
Comments (2)

tgerla avatar tgerla commented on June 2, 2024

Hi @rplessl, thank you for the report. I am trying to reproduce this in my environment (macOS) and failing. I've tried setting up a go.mod to include just the package referenced in the error message and I've also tried scanning just the offending binary (clang-386-darwin.obj) separately, but I can't get the same crash. Do you by chance have a public container that we could look at to reproduce? Alternatively would you be able to run this scan on a different system to see if it reproduces there, too? Thanks!

from syft.

rplessl avatar rplessl commented on June 2, 2024

Hi @tgerla!

It was not so easy to reproduce this image with public images, but I got a Dockerfile snippet with exactly the same behavior.

In our pipeline we are running linux/amd64 (and locally I run Docker Desktop on an ARM Mac using the virtualization, not Rosetta).

With the Dockerfile

FROM golang:1.22.1-alpine as golang

FROM alpine:3.19.1
LABEL maintainer="Delivery Platform"

# install used tools from system packages
RUN apk add --no-cache bash ca-certificates openssl curl grep git docker-cli \
            gettext unzip jq yq ruby ruby-bundler

# Add docker settings (so this runs on build runners)
ENV DOCKER_HOST=tcp://docker:2376
ENV DOCKER_CERT_PATH=/certs/client
ENV DOCKER_TLS_VERIFY=1

# Prepare Go installation
ENV GOPATH /go
ENV GOPRIVATE=github.com/rplessl
ENV PATH="/go/bin:/usr/local/go/bin:${PATH}"

# Use this for cgo compilation
RUN apk add --no-cache libc6-compat gcc libc-dev

# Install golang
COPY --from=golang /usr/local/go/ /usr/local/go/

# Converter tool to create Cobertura reports from gocover
RUN go install github.com/avbm/gocover-cobertura@latest

USER root

I get the same error with syft 1.1.0 (but not on syft 1.0.1):

syft-1.1.0 scan github.com/rplessl/syft-test-go-docker:1.0.005  --output cyclonedx-json=./reports/sbom/sbom-img.json
 ✔ Loaded image                                                                                                       github.com/rplessl/syft-test-go-docker:1.0.005
 ✔ Parsed image                                                                              sha256:4094810592e59c7eeb9dcb78bc1f22516e3a39afb6b4ccf5c04b01ee672c880b
 ⠏ Cataloging contents             ━━━━━━━━━━━━━━━━━━━━                                             8653b3db7b05b78c9e0ac2791a3353b34f1aa00d4a64e4cdb1d50433342b9246
   ├── ⠏ Packages                        [208 packages]
   ├── ✔ File digests                    [2,569 files]
   ├── ✔ File metadata                   [2,569 locations]
   └── ⠹ Executables                     ━━━━━━━━━━━━━━━━━━━━  [/go/pkg/mod/golang.org/x/[email protected]/cmd/splitdwarf/internal/macho/testdata/gcc-amd64-darwin-exec-deb
[0011]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-25
[0011]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-35
[0012]  WARN cataloger failed cataloger=linux-kernel-cataloger error=unable to get magic type for file: EOF location=/usr/local/go/src/debug/pe/testdata/vmlinuz-4.15.
[0013]  WARN unable to process executable "/go/pkg/mod/golang.org/x/[email protected]/cmd/splitdwarf/internal/macho/testdata/clang-386-darwin.obj" error=unable to determin
failed to run tasks: 1 error occurred:
	* failed to run task: runtime error: invalid memory address or nil pointer dereference at:
goroutine 6054 [running]:
runtime/debug.Stack()
	/opt/hostedtoolcache/go/1.21.8/x64/src/runtime/debug/stack.go:24 +0x5e
github.com/anchore/syft/internal/task.runTaskSafely.func1()
	/home/runner/work/syft/syft/internal/task/executor.go:67 +0x3d
panic({0x16a1600?, 0x2b8b7e0?})
	/opt/hostedtoolcache/go/1.21.8/x64/src/runtime/panic.go:914 +0x21f
github.com/anchore/syft/syft/file/cataloger/executable.machoHasExports(...)
	/home/runner/work/syft/syft/syft/file/cataloger/executable/macho.go:60
github.com/anchore/syft/syft/file/cataloger/executable.findMachoFeatures(0xc004ebd3c0, {0x7fffb825cca0?, 0xc0028ccf00})
	/home/runner/work/syft/syft/syft/file/cataloger/executable/macho.go:35 +0x19e
github.com/anchore/syft/syft/file/cataloger/executable.processExecutable({{{{0xc00238e230, 0x68}, {0xc001166e10, 0x47}}, {0xc002f98620, 0x68}, {0x4b53, {0xc00238e230, 0x68}}}, {0xc002893050}}, ...)
	/home/runner/work/syft/syft/syft/file/cataloger/executable/cataloger.go:168 +0x3cc
github.com/anchore/syft/syft/file/cataloger/executable.(*Cataloger).Catalog(0xc0032b8030, {0x1eacee0, 0xc00022e780})
	/home/runner/work/syft/syft/syft/file/cataloger/executable/cataloger.go:77 +0x51a
github.com/anchore/syft/internal/task.NewExecutableCatalogerTask.func1({0x1ea4fa0?, 0xc000657eb0?}, {0x1eacee0, 0xc00022e780}, {0x1ea26e0?, 0xc0039de860})
	/home/runner/work/syft/syft/internal/task/file_tasks.go:114 +0x57
github.com/anchore/syft/internal/task.task.Execute(...)
	/home/runner/work/syft/syft/internal/task/task.go:64
github.com/anchore/syft/internal/task.runTaskSafely({0x1ea4fa0?, 0xc00003f180?}, {0x1e9ddb0?, 0xc000223ec0?}, {0x1eacee0?, 0xc00022e780?}, {0x1ea26e0?, 0xc0039de860?})
	/home/runner/work/syft/syft/internal/task/executor.go:71 +0xa7
github.com/anchore/syft/internal/task.(*Executor).Execute.func1()
	/home/runner/work/syft/syft/internal/task/executor.go:49 +0x131
created by github.com/anchore/syft/internal/task.(*Executor).Execute in goroutine 65
	/home/runner/work/syft/syft/internal/task/executor.go:40 +0x8a

syft-1.0.1 scan github.com/rplessl/syft-test-go-docker:1.0.005  --output cyclonedx-json=./reports/sbom/sbom-img.json
 ✔ Loaded image                                                                                                       github.com/rplessl/syft-test-go-docker:1.0.005
 ✔ Parsed image                                                                              sha256:4094810592e59c7eeb9dcb78bc1f22516e3a39afb6b4ccf5c04b01ee672c880b
 ✔ Cataloged contents                                                                               8653b3db7b05b78c9e0ac2791a3353b34f1aa00d4a64e4cdb1d50433342b9246
   ├── ✔ Packages                        [208 packages]
   ├── ✔ File digests                    [2,569 files]
   ├── ✔ File metadata                   [2,569 locations]
   └── ✔ Executables                     [327 executables]
[0012]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-18
[0012]  WARN cataloger failed cataloger=java-archive-cataloger error=unable to read files from java archive: unable to open zip archive (/tmp/syft-archive-contents-24
[0012]  WARN cataloger failed cataloger=linux-kernel-cataloger error=unable to get magic type for file: EOF location=/usr/local/go/src/debug/pe/testdata/vmlinuz-4.15.
[0013]  WARN unable to process executable "/go/pkg/mod/golang.org/x/[email protected]/cmd/splitdwarf/internal/macho/testdata/clang-386-darwin.obj" error=unable to determin
[0014]  WARN unable to process executable "/usr/local/go/src/debug/pe/testdata/vmlinuz-4.15.0-47-generic" error=unable to determine executable kind: unable to read en

I have created the Docker container locally using the Dockerfile above and

docker buildx build -t github.com/rplessl/syft-test-go-docker:1.0.005 .

(If I remove the installation of gocover-cobertura, the symptom disappears ... but that is another vector of solution besides my syft problem.)

from syft.
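
Added example, not code from this thread or from syft: the trace above ends in a nil pointer dereference inside a Mach-O export check, and Go's standard `debug/macho` leaves `File.Symtab` nil whenever a file has no LC_SYMTAB load command. The sketch assumes that is the nil value involved; the function names, the constructed header bytes and the "external and defined in a section" export test are all hypothetical.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"fmt"
)

// headerOnlyMachO builds a constructed 32-bit Mach-O object with zero load commands.
func headerOnlyMachO() []byte {
	// magic, cpu, subcpu (3 = i386 "all"), file type, ncmds, sizeofcmds, flags
	hdr := []uint32{macho.Magic32, uint32(macho.Cpu386), 3, uint32(macho.TypeObj), 0, 0, 0}
	buf := new(bytes.Buffer)
	for _, v := range hdr {
		binary.Write(buf, binary.LittleEndian, v)
	}
	buf.Write(make([]byte, 4)) // padding so reads at the header's end stay in range
	return buf.Bytes()
}

// hasExportsUnguarded shows the failure shape: it assumes a symbol table exists.
func hasExportsUnguarded(f *macho.File) bool {
	for _, s := range f.Symtab.Syms { // nil dereference when LC_SYMTAB is absent
		if s.Type&0x01 != 0 && s.Sect != 0 { // N_EXT bit set and defined in a section
			return true
		}
	}
	return false
}

// hasExportsGuarded treats a missing symbol table as "no exports" instead of crashing.
func hasExportsGuarded(f *macho.File) bool {
	if f == nil || f.Symtab == nil {
		return false
	}
	return hasExportsUnguarded(f)
}

// panics reports whether fn panicked, the way a recovering task runner would see it.
func panics(fn func()) (p bool) {
	defer func() { p = recover() != nil }()
	fn()
	return false
}

func main() {
	f, err := macho.NewFile(bytes.NewReader(headerOnlyMachO()))
	fmt.Println("parse error:", err, "| symtab is nil:", f != nil && f.Symtab == nil)
	fmt.Println("unguarded panics:", panics(func() { hasExportsUnguarded(f) }), "| guarded:", hasExportsGuarded(f))
}
```

The file parses without error, so a successful `macho.NewFile` is not evidence that optional tables are present; scanners that walk arbitrary files in an image (including test fixtures pulled in by `go install`) need the nil check on every optional load-command field.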
