Closed
Description
Our Docker Scan actions have been failing since the upgrade of the action to 7.0.1; we get a panic error.
Logs
Run anchore/scan-action@v7
  with:
    image: docker.platform.dev.nuxeo.com/nuxeo/nuxeo:2025.10.4
    severity-cutoff: medium
    output-format: table
    fail-build: true
    only-fixed: false
    add-cpes-if-none: false
    by-cve: false
  env:
    DOCKER_REGISTRY: docker.platform.dev.nuxeo.com
    DOCKER_REGISTRY_USERNAME: ***
    DOCKER_REGISTRY_PASSWORD: ***
Installing grype v0.101.0
Downloading grype v0.101.0 via https://raw.githubusercontent.com/anchore/grype/main/install.sh
sh /home/runner/work/_temp/c42ac799-4e4e-4194-8034-aa7cfbbdfd4b -d -b /tmp/grype-download-Jd7o64 v0.101.0
[info] checking github for release tag='v0.101.0'
[debug] http_download(url=https://github.com/anchore/grype/releases/v0.101.0)
[info] fetching release script for tag='v0.101.0'
[debug] http_download(url=https://get.anchore.io/grype/v0.101.0/install.sh)
[info] checking github for release tag='v0.101.0'
[debug] http_download(url=https://github.com/anchore/grype/releases/v0.101.0)
[info] using release tag='v0.101.0' version='0.101.0' os='linux' arch='amd64'
[debug] downloading files into /tmp/tmp.3XxVZevjg3
[debug] http_download(url=https://github.com/anchore/grype/releases/download/v0.101.0/grype_0.101.0_checksums.txt)
[debug] http_download(url=https://github.com/anchore/grype/releases/download/v0.101.0/grype_0.101.0_linux_amd64.tar.gz)
[info] installed /tmp/grype-download-Jd7o64/grype
/opt/hostedtoolcache/grype/0.101.0/x64/grype -v -o table --file /tmp/grype-Lvfkoh/output --fail-on medium docker.platform.dev.nuxeo.com/nuxeo/nuxeo:2025.10.4
[0000] INFO grype version: 0.101.0
[0000] INFO docker pulling image image=docker.platform.dev.nuxeo.com/nuxeo/nuxeo:2025.10.4
[0000] INFO docker pulled image image=docker.platform.dev.nuxeo.com/nuxeo/nuxeo:2025.10.4 time=3.49948ms
[0000] INFO downloading new vulnerability DB
[0010] INFO downloaded vulnerability DB time=10.320603337s url=https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.1_2025-10-15T01:31:38Z_1760508614.tar.zst?checksum=sha256%3A4293ed84e7dd233bddad4ddb766ec42413ce11c55f4c2f8c5e157e47eff9f2cc
[0029] INFO docker saved image image=docker.platform.dev.nuxeo.com/nuxeo/nuxeo:2025.10.4 path=/tmp/stereoscope-1403556011/docker-daemon-image-3526900079/image.tar time=29.350574767s
[0044] INFO completed image read digest=sha256:06c8f5922088f3971e455c49665770e2c2a11dff448a5afd8f7193b0c7138c00 mediaType=application/vnd.docker.distribution.manifest.v2+json tags=[docker.platform.dev.nuxeo.com/nuxeo/nuxeo:2025.10.4] time=15.298144277s
[0047] INFO task completed elapsed=433.617µs task=environment-cataloger
[0047] INFO task completed elapsed=1.050389ms task=php-composer-installed-cataloger
[0047] INFO task completed elapsed=93.554µs task=r-package-cataloger
[0047] INFO task completed elapsed=115.415µs task=javascript-package-cataloger
[0047] INFO task completed elapsed=10.718846ms task=ruby-installed-gemspec-cataloger
[0047] INFO task completed elapsed=76.021µs task=php-pear-serialized-cataloger
[0047] INFO task completed elapsed=10.928196ms task=alpm-db-cataloger
[0047] INFO task completed elapsed=11.013454ms task=apk-db-cataloger
[0047] INFO task completed elapsed=11.432044ms task=dpkg-db-cataloger
[0047] INFO task completed elapsed=11.540997ms task=portage-cataloger
[0047] INFO task completed elapsed=11.735759ms task=conan-info-cataloger
[0047] INFO task completed elapsed=104.559627ms task=dotnet-deps-binary-cataloger
[0047] INFO task completed elapsed=115.022757ms task=dotnet-packages-lock-cataloger
[0047] INFO task completed elapsed=114.163µs task=lua-rock-cataloger
[0047] INFO task completed elapsed=341.096135ms task=cargo-auditable-binary-cataloger
[0048] INFO task completed elapsed=848.752908ms task=python-installed-package-cataloger
[0048] INFO task completed elapsed=43.94185ms task=pe-binary-package-cataloger
[0048] INFO task completed elapsed=73.872932ms task=java-jvm-cataloger
[0048] INFO task completed elapsed=915.631147ms task=binary-classifier-cataloger
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x1e85afb]
goroutine 4466 [running]:
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveProperty(0x0, {0x36e52b0, 0xc02a0fc810}, {0xc0169a3878, 0x1, 0x1}, {0xc0187e9ea2, 0xc}, {0x0, 0x0, ...})
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/internal/maven/resolver.go:146 +0x45b
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveExpression.func1({0xc0187e9ea0, 0xf})
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/internal/maven/resolver.go:109 +0x22b
regexp.(*Regexp).ReplaceAllStringFunc.func1({0xc02777e6a8, 0x17, 0x18}, {0xc01e33af60?, 0x1?, 0x0?})
/opt/hostedtoolcache/go/1.24.7/x64/src/regexp/regexp.go:598 +0x85
regexp.(*Regexp).replaceAll(0xc0004068c0, {0x0, 0x0, 0x0}, {0xc0187e9e90, 0x2d}, 0x2, 0xc0187fef40)
/opt/hostedtoolcache/go/1.24.7/x64/src/regexp/regexp.go:636 +0x3e3
regexp.(*Regexp).ReplaceAllStringFunc(0xc00036ec40?, {0xc0187e9e90?, 0x1?}, 0xc01c63d260?)
/opt/hostedtoolcache/go/1.24.7/x64/src/regexp/regexp.go:597 +0x4b
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveExpression(0x0, {0x36e52b0, 0xc02a0fc810}, {0xc0169a3878, 0x1, 0x1}, {0xc0187e9e90, 0x2d}, {0x0, 0x0, ...})
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/internal/maven/resolver.go:106 +0x21b
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolvePropertyValue(0xc028184960?, {0x36e52b0?, 0xc02a0fc810?}, 0xc027efca70, {0x0?, 0x1?, 0xc02a0fc810?}, {0xc0169a3878, 0x1, 0x1})
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/internal/maven/resolver.go:93 +0x75
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).ResolveProperty(...)
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/internal/maven/resolver.go:83
github.com/anchore/syft/syft/pkg/cataloger/java.newPomProject({0x36e52b0, 0xc02a0fc810}, 0x0, {0xc0231d49c0, 0x40}, 0xc028184960)
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/parse_pom_xml.go:225 +0x4d8
github.com/anchore/syft/syft/pkg/cataloger/java.(*archiveParser).discoverMainPackage(0xc01832c000, {0x36e52b0, 0xc02a0fc810})
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/archive_parser.go:266 +0x531
github.com/anchore/syft/syft/pkg/cataloger/java.(*archiveParser).parse(0xc01832c000, {0x36e52b0, 0xc02a0fc810}, 0x0)
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/archive_parser.go:140 +0x45
github.com/anchore/syft/syft/pkg/cataloger/java.genericArchiveParserAdapter.processJavaArchive({{{0x1, 0x0}, 0x0, 0x0, {0xc0001536e0, 0x1b}, {0x2eeef4d, 0x1e}, 0x0, 0x0}}, ...)
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/archive_parser.go:88 +0x1a8
github.com/anchore/syft/syft/pkg/cataloger/java.genericArchiveParserAdapter.parseJavaArchive(...)
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/archive_parser.go:77
github.com/anchore/syft/syft/pkg/cataloger/generic.invokeParser({0x36e52b0, 0xc02a0fc810}, {0x36f47a0, 0xc01105e2b0}, {{{{0xc004c08fc0, 0x36}, {0xc004f8b130, 0x47}}, {0xc004c08fc0, 0x36}, ...}, ...}, ...)
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/generic/cataloger.go:217 +0x3fe
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog.func1({{{{{...}, {...}}, {0xc004c08fc0, 0x36}, {0xe354, {...}}}, {0xc02a07ec90}}, 0xc00771bd40})
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/generic/cataloger.go:186 +0x208
github.com/anchore/go-sync.Collect[...].func1()
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/collector.go:36 +0xfa
github.com/anchore/go-sync.(*errGroupExecutor).Go.func1()
/home/runner/go/pkg/mod/github.com/anchore/[email protected]/executor_errgroup.go:37 +0x83
golang.org/x/sync/errgroup.(*Group).Go.func1()
/home/runner/go/pkg/mod/golang.org/x/[email protected]/errgroup/errgroup.go:93 +0x50
created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 172
/home/runner/go/pkg/mod/golang.org/x/[email protected]/errgroup/errgroup.go:78 +0x93
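In the trace above, `resolveProperty` and `resolveExpression` are entered with receiver `0x0` and the fault address is `0x38`, which is consistent with a method called on a nil pointer that then loads a field at that offset. The Go program below is an added illustration of that failure mode and of two defensive patterns (a nil-receiver guard and a recover boundary around each parser call); it is not syft's or grype's code. The names `resolver`, `lookup`, `safeLookup` and `catalogOne` are hypothetical, and the struct layout is constructed to reproduce the offset.

```go
package main

import (
	"fmt"
	"unsafe"
)

// resolver is a hypothetical stand-in, not syft's maven.Resolver. The padding
// puts cache at offset 0x38 so the layout matches the addr= value in the trace.
type resolver struct {
	_     [0x38]byte
	cache map[string]string
}

// cacheOffset is the address a nil *resolver faults at when cache is read.
func cacheOffset() uintptr { return unsafe.Offsetof(resolver{}.cache) }

// lookup mirrors the failing shape: Go lets the call through on a nil
// receiver and only faults when the method loads a field.
func (r *resolver) lookup(key string) string { return r.cache[key] }

// safeLookup is the guarded form: a nil receiver means "nothing resolved".
func (r *resolver) safeLookup(key string) string {
	if r == nil {
		return ""
	}
	return r.cache[key]
}

// catalogOne runs one parser call and turns a panic into an error, so one
// bad archive is reported instead of killing the whole scan process.
func catalogOne(parse func() string) (out string, err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("parser panicked: %v", p)
		}
	}()
	return parse(), nil
}

func main() {
	var r *resolver // nil, like the 0x0 receiver in the trace
	fmt.Printf("field offset: %#x\n", cacheOffset())
	_, err := catalogOne(func() string { return r.lookup("project.version") })
	fmt.Println("unguarded:", err)
	out, err := catalogOne(func() string { return r.safeLookup("project.version") })
	fmt.Printf("guarded: %q, err=%v\n", out, err)
}
```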