
BUG: osv-scanner panic: runtime error: index out of range [0] with length 0 #4171

Closed
Zxilly opened this issue Jun 13, 2024 · 8 comments
Labels
kind/bug Something isn't working

Comments

@Zxilly
Contributor

Zxilly commented Jun 13, 2024

Describe the bug

osv-scanner panics on https://scorecard.dev/viewer/?uri=github.com/Zxilly/go-size-analyzer, but I can't reproduce it while running it locally with osv-scanner -r .

Reproduction steps

Failed to reproduce.

Expected behavior

Process correctly.

@Zxilly Zxilly added the kind/bug Something isn't working label Jun 13, 2024
@Zxilly Zxilly changed the title BUG BUG: osv-scanner panic: runtime error: index out of range [0] with length 0 Jun 13, 2024
@spencerschrock
Contributor

I also can't reproduce it locally with Scorecard

go run main.go --repo Zxilly/go-size-analyzer --checks Vulnerabilities

I've seen this panic before in our weekly cron infrastructure, but I've never been able to reproduce it locally.
The panic is in osv-scanner, but likely in an error handling pathway when it receives some error or empty response from osv.dev, as it's not easily triggered.

@Zxilly
Contributor Author

Zxilly commented Jun 13, 2024

So I created a PR to print the stack info when we hit the error. Please review it at #4172

@AdamKorcz
Contributor

Can this be closed given that #4172 has been merged?

@Zxilly
Contributor Author

Zxilly commented Jul 1, 2024

@AdamKorcz It only helps identify the real bug; it did not resolve it.
In fact I'm waiting for a new release to apply this to my real production environment. I can't reproduce it locally, but it always happens in GitHub Actions.

@spencerschrock
Contributor

> In fact I'm waiting for a new release to apply this to my real production environment. I can't reproduce it locally, but it always happens in GitHub Actions.

I had assumed this was a different panic, and was occurring in the cron. But looking again at your Scorecard Action, I see now what it is.

The latest scorecard action currently is v2.3.3 which uses v5.0.0-rc2 of scorecard. If you use that tag locally to analyze the repo you can reproduce it. Cherry picking #4172 shows the stack trace.

osv-scanner is struggling to parse your pnpm lockfile. This was fixed in osv-scanner v1.7.3, which is why we're not seeing it at scorecard HEAD. This will be picked up at the next scorecard action release.

