Invalid memory address or nil pointer dereference

[nikpivkin]

Discussed in #7351

^{Originally posted by smeckert August 19, 2024}

Question

Description

I hope the issue didn't exist yet, because at least I couldn't find it. I use trivy for scanning Terraform files locally and in a CICD pipeline for Terraform. I use the following versions:

local => trivy 0.53.0
CICD => trivy 0.54.0

The pipeline is built with AWS Code* tools. According to this, trivy runs in a CodeBuild project. I built my own container image for the pipeline based on Alpine and Amazon Linux 2 (just for testing). Here is the content, almost everything irrelevant is removed.

Alpine:

FROM --platform=linux/arm64 public.ecr.aws/docker/library/alpine:3.20.1

# -- Define build arguments for the versions

ARG TERRAFORM_VERSION=1.9.0
ARG TRIVY_VERSION=0.54.0
ARG USER=automation

# -- Update the package list and install the specified packages

RUN apk update && \
    apk upgrade && \
    apk add --no-cache \
    bash \
    unzip \
    wget \
    git \
    curl \
    jq \
    python3 \
    py3-pip \
    py3-boto3 \
    aws-cli \
    sudo \
    && rm -rf /var/cache/apk/*

RUN adduser -D $USER \
        && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
        && chmod 0440 /etc/sudoers.d/$USER

USER $USER
WORKDIR /home/$USER

RUN unzip -v && \
    wget --version && \
    git --version && \
    curl --version && \
    jq --version && \
    python3 --version && \
    pip3 --version && \
    aws --version

RUN wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_arm64.zip && \
    unzip terraform_${TERRAFORM_VERSION}_linux_arm64.zip && \
    sudo mv terraform /usr/local/bin/ && \
    touch .terraformrc && \
    rm terraform_${TERRAFORM_VERSION}_linux_arm64.zip

RUN wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz && \
    tar zxvf trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz && \
    sudo mv trivy /usr/local/bin/ && \
    rm trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz

As already mentioned, trivy runs in a container (AWS CodeBuild Project) and here is the content of the buildspec.yaml.

version: 0.2

run-as: automation

env:
  shell: bash

phases:
  install:
    on-failure: ABORT
    commands:
      - echo "Set ENV variables..."
      - export TF_TRIVY_REPORT=${CODEBUILD_SRC_DIR}/trivy_report.json
      - export TRIVY_CACHE_DIR=${CODEBUILD_SRC_DIR}/trivy_cache
      - export TRIVY_MODULE_DIR=${CODEBUILD_SRC_DIR}/trivy_modules
    finally:
      - echo "ENV variables set"
      - echo $TF_TRIVY_REPORT
      - echo $TRIVY_CACHE_DIR
      - echo $TRIVY_MODULE_DIR
  build:
    on-failure: ABORT
    commands:
      - cd terraform/
      - trivy config . --debug

Desired Behavior

If I build an image locally and run it locally, then create a main.tf with content inside the container and use trviy for a scan, then it works without problems (applies to the Alpine and Amazon Linux version of the image). If I use the same image in a CodeBuild project, then I get an error. At first I thought it had something to do with the sizing of the container in terms of CPU/memory, but changes did not help.

Actual Behavior

This is the error I get with all the images I have tested so far.

