Closed
Description
While running Scorecard at scale, I came across a pnpm lockfile which caused osv-scanner
to panic.
https://github.com/kne-union/react-form/blob/9dc3135f7d3d08ac7311871640590de4d1d223aa/example/pnpm-lock.yaml
The initial panic was found at commit 8aef177, but it can be reproduced at v1.2.0 as well:
osv-scanner --lockfile=./example/pnpm-lock.yaml
Which results in the panic of:
panic: runtime error: index out of range [0] with length 0
goroutine 1 [running]:
github.com/google/osv-scanner/pkg/lockfile.extractPnpmPackageNameAndVersion({0xc0009426f0?, 0x72fa3b?})
~/go/pkg/mod/github.com/google/osv-scanner@v1.2.0/pkg/lockfile/parse-pnpm-lock.go:46 +0x218
github.com/google/osv-scanner/pkg/lockfile.parsePnpmLock({0xc000280000?, 0xc0009fef90?})
~/go/pkg/mod/github.com/google/osv-scanner@v1.2.0/pkg/lockfile/parse-pnpm-lock.go:77 +0x158
github.com/google/osv-scanner/pkg/lockfile.ParsePnpmLock({0xc0001cb650, 0x30})
~/go/pkg/mod/github.com/google/osv-scanner@v1.2.0/pkg/lockfile/parse-pnpm-lock.go:133 +0x1b6
github.com/google/osv-scanner/pkg/lockfile.Parse({0xc0001cb650, 0x30}, {0xc00002ef20, 0x0})
~/go/pkg/mod/github.com/google/osv-scanner@v1.2.0/pkg/lockfile/parse.go:141 +0x29f
github.com/google/osv-scanner/pkg/osvscanner.scanLockfile(0xc0001d8a80, 0xc000012cf0, {0xc0001cb650, 0x30}, {0xc00002ef20, 0x0})
~/go/pkg/mod/github.com/google/osv-scanner@v1.2.0/pkg/osvscanner/osvscanner.go:191 +0x20d
github.com/google/osv-scanner/pkg/osvscanner.DoScan({{0xc0001cf950, 0x1, 0x1}, {0x0, 0x0, 0x0}, {0xf45650, 0x0, 0x0}, {0x0, ...}, ...}, ...)
~/go/pkg/mod/github.com/google/osv-scanner@v1.2.0/pkg/osvscanner/osvscanner.go:413 +0x2d1
main.run.func3(0xc0001d8500)
~/go/pkg/mod/github.com/google/osv-scanner@v1.2.0/cmd/osv-scanner/main.go:108 +0x45d
github.com/urfave/cli/v2.(*Command).Run(0xc000190840, 0xc0001d8500, {0xc000024040, 0x2, 0x2})
~/go/pkg/mod/github.com/urfave/cli/v2@v2.24.4/command.go:273 +0xa42
github.com/urfave/cli/v2.(*App).RunContext(0xc000234000, {0xb76e90?, 0xc0000260f0}, {0xc000024040, 0x2, 0x2})
~/go/pkg/mod/github.com/urfave/cli/v2@v2.24.4/app.go:332 +0x616
github.com/urfave/cli/v2.(*App).Run(...)
~/go/pkg/mod/github.com/urfave/cli/v2@v2.24.4/app.go:309
main.run({0xc000024040, 0x2, 0x2}, {0xb72d60?, 0xc000014018}, {0xb72d60?, 0xc000014020})
~/go/pkg/mod/github.com/google/osv-scanner@v1.2.0/cmd/osv-scanner/main.go:127 +0x99e
main.main()
~/go/pkg/mod/github.com/google/osv-scanner@v1.2.0/cmd/osv-scanner/main.go:153 +0x46
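The trace above ends in extractPnpmPackageNameAndVersion indexing into an empty slice. As an added example (not osv-scanner's own code, and not a reconstruction of its parser), here is a pnpm dependency-path parser that returns an error for keys it cannot interpret instead of panicking. It assumes the key shapes pnpm writes under "packages:" in lockfile v5 ("/name/version", "/@scope/name/version", optional "_peer@ver" suffix) and v6 ("/name@version", "/@scope/name@version", optional "(peer@ver)" suffix); keys without a leading slash (for example "file:" links or host-prefixed registry keys) are assumed to be out of scope and rejected. The exact key that triggered the panic is not known from the report, so the sample keys in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrMalformedDependencyPath is returned for keys that do not match the
// pnpm dependency-path shapes this parser knows about.
var ErrMalformedDependencyPath = errors.New("malformed pnpm dependency path")

// ParsePnpmDependencyPath extracts (name, version) from a key of the
// "packages:" map in pnpm-lock.yaml. It accepts lockfile v5 keys
// ("/name/version", "/@scope/name/version" with an optional "_peer@ver"
// suffix) and v6 keys ("/name@version", "/@scope/name@version" with an
// optional "(peer@ver)" suffix). Every other shape yields an error, so a
// surprising key can never turn into an out-of-range index.
func ParsePnpmDependencyPath(dp string) (name, version string, err error) {
	fail := func(why string) (string, string, error) {
		return "", "", fmt.Errorf("%w: %q: %s", ErrMalformedDependencyPath, dp, why)
	}
	if !strings.HasPrefix(dp, "/") {
		// Covers "", "file:..", "link:.." and host-prefixed keys (assumed out of scope).
		return fail("no leading slash")
	}
	rest := strings.TrimPrefix(dp, "/")
	// A v6 peer suffix such as "(@babel/core@7.20.12)" may itself contain "/",
	// so it must be cut off before splitting on "/".
	if i := strings.IndexByte(rest, '('); i >= 0 {
		rest = rest[:i]
	}
	parts := strings.Split(rest, "/")
	if parts[0] == "" {
		return fail("empty package name") // e.g. the bare key "/"
	}
	if strings.HasPrefix(parts[0], "@") {
		if len(parts) < 2 || parts[1] == "" {
			return fail("scoped package without a name segment")
		}
		name = parts[0] + "/" + parts[1]
		parts = parts[2:]
	} else {
		name = parts[0]
		parts = parts[1:]
	}
	if i := strings.LastIndexByte(name, '@'); i > 0 {
		// v6: the version is attached to the last name segment with "@".
		if len(parts) != 0 {
			return fail("unexpected segments after v6 version")
		}
		name, version = name[:i], name[i+1:]
	} else {
		// v5: the version is the next segment; a "_peer@ver" suffix may follow it.
		if len(parts) == 0 {
			return fail("missing version segment")
		}
		version = parts[0]
		if i := strings.IndexByte(version, '_'); i >= 0 {
			version = version[:i]
		}
		if len(parts) > 1 {
			return fail("unexpected segments after v5 version")
		}
	}
	if version == "" {
		return fail("empty version")
	}
	return name, version, nil
}

func main() {
	// Constructed sample keys; not taken from the lockfile in the report.
	keys := []string{
		"/react/18.2.0",
		"/@babel/core/7.20.12_@babel+core@7.20.12",
		"/@babel/core@7.20.12(@babel/core@7.20.12)",
		"/",
		"registry.npmmirror.com/react/18.2.0",
	}
	for _, k := range keys {
		name, version, err := ParsePnpmDependencyPath(k)
		if err != nil {
			fmt.Println("skipped:", err)
			continue
		}
		fmt.Printf("%-12s %s\n", name, version)
	}
}
```

The design point is that every slice index is guarded by a length check that turns into a returned error, so a scanner run over thousands of repositories skips one odd key (and can log it) rather than aborting the whole run.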