (clang-386-darwin.obj) separately, but I can't get the same crash. Do you by chance have a public container that we could look at to reproduce? Alternatively, would you be able to run this scan on a different system to see if it reproduces there, too? Thanks!

@rplessl
Author

rplessl commented Mar 27, 2024

Hi @tgerla!

It was not so easy to reproduce this image with public images, but I got a Dockerfile snippet with exactly the same behavior.

In our pipeline we are running linux/amd64 (and locally I use Docker Desktop on an ARM Mac, using virtualization, not Rosetta).

With the Dockerfile

FROM golang:1.22.1-alpine as golang

FROM alpine:3.19.1
LABEL maintainer="Delivery Platform"

# install used tools from system packages
RUN apk add --no-cache bash ca-certificates openssl curl grep git docker-cli \
            gettext unzip jq yq ruby ruby-bundler

# Add docker settings (so this runs on build runners)
ENV DOCKER_HOST=tcp://docker:2376
ENV DOCKER_CERT_PATH=/certs/client
ENV DOCKER_TLS_VERIFY=1

# Prepare Go installation
ENV GOPATH /go
ENV GOPRIVATE=github.com/rplessl
ENV PATH="/go/bin:/usr/local/go/bin:${PATH}"

# Use this for cgo compilation
RUN apk add --no-cache libc6-compat gcc libc-dev

# Install golang
COPY --from=golang /usr/local/go/ /usr/local/go/

# Converter tool to create Cobertura reports from gocover
RUN go install github.com/avbm/gocover-cobertura@latest

USER root

I will get the same error with syft 1.1.0 (but not on syft 1.0.1):

