Trvivy scan throw's fatal error: runtime: out of memory. OR hang-up the entire system for few min and got killed at last

[gobardhan]

Description

For a npm project with following configuration of workspace inside package.json Trivy not able to perform the scan for any scanners.
"workspaces": [ "./" ]

After debugging it I found that it's due the below code inside package-lock.json
"node_modules/@ffdev/bryntum-components": { "resolved": "", "link": true },
It's started working fine if I remove the above part of code from package-lock.json.

Desired Behavior

Trivy should able to scan the repository with such kind of configuration for package.json & package-lock.json without throwing any error.

Actual Behavior

Trvivy scan throw's fatal error: runtime: out of memory. Command trivy fs .
And running trivy in debug mode hang-up my system and in last killed by system. Command trvy fs . -d

Reproduction Steps

1. For any npm project inside the package.json file define workspace like ` "workspaces": ["./"] `
2. Do npm install
3. Execute trivy scanning by command `trivy fs .` OR `trivy fs . -d`

Target

Filesystem

Scanner

None

Output Format

None

Mode

Standalone

Debug Output

trivy fs .
2024/06/04 15:58:56 INFO Loaded file_path=trivy.yaml
2024-06-04T15:58:56+05:30       INFO    Vulnerability scanning is enabled
2024-06-04T15:58:56+05:30       INFO    [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="node_modules"
fatal error: runtime: out of memory

runtime stack:
runtime.throw({0x8423caf?, 0x2037cb?})
        /opt/hostedtoolcache/go/1.22.3/x64/src/runtime/panic.go:1023 +0x5c fp=0xc000613e10 sp=0xc000613de0 pc=0x43e67c
runtime.sysMapOS(0xc279000000, 0x1cacc00000)
        /opt/hostedtoolcache/go/1.22.3/x64/src/runtime/mem_linux.go:167 +0x11b fp=0xc000613e50 sp=0xc000613e10 pc=0x41c5bb
runtime.sysMap(0xc279000000, 0x1cacc00000, 0xd5ecaa8?)
.
.
.

Operating System

Ubuntu 22.04.4 LTS

Version

Version: 0.51.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-04 06:11:34.940587192 +0000 UTC
  NextUpdate: 2024-06-04 12:11:34.940586981 +0000 UTC
  DownloadedAt: 2024-06-04 08:58:30.997724006 +0000 UTC
Check Bundle:
  Digest: sha256:274208f3b043e73d2f1e5d9baed30d77c33bb164b8f2e580020e9c5931c71df4
  DownloadedAt: 2024-06-03 09:58:55.819249061 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[gobardhan]

You can use this test repository as ref: https://github.com/gobardhan/test

[nikpivkin]

Hi @gobardhan !

Track #6854