bug(npm): runtime: out of memory

[nikpivkin]

Discussed in #6853

^{Originally posted by gobardhan June 4, 2024}

Description

For a npm project with following configuration of workspace inside package.json Trivy not able to perform the scan for any scanners.
"workspaces": [ "./" ]

After debugging it I found that it's due the below code inside package-lock.json
"node_modules/@ffdev/bryntum-components": { "resolved": "", "link": true },
It's started working fine if I remove the above part of code from package-lock.json.

Desired Behavior

Trivy should able to scan the repository with such kind of configuration for package.json & package-lock.json without throwing any error.

Actual Behavior

Trvivy scan throw's fatal error: runtime: out of memory. Command trivy fs .
And running trivy in debug mode hang-up my system and in last killed by system. Command trvy fs . -d

Reproduction Steps

1. For any npm project inside the package.json file define workspace like ` "workspaces": ["./"] `
2. Do npm install
3. Execute trivy scanning by command `trivy fs .` OR `trivy fs . -d`

Target

Filesystem

Scanner

None

Output Format

None

Mode

Standalone

Debug Output

trivy fs .
2024/06/04 15:58:56 INFO Loaded file_path=trivy.yaml
2024-06-04T15:58:56+05:30       INFO    Vulnerability scanning is enabled
2024-06-04T15:58:56+05:30       INFO    [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="node_modules"
fatal error: runtime: out of memory

runtime stack:
runtime.throw({0x8423caf?, 0x2037cb?})
        /opt/hostedtoolcache/go/1.22.3/x64/src/runtime/panic.go:1023 +0x5c fp=0xc000613e10 sp=0xc000613de0 pc=0x43e67c
runtime.sysMapOS(0xc279000000, 0x1cacc00000)
        /opt/hostedtoolcache/go/1.22.3/x64/src/runtime/mem_linux.go:167 +0x11b fp=0xc000613e50 sp=0xc000613e10 pc=0x41c5bb
runtime.sysMap(0xc279000000, 0x1cacc00000, 0xd5ecaa8?)
.
.
.

Operating System

Ubuntu 22.04.4 LTS

Version

Version: 0.51.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-04 06:11:34.940587192 +0000 UTC
  NextUpdate: 2024-06-04 12:11:34.940586981 +0000 UTC
  DownloadedAt: 2024-06-04 08:58:30.997724006 +0000 UTC
Check Bundle:
  Digest: sha256:274208f3b043e73d2f1e5d9baed30d77c33bb164b8f2e580020e9c5931c71df4
  DownloadedAt: 2024-06-03 09:58:55.819249061 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @gobardhan
Thanks for your report!

I investigated your package-lock.json file. It seems that file incorrect:

    "node_modules/test": {
      "resolved": "",
      "link": true
    },

Link doesn't have resolved field.

Can you write steps to reproduce this case?

Regards, Dmitriy

[gobardhan]

Hi @DmitriyLewen
You can follow this step for any npm project

1. Inside the package.json add a new line to define workspace like "workspaces": ["./"]
2. Do npm Install (It will add "node_modules/pkg_name": {"resolved": "", "link": true} )
3. Run trivy fs .

[DmitriyLewen]

@gobardhan I can't reproduce this case:

root@a8ac21a6d13a:/app2# ls -hl function/
total 4.0K
-rw-r--r-- 1 root root 204 Jun  5 07:15 package.json

root@a8ac21a6d13a:/app2# cat package.json 
{
  "name": "app2",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "description": "",
  "workspaces": ["./"]
}
root@a8ac21a6d13a:/app2# npm install

up to date, audited 1 package in 308ms

found 0 vulnerabilities
root@a8ac21a6d13a:/app2# cat package-lock.json 
{
  "name": "app2",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "app2",
      "version": "1.0.0",
      "license": "ISC",
      "workspaces": [
        "./"
      ]
    }
  }
}

npm adds dependency from function/package.json only for "workspaces": ["./function"]

or ./*:

root@a8ac21a6d13a:/app2# cat package-lock.json 
{
  "name": "app2",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "app2",
      "version": "1.0.0",
      "license": "ISC",
      "workspaces": [
        "./*"
      ]
    },
    "function": {
      "version": "1.0.0",
      "license": "ISC"
    },
    "node_modules/function": {
      "resolved": "function",
      "link": true
    }
  }
}

[gobardhan]

I tried with your package.json and I am able to reproduce it Indeed.
It might be due to the different node version, I am using v18.15.0.
I have attached a screenshot for the same.

[DmitriyLewen]

Can you post your test directory structure?
Does the directory contain a subproject?

[gobardhan]

Test project doesn't contain any subproject, You can check at here as well: https://github.com/gobardhan/test

[DmitriyLewen]

This looks like a bug in npm
npm creates link without package.

anyway I created #6858 to fix the out of memory error.