syft-1.1.0 scan github.com/rplessl/syft-test-go-docker:1.0.005  --output cyclonedx-json=./reports/sbom/sbom-img.json
 ✔ Loaded image                                                                                                       github.com/rplessl/syft-test-go-docker:1.0.005
 ✔ Parsed image                                                                              sha256:4094810592e59c7eeb9dcb78bc1f22516e3a39afb6b4ccf5c04b01ee672c880b
 ⠏ Cataloging contents             ━━━━━━━━━━━━━━━━━━━━                                             8653b3db7b05b78c9e0ac2791a3353b34f1aa00d4a64e4cdb1d50433342b9246
   ├── ⠏ Packages                        [208 packages]
   ├── ✔ File digests                    [2,569 files]
   ├── ✔ File metadata                   [2,569 locations]
   └── ⠹ Executables                     ━━━━━━━━━━━━━━━━━━━━  [/go/pkg/mod/golang.org/x/tools@v0.8.0/cmd/splitdwarf/internal/macho/testdata/gcc-amd64-darwin-exec-deb
[0011]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-25
[0011]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-35
[0012]  WARN cataloger failed cataloger=linux-kernel-cataloger error=unable to get magic type for file: EOF location=/usr/local/go/src/debug/pe/testdata/vmlinuz-4.15.
[0013]  WARN unable to process executable "/go/pkg/mod/golang.org/x/tools@v0.8.0/cmd/splitdwarf/internal/macho/testdata/clang-386-darwin.obj" error=unable to determin
failed to run tasks: 1 error occurred:
	* failed to run task: runtime error: invalid memory address or nil pointer dereference at:
goroutine 6054 [running]:
runtime/debug.Stack()
	/opt/hostedtoolcache/go/1.21.8/x64/src/runtime/debug/stack.go:24 +0x5e
github.com/anchore/syft/internal/task.runTaskSafely.func1()
	/home/runner/work/syft/syft/internal/task/executor.go:67 +0x3d
panic({0x16a1600?, 0x2b8b7e0?})
	/opt/hostedtoolcache/go/1.21.8/x64/src/runtime/panic.go:914 +0x21f
github.com/anchore/syft/syft/file/cataloger/executable.machoHasExports(...)
	/home/runner/work/syft/syft/syft/file/cataloger/executable/macho.go:60
github.com/anchore/syft/syft/file/cataloger/executable.findMachoFeatures(0xc004ebd3c0, {0x7fffb825cca0?, 0xc0028ccf00})
	/home/runner/work/syft/syft/syft/file/cataloger/executable/macho.go:35 +0x19e
github.com/anchore/syft/syft/file/cataloger/executable.processExecutable({{{{0xc00238e230, 0x68}, {0xc001166e10, 0x47}}, {0xc002f98620, 0x68}, {0x4b53, {0xc00238e230, 0x68}}}, {0xc002893050}}, ...)
	/home/runner/work/syft/syft/syft/file/cataloger/executable/cataloger.go:168 +0x3cc
github.com/anchore/syft/syft/file/cataloger/executable.(*Cataloger).Catalog(0xc0032b8030, {0x1eacee0, 0xc00022e780})
	/home/runner/work/syft/syft/syft/file/cataloger/executable/cataloger.go:77 +0x51a
github.com/anchore/syft/internal/task.NewExecutableCatalogerTask.func1({0x1ea4fa0?, 0xc000657eb0?}, {0x1eacee0, 0xc00022e780}, {0x1ea26e0?, 0xc0039de860})
	/home/runner/work/syft/syft/internal/task/file_tasks.go:114 +0x57
github.com/anchore/syft/internal/task.task.Execute(...)
	/home/runner/work/syft/syft/internal/task/task.go:64
github.com/anchore/syft/internal/task.runTaskSafely({0x1ea4fa0?, 0xc00003f180?}, {0x1e9ddb0?, 0xc000223ec0?}, {0x1eacee0?, 0xc00022e780?}, {0x1ea26e0?, 0xc0039de860?})
	/home/runner/work/syft/syft/internal/task/executor.go:71 +0xa7
github.com/anchore/syft/internal/task.(*Executor).Execute.func1()
	/home/runner/work/syft/syft/internal/task/executor.go:49 +0x131
created by github.com/anchore/syft/internal/task.(*Executor).Execute in goroutine 65
	/home/runner/work/syft/syft/internal/task/executor.go:40 +0x8a
syft-1.0.1 scan github.com/rplessl/syft-test-go-docker:1.0.005  --output cyclonedx-json=./reports/sbom/sbom-img.json
 ✔ Loaded image                                                                                                       github.com/rplessl/syft-test-go-docker:1.0.005
 ✔ Parsed image                                                                              sha256:4094810592e59c7eeb9dcb78bc1f22516e3a39afb6b4ccf5c04b01ee672c880b
 ✔ Cataloged contents                                                                               8653b3db7b05b78c9e0ac2791a3353b34f1aa00d4a64e4cdb1d50433342b9246
   ├── ✔ Packages                        [208 packages]
   ├── ✔ File digests                    [2,569 files]
   ├── ✔ File metadata                   [2,569 locations]
   └── ✔ Executables                     [327 executables]
[0012]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-18
[0012]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-24
[0012]  WARN cataloger failed cataloger=linux-kernel-cataloger error=unable to get magic type for file: EOF location=/usr/local/go/src/debug/pe/testdata/vmlinuz-4.15.
[0013]  WARN unable to process executable "/go/pkg/mod/golang.org/x/tools@v0.8.0/cmd/splitdwarf/internal/macho/testdata/clang-386-darwin.obj" error=unable to determin
[0014]  WARN unable to process executable "/usr/local/go/src/debug/pe/testdata/vmlinuz-4.15.0-47-generic" error=unable to determine executable kind: unable to read en

I have created the docker container locally using the Dockerfile above and

docker buildx build -t github.com/rplessl/syft-test-go-docker:1.0.005 .

(If I remove the installation of gocover-cobertura, the symptom disappears ... but that is another route to a solution, separate from my syft problem.)

@kzantow kzantow moved this to In Review in OSS Mar 27, 2024
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Mar 27, 2024
@spiffcs spiffcs changed the title syft 1.1.0 runtime error: invalid memory address or nil pointer dereference fix: panic scanning binaries without symtab Apr 4, 2024
@spiffcs spiffcs changed the title fix: panic scanning binaries without symtab fix panic scanning binaries without symtab Apr 4, 2024