
panic while resolving maven properties in archive parser #4288

@noahbailey


Our pipeline started crashing with a SIGSEGV (a Go nil pointer dereference panic, see the log below) after we upgraded to 0.101.0. Rolling back fixed this.
This environment uses self-hosted Bitbucket runners, all on x64 Intel boxes.

Command line:

docker run -v $BITBUCKET_CLONE_DIR:/src anchore/grype:${GRYPE_VERSION} /src -o json --exclude **/node_modules > TestResults/vulnerabilities.json

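Error log (in the `resolveProperty` and `resolveExpression` frames the `*Resolver` receiver, the first argument shown, is `0x0`, so these methods are running on a nil resolver):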

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x1e85afb]
goroutine 2449 [running]:
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveProperty(0x0, {0x36e52b0, 0xc000aef980}, {0xc000ca2bd0, 0x1, 0x1}, {0xc0090007e6, 0x13}, {0x0, 0x0, ...})
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/internal/maven/resolver.go:146 +0x45b
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveExpression.func1({0xc0090007e4, 0x16})
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/internal/maven/resolver.go:109 +0x22b
regexp.(*Regexp).ReplaceAllStringFunc.func1({0xc0068e8ed0, 0x14, 0x18}, {0xc009040380?, 0x1?, 0x0?})
	/opt/hostedtoolcache/go/1.24.7/x64/src/regexp/regexp.go:598 +0x85
regexp.(*Regexp).replaceAll(0xc0003e8b40, {0x0, 0x0, 0x0}, {0xc0090007d0, 0x41}, 0x2, 0xc00903ef40)
	/opt/hostedtoolcache/go/1.24.7/x64/src/regexp/regexp.go:636 +0x3e3
regexp.(*Regexp).ReplaceAllStringFunc(0xc000468f00?, {0xc0090007d0?, 0x1?}, 0xc0068eb620?)
	/opt/hostedtoolcache/go/1.24.7/x64/src/regexp/regexp.go:597 +0x4b
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveExpression(0x0, {0x36e52b0, 0xc000aef980}, {0xc000ca2bd0, 0x1, 0x1}, {0xc0090007d0, 0x41}, {0x0, 0x0, ...})
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/internal/maven/resolver.go:106 +0x21b
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolvePropertyValue(0x0?, {0x36e52b0?, 0xc000aef980?}, 0xc006891940, {0x0?, 0x1?, 0xc000aef980?}, {0xc000ca2bd0, 0x1, 0x1})
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/internal/maven/resolver.go:93 +0x75
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).ResolveProperty(...)
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/internal/maven/resolver.go:83
github.com/anchore/syft/syft/pkg/cataloger/java.newPomProject({0x36e52b0, 0xc000aef980}, 0x0, {0xc009000640, 0x48}, 0xc001f68c30)
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/parse_pom_xml.go:214 +0x198
github.com/anchore/syft/syft/pkg/cataloger/java.(*archiveParser).discoverMainPackage(0xc0068d4200, {0x36e52b0, 0xc000aef980})
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/archive_parser.go:266 +0x531
github.com/anchore/syft/syft/pkg/cataloger/java.(*archiveParser).parse(0xc0068d4200, {0x36e52b0, 0xc000aef980}, 0x0)
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/archive_parser.go:140 +0x45
github.com/anchore/syft/syft/pkg/cataloger/java.genericArchiveParserAdapter.processJavaArchive({{{0x1, 0x0}, 0x0, 0x0, {0xc000a8c9e0, 0xf}, {0x2eeef4d, 0x1e}, 0x0, 0x0}}, ...)
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/archive_parser.go:88 +0x1a8
github.com/anchore/syft/syft/pkg/cataloger/java.genericArchiveParserAdapter.parseJavaArchive(...)
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/java/archive_parser.go:77
github.com/anchore/syft/syft/pkg/cataloger/generic.invokeParser({0x36e52b0, 0xc000aef980}, {0x36f4698, 0xc000ad1a70}, {{{{0xc000aa6b44, 0x42}, {0x0, 0x0}}, {0xc000aa6b44, 0x42}, ...}, ...}, ...)
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/generic/cataloger.go:217 +0x3fe
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog.func1({{{{{...}, {...}}, {0xc000aa6b44, 0x42}, {0xf8c, {...}}}, {0xc000958ae0}}, 0xc000aae100})
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/syft/pkg/cataloger/generic/cataloger.go:186 +0x208
github.com/anchore/go-sync.Collect[...].func1()
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/collector.go:36 +0xfa
github.com/anchore/go-sync.(*errGroupExecutor).Go.func1()
	/home/runner/go/pkg/mod/github.com/anchore/[email protected]/executor_errgroup.go:37 +0x83
golang.org/x/sync/errgroup.(*Group).Go.func1()
	/home/runner/go/pkg/mod/golang.org/x/[email protected]/errgroup/errgroup.go:93 +0x50
created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 180
	/home/runner/go/pkg/mod/golang.org/x/[email protected]/errgroup/errgroup.go:78 +0x93

Happy to provide more info if needed.
Cheers


Labels

bug: Something isn't working


Projects

Status

Done