Trace:
runtime/debug.Stack()
        ~/sdk/go1.22.4/src/runtime/debug/stack.go:24 +0x5e
github.com/ossf/scorecard/v5/clients.osvClient.ListUnfixedVulnerabilities.func1()
        ~/go/src/github.com/spencerschrock/scorecard.git/clients/osv.go:44 +0xb9
panic({0x1633ce0?, 0xc0009255d8?})
        ~/sdk/go1.22.4/src/runtime/panic.go:770 +0x132
github.com/google/osv-scanner/pkg/lockfile.extractPnpmPackageNameAndVersion({0xc0003df3c8?, 0x14?})
        ~/go/pkg/mod/github.com/google/osv-scanner@v1.7.2/pkg/lockfile/parse-pnpm-lock.go:81 +0x26f
github.com/google/osv-scanner/pkg/lockfile.parsePnpmLock({0xc0007341d0?, 0xc000665c20?})
        ~/go/pkg/mod/github.com/google/osv-scanner@v1.7.2/pkg/lockfile/parse-pnpm-lock.go:127 +0x13b
github.com/google/osv-scanner/pkg/lockfile.PnpmLockExtractor.Extract({}, {0x7f756830d940, 0xc000490400})
        ~/go/pkg/mod/github.com/google/osv-scanner@v1.7.2/pkg/lockfile/parse-pnpm-lock.go:194 +0x25b
github.com/google/osv-scanner/pkg/lockfile.ExtractDeps({0x7f756830d940, 0xc000490400}, {0x0, 0x0})
        ~/go/pkg/mod/github.com/google/osv-scanner@v1.7.2/pkg/lockfile/extract.go:61 +0x24a
github.com/google/osv-scanner/pkg/osvscanner.scanLockfile({0x1975790, 0xc000680bc7}, {0xc000635b90, 0x25}, {0x0, 0x0})
        ~/go/pkg/mod/github.com/google/osv-scanner@v1.7.2/pkg/osvscanner/osvscanner.go:362 +0x7fa
github.com/google/osv-scanner/pkg/osvscanner.scanDir.func1({0xc000635b90?, 0x1?}, {0x196de30, 0xc000494f00}, {0x0?, 0x0?})
        ~/go/pkg/mod/github.com/google/osv-scanner@v1.7.2/pkg/osvscanner/osvscanner.go:163 +0x745
path/filepath.walkDir({0xc000635b90, 0x25}, {0x196de30, 0xc000494f00}, 0xc000734a38)
        ~/sdk/go1.22.4/src/path/filepath/path.go:443 +0x50
path/filepath.walkDir({0xc000142be8, 0x16}, {0x196de30, 0xc0000cc200}, 0xc000734a38)
        ~/sdk/go1.22.4/src/path/filepath/path.go:465 +0x285
path/filepath.walkDir({0xc0003dec60, 0x13}, {0x196e060, 0xc0006ec3d0}, 0xc000734a38)
        ~/sdk/go1.22.4/src/path/filepath/path.go:465 +0x285
path/filepath.WalkDir({0xc0003dec60, 0x13}, 0xc00005ea38)
        ~/sdk/go1.22.4/src/path/filepath/path.go:533 +0x7b
github.com/google/osv-scanner/pkg/osvscanner.scanDir({0x1975790?, 0xc000680bc7?}, {0xc0003dec60?, 0x13?}, 0x1?, 0x1?, 0x1?, 0x0?)
        ~/go/pkg/mod/github.com/google/osv-scanner@v1.7.2/pkg/osvscanner/osvscanner.go:121 +0x212
github.com/google/osv-scanner/pkg/osvscanner.DoScan({{0x0, 0x0, 0x0}, {0x0, 0x0, 0x0}, {0xc0006ec010, 0x1, 0x1}, {0xc0006ec030, ...}, ...}, ...)
        ~/go/pkg/mod/github.com/google/osv-scanner@v1.7.2/pkg/osvscanner/osvscanner.go:789 +0xe3f
github.com/ossf/scorecard/v5/clients.osvClient.ListUnfixedVulnerabilities({0x2c?}, {0xc69443257995636e?, 0xc73a87ef7c377b2c?}, {0xc00044e420, 0x28}, {0xc0003dec60?, 0x13?})
        ~/go/src/github.com/spencerschrock/scorecard.git/clients/osv.go:55 +0x29f
github.com/ossf/scorecard/v5/checks/raw.Vulnerabilities(0xc0004b4cf0)
        ~/go/src/github.com/spencerschrock/scorecard.git/checks/raw/vulnerabilities.go:36 +0x14a
github.com/ossf/scorecard/v5/checks.Vulnerabilities(0xc0004b4cf0)
        ~/go/src/github.com/spencerschrock/scorecard.git/checks/vulnerabilities.go:43 +0x58
github.com/ossf/scorecard/v5/checker.(*Runner).Run(0xc000735f18, {0x196ddc0, 0x2563060}, {0x17f3e60?, {0xc000014410?, 0x0?, 0x0?}})
        ~/go/src/github.com/spencerschrock/scorecard.git/checker/check_runner.go:118 +0x8f1
github.com/ossf/scorecard/v5/pkg.runEnabledChecks.func1()
        ~/go/src/github.com/spencerschrock/scorecard.git/pkg/scorecard.go:61 +0x1b0
created by github.com/ossf/scorecard/v5/pkg.runEnabledChecks in goroutine 43
        ~/go/src/github.com/spencerschrock/scorecard.git/pkg/scorecard.go:53 +0x106

@Zxilly
Contributor Author

Zxilly commented Jul 6, 2024

@spencerschrock Is there a plan for the next release of ossf/scorecard-action?

@spencerschrock
Contributor

The original estimate was by the end of June but we missed it slightly. The PRs should be wrapping up in this repo in the next day or two, and v5 could be cut then, which would take another day or two for the next scorecard-action to be cut.

@spencerschrock
Contributor

https://github.com/ossf/scorecard-action/releases/tag/v2.4.0
