syft erlang cataloger can segfault when analyzing an erlang project containing rebar.lock with nested deps #1621

Closed
nurmi opened this issue Feb 24, 2023 · 0 comments · Fixed by #1628
Assignees
Labels
bug Something isn't working

Comments

@nurmi
Member

nurmi commented Feb 24, 2023

What happened:

Using syft 0.73.0 to analyze an Erlang project that contains a rebar.lock with some nested dependencies included, the erlang-rebar-lock-cataloger segfaults. Below is an example against a checkout of https://github.com/vernemq/vernemq

# syft .
 ⠋ Indexing .              [file: /root/vernemq/.travis.yml]
 ⠋ Cataloging packages     [packages 0]panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0xc0 pc=0xd2b0ba]

goroutine 13 [running]:
github.com/anchore/syft/syft/pkg/cataloger/erlang.parseRebarLock({0x2000?, 0xc000873970?}, 0x4ef5c5?, {{{{0xc000706c3e, 0xa}, {0x0, 0x0}}, {0x0, 0x0}, {0x21e, ...}}, ...})
	/home/runner/work/syft/syft/syft/pkg/cataloger/erlang/parse_rebar_lock.go:46 +0x31a
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog(0xc000f39410, {0x14df300, 0xc000054300})
	/home/runner/work/syft/syft/syft/pkg/cataloger/generic/cataloger.go:129 +0x7ee
github.com/anchore/syft/syft/pkg/cataloger.runCataloger({0x14d5ca8, 0xc000f39410}, {0x14df300?, 0xc000054300})
	/home/runner/work/syft/syft/syft/pkg/cataloger/catalog.go:57 +0x188
github.com/anchore/syft/syft/pkg/cataloger.Catalog.func1()
	/home/runner/work/syft/syft/syft/pkg/cataloger/catalog.go:127 +0x105
created by github.com/anchore/syft/syft/pkg/cataloger.Catalog
	/home/runner/work/syft/syft/syft/pkg/cataloger/catalog.go:122 +0x2b0

What you expected to happen:

Safe handling of any cataloger failures (no segfault), if not an enhancement to the cataloger to support nested dep lines in rebar.lock files.

Steps to reproduce the issue:

git clone https://github.com/vernemq/vernemq
cd vernemq
syft .

Anything else we need to know?:

Removal of all lines like this from the rebar.lock file:

 {<<"eleveldb">>,
  {git,"https://github.com/vernemq/eleveldb.git",
       {ref,"061405f34cd4a0780ff22c550c256ad8fcffa861"}},
  0},

leaving only lines like this:

 {<<"goldrush">>,{pkg,<<"goldrush">>,<<"0.1.9">>},1},

results in successful analysis.

Environment:

  • Output of syft version:
  • OS (e.g.: cat /etc/os-release or similar):
# syft version
Application:        syft
Version:            0.73.0
JsonSchemaVersion:  7.0.0
BuildDate:          2023-02-22T19:21:46Z
GitCommit:          aa151da5fe2a1b11502c852fd2d3ad462c1d245f
GitDescription:     v0.73.0
Platform:           linux/amd64
GoVersion:          go1.19.6
Compiler:           gc

# cat /etc/os-release
NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"
@nurmi nurmi added the bug Something isn't working label Feb 24, 2023
@kzantow kzantow self-assigned this Feb 24, 2023
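The report shows two rebar.lock entry shapes: a flat hex.pm `{pkg,...}` entry and a nested, multi-line `{git,...,{ref,...}}` entry, and asks that an entry the cataloger does not understand be handled without a crash. The following Go example is added here to illustrate that; it is not syft's parse_rebar_lock.go and does not show how syft's fix works. The `Dep` type, the `ParseDeps` function, the two regular expressions and the made-up `{hg,...}` entry are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type Dep struct{ Name, Source, Version, URL, Ref string } // one dependency from a rebar.lock entry
// The two entry shapes quoted in the issue, matched once all whitespace is removed.
var pkgRe = regexp.MustCompile(`^\{<<"([^"]+)">>,\{pkg,<<"[^"]+">>,<<"([^"]+)">>\},\d+\}$`)
var gitRe = regexp.MustCompile(`^\{<<"([^"]+)">>,\{git,"([^"]+)",\{(?:ref|tag|branch),"([^"]+)"\}\},\d+\}$`)

// ParseDeps walks the dependency list once, tracking brace depth so a nested
// {git,...,{ref,...}} source stays inside its entry. An unrecognised shape becomes
// an error the caller can log and skip, not a blind dereference that crashes the cataloger.
func ParseDeps(depList string) (deps []Dep, errs []error) {
	compact := strings.Join(strings.Fields(depList), "") // git entries span several lines
	depth, start := 0, 0
	for i := 0; i < len(compact); i++ {
		switch compact[i] {
		case '{':
			if depth++; depth == 1 {
				start = i
			}
		case '}':
			if depth--; depth != 0 {
				continue
			}
			e := compact[start : i+1]
			if m := pkgRe.FindStringSubmatch(e); m != nil {
				deps = append(deps, Dep{Name: m[1], Source: "pkg", Version: m[2]})
			} else if m := gitRe.FindStringSubmatch(e); m != nil {
				deps = append(deps, Dep{Name: m[1], Source: "git", URL: m[2], Ref: m[3]})
			} else {
				errs = append(errs, fmt.Errorf("unsupported rebar.lock entry: %s", e))
			}
		}
	}
	return deps, errs
}

func main() {
	// Constructed input: the two entries quoted in the issue plus a made-up hg source.
	deps, errs := ParseDeps(`[{<<"eleveldb">>,
  {git,"https://github.com/vernemq/eleveldb.git",{ref,"061405f34cd4a0780ff22c550c256ad8fcffa861"}},
  0},
 {<<"goldrush">>,{pkg,<<"goldrush">>,<<"0.1.9">>},1},{<<"odd">>,{hg,"https://example.invalid/odd"},0}]`)
	fmt.Println(len(deps), "deps parsed;", len(errs), "skipped:", errs)
}
```

Run as-is, it reports two parsed dependencies and one skipped entry; a real cataloger would log the returned errors and continue with the packages it did recognise.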