Originally posted by scott-boost May 25, 2024
Description

When I try to convert a Trivy JSON to CycloneDX, I get the following error:

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x28 pc=0x10941ea6c]
```

Desired Behavior

a cyclonedx json file

Actual Behavior

segmentation violation error

Reproduction Steps

1. `trivy image --format cyclonedx ubuntu:latest --output /tmp/cdx_without_vulns.json`
2. `trivy sbom --format json --output /tmp/trivy_with_vulns.json /tmp/cdx_without_vulns.json`
3. `trivy convert --format cyclonedx /tmp/trivy_with_vulns.json`

Target

SBOM

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

```
2024-05-24T14:06:54-04:00 DEBUG ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2024-05-24T14:06:54-04:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-24T14:06:54-04:00 INFO "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-05-24T14:06:54-04:00 DEBUG Writing report to output...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x28 pc=0x106772a6c]

goroutine 1 [running]:
github.com/aquasecurity/trivy/pkg/sbom/core.(*BOM).Root(0x0)
	github.com/aquasecurity/trivy/pkg/sbom/core/bom.go:279 +0x1c
github.com/aquasecurity/trivy/pkg/sbom/io.(*Encoder).rootComponent(_, {0x2, {0x137f2660, 0xedde2cb7d, 0x10f5ce840}, {0x14001720ca0, 0x1b}, {0x14002cdc9a7, 0x9}, {0x0, ...}, ...})
	github.com/aquasecurity/trivy/pkg/sbom/io/encode.go:86 +0x140
github.com/aquasecurity/trivy/pkg/sbom/io.(*Encoder).Encode(_, {0x2, {0x137f2660, 0xedde2cb7d, 0x10f5ce840}, {0x14001720ca0, 0x1b}, {0x14002cdc9a7, 0x9}, {0x0, ...}, ...})
	github.com/aquasecurity/trivy/pkg/sbom/io/encode.go:31 +0x4c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*Marshaler).MarshalReport(_, {_, _}, {0x2, {0x137f2660, 0xedde2cb7d, 0x10f5ce840}, {0x14001720ca0, 0x1b}, {0x14002cdc9a7, ...}, ...})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/marshal.go:52 +0x6c
github.com/aquasecurity/trivy/pkg/report/cyclonedx.Writer.Write({{_, _}, _, {{_, _}, _, _}}, {_, _}, {0x2, ...})
	github.com/aquasecurity/trivy/pkg/report/cyclonedx/cyclonedx.go:31 +0x78
github.com/aquasecurity/trivy/pkg/report.Write({_, _}, {0x2, {0x137f2660, 0xedde2cb7d, 0x10f5ce840}, {0x14001720ca0, 0x1b}, {0x14002cdc9a7, 0x9}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/report/writer.go:99 +0x778
github.com/aquasecurity/trivy/pkg/commands/convert.Run({_, _}, {{{0x108856773, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0x1400281a8a0, ...}, ...}, ...})
	github.com/aquasecurity/trivy/pkg/commands/convert/run.go:43 +0x498
github.com/aquasecurity/trivy/pkg/commands.NewConvertCommand.func2(0x140028eb208, {0x14002b6e840, 0x1, 0x4})
	github.com/aquasecurity/trivy/pkg/commands/app.go:525 +0x154
github.com/spf13/cobra.(*Command).execute(0x140028eb208, {0x14002b6e800, 0x4, 0x4})
	github.com/spf13/cobra@v1.8.0/command.go:983 +0x840
github.com/spf13/cobra.(*Command).ExecuteC(0x14000205208)
	github.com/spf13/cobra@v1.8.0/command.go:1115 +0x344
github.com/spf13/cobra.(*Command).Execute(0x1088c4026?)
	github.com/spf13/cobra@v1.8.0/command.go:1039 +0x1c
main.run()
	github.com/aquasecurity/trivy/cmd/trivy/main.go:41 +0x158
main.main()
	github.com/aquasecurity/trivy/cmd/trivy/main.go:19 +0x20
```

Operating System

macOS Sonoma 14.4.1

Version

Version: 0.51.4

Checklist

trivy image --reset
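A triage helper for the goroutine dump in this report, added here as an example (it is not part of the original issue and not Trivy code): it finds the first pointer-receiver method called with a nil (`0x0`) receiver and the frame that called it. The names `firstNilReceiver`, `Frame`, `nilRecv` and `sampleTrace` are hypothetical, and the embedded trace is a shortened excerpt of the dump above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleTrace: first two frames of the dump in this report, with the long
// argument list of the second frame shortened (constructed excerpt).
const sampleTrace = `goroutine 1 [running]:
github.com/aquasecurity/trivy/pkg/sbom/core.(*BOM).Root(0x0)
	github.com/aquasecurity/trivy/pkg/sbom/core/bom.go:279 +0x1c
github.com/aquasecurity/trivy/pkg/sbom/io.(*Encoder).rootComponent(_, ...)
	github.com/aquasecurity/trivy/pkg/sbom/io/encode.go:86 +0x140
`

// nilRecv matches a pointer-receiver method whose first argument word is 0x0.
var nilRecv = regexp.MustCompile(`^(\S+\.\(\*\w+\)\.\w+)\(0x0[,)]`)

// Frame is one stack entry: function name and source location (file:line).
type Frame struct{ Func, Loc string }

// firstNilReceiver returns the first method frame invoked on a nil pointer
// receiver and the frame that called it; ok is false if no such frame exists.
func firstNilReceiver(trace string) (callee, caller Frame, ok bool) {
	lines := strings.Split(strings.TrimSpace(trace), "\n")
	for i := 0; i+1 < len(lines); i++ {
		fn, loc := lines[i], strings.TrimLeft(lines[i+1], " \t")
		open := strings.LastIndex(fn, "(")
		if fn != strings.TrimLeft(fn, " \t") || loc == lines[i+1] || loc == "" || open < 0 {
			continue // not a "function line + indented location line" pair
		}
		f := Frame{fn[:open], strings.Fields(loc)[0]}
		if ok { // the frame right after the nil-receiver frame is its caller
			return callee, f, true
		}
		if nilRecv.MatchString(fn) {
			callee, ok = f, true
		}
	}
	return callee, caller, ok
}

func main() {
	callee, caller, ok := firstNilReceiver(sampleTrace)
	fmt.Println(ok, callee, caller)
}
```

The caller frame is the place to look for the missing nil check, since that is where the nil pointer was handed to the method.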
convert
DmitriyLewen
Discussed in #6775