[Container] 2024/08/16 13:55:36.070225 Running command trivy config . --debug
2024-08-16T13:55:36Z    DEBUG   Cache dir   dir="/codebuild/output/src58333712/src/trivy_cache"
2024-08-16T13:55:36Z    DEBUG   Parsed severities   severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-16T13:55:36Z    INFO    [misconfig] Misconfiguration scanning is enabled
2024-08-16T13:55:36Z    DEBUG   Failed to open the check metadata   err="open /codebuild/output/src58333712/src/trivy_cache/policy/metadata.json: no such file or directory"
2024-08-16T13:55:36Z    INFO    Need to update the built-in policies
2024-08-16T13:55:36Z    INFO    Downloading the built-in policies...
2024-08-16T13:55:36Z    DEBUG   Loading check bundle    repository="ghcr.io/aquasecurity/trivy-checks:0"
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T13:55:37Z    DEBUG   Digest of the built-in policies digest="sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3"
2024-08-16T13:55:37Z    DEBUG   [misconfig] Policies successfully loaded from disk
2024-08-16T13:55:37Z    DEBUG   Enabling misconfiguration scanners  scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-08-16T13:55:37Z    DEBUG   Initializing scan cache...  type="memory"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x2a29e64]
goroutine 1 [running]:
github.com/aquasecurity/trivy/pkg/utils/fsutils.DirExists({0x40015c7500?, 0x4?})
    /home/runner/work/trivy/trivy/pkg/utils/fsutils/fs.go:62 +0x54
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/nuget.newNuspecParser()
    /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/dotnet/nuget/nuspec.go:42 +0x94
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/nuget.newNugetLibraryAnalyzer({{0x0, 0x0}, 0x0, {0x75b3d00, 0x0, 0x0}, {0x4002a03c08, 0x5f, 0x6f}, {0x1, ...}, ...})
    /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go:50 +0x1c
github.com/aquasecurity/trivy/pkg/fanal/analyzer.NewAnalyzerGroup({{0x0, 0x0}, 0x0, {0x75b3d00, 0x0, 0x0}, {0x4002a03c08, 0x5f, 0x6f}, {0x1, ...}, ...})
    /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:359 +0x568
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.NewArtifact({_, _}, {_, _}, {_, _}, {{0x0, 0x0}, {0x4002a03c08, 0x5f, ...}, ...})
    /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:56 +0x17c
github.com/aquasecurity/trivy/pkg/commands/artifact.initializeFilesystemScanner({_, _}, {_, _}, {{_, _}, {_, _}, {_, _}, ...}, ...)
    /home/runner/work/trivy/trivy/pkg/commands/artifact/wire_gen.go:106 +0x24c
github.com/aquasecurity/trivy/pkg/commands/artifact.filesystemStandaloneScanner({_, _}, {{0xffffe1d335a2, 0x1}, {{0x3c78ce4, 0x6}, {0x4000074010, 0x2d}, {0x0, 0x0}, ...}, ...})
    /home/runner/work/trivy/trivy/pkg/commands/artifact/scanner.go:56 +0x80
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan(_, {_, _}, {{{0x3c95846, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:636 +0x1d4
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x3c95846, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:259 +0x94
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x3c95846, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:204 +0xa4
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x3c95846, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:184 +0x1b0
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x3c95846, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0x4000074010, ...}, ...}, ...}, ...)
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:369 +0x40c
github.com/aquasecurity/trivy/pkg/commands.NewConfigCommand.func2(0x4000345b08, {0x40026100e0, 0x1, 0x2})
    /home/runner/work/trivy/trivy/pkg/commands/app.go:717 +0x278
github.com/spf13/cobra.(*Command).execute(0x4000345b08, {0x40026100c0, 0x2, 0x2})
    /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:985 +0x840
github.com/spf13/cobra.(*Command).ExecuteC(0x4000aeb508)
    /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1117 +0x344
github.com/spf13/cobra.(*Command).Execute(0x3cea271?)
    /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1041 +0x1c
main.run()
    /home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x124
main.main()
    /home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x20

[Container] 2024/08/16 13:55:37.044256 Command did not exit successfully trivy config . --debug exit status 2
[Container] 2024/08/16 13:55:37.048419 Phase complete: BUILD State: FAILED_WITH_ABORT
[Container] 2024/08/16 13:55:37.048435 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: trivy config . --debug. Reason: exit status 2

Question

I can't get into the CodeBuild container in AWS and check what is failing there. The --debug logs are certainly helpful, but I can't tell exactly where the error is coming from. Does anyone have an idea?

Target

Filesystem

Scanner

Misconfiguration

Output Format

JSON

Mode

None

Operating System

No response

Version

local => trivy 0.53.0
CICD => trivy 0.54.0