trivy: Error: runtime error: invalid memory address or nil pointer dereference on running trivy conf

Description

Running command trivy conf --severity HIGH,CRITICAL . causes nil pointer exception. I am running it against my repository:

What did you expect to happen?

Should not fail with exception and give the scanning results.

What happened instead?

Received Error: `WARNING: Failed to load module: missing module with source ‘terraform-aws-modules/s3-bucket/aws’ - try to ‘terraform init’ first WARNING: Failed to load module: missing module with source ‘terraform-aws-modules/vpc/aws’ - try to ‘terraform init’ first WARNING: Failed to load module: missing module with source ‘terraform-aws-modules/vpc/aws’ - try to ‘terraform init’ first WARNING: Failed to load module: missing module with source ‘terraform-aws-modules/s3-bucket/aws’ - try to ‘terraform init’ first WARNING: skipped general-secrets-sensitive-in-attribute due to error(s): value is null panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x19f142a]

goroutine 1 [running]: github.com/aquasecurity/tfsec/internal/app/tfsec/scanner.(*Scanner).scanModule(0xc004db0230, {0x2852b90, 0xc007aeb0c0}, {0xc0007a0000, 0xff, 0xc003351d00}) /home/runner/go/pkg/mod/github.com/aquasecurity/tfsec@v0.58.11/internal/app/tfsec/scanner/scanner.go:77 +0x36a github.com/aquasecurity/tfsec/internal/app/tfsec/scanner.(*Scanner).Scan(0xc00a4e9e30, {0xc00adb3c00, 0xe, 0xc00f86e000}) /home/runner/go/pkg/mod/github.com/aquasecurity/tfsec@v0.58.11/internal/app/tfsec/scanner/scanner.go:55 +0x2b9 github.com/aquasecurity/tfsec/pkg/externalscan.(*ExternalScanner).Scan(0xc00075c5a0) /home/runner/go/pkg/mod/github.com/aquasecurity/tfsec@v0.58.11/pkg/externalscan/external_scan.go:60 +0x2c5 github.com/aquasecurity/fanal/config/scanner.Scanner.scanTerraformByTFSec({{0x7ffeefbff964, 0x1}, {0xc0007548e0, 0x2, 0x2}, 0xc000a61a00, 0xc00075c5a0}, {0xc0012ac000, 0x188, 0x200}) /home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20211014152324-29fbacfbfca4/config/scanner/scanner.go:113 +0x136 github.com/aquasecurity/fanal/config/scanner.Scanner.ScanConfigs({{0x7ffeefbff964, 0x1}, {0xc0007548e0, 0x2, 0x2}, 0xc000a61a00, 0xc00075c5a0}, {0x28478d8, 0xc00004f620}, {0xc0010f8000, …}) /home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20211014152324-29fbacfbfca4/config/scanner/scanner.go:66 +0x26e github.com/aquasecurity/fanal/artifact/local.Artifact.Inspect({{0x7ffeefbff964, 0x1}, {0x3f9d178, 0xc000119050}, {{{0x0, 0x0, 0x0}, {0xc000a61ac0, 0x3, 0x4}}}, …}, …) /home/runner/go/pkg/mod/github.com/aquasecurity/fanal@v0.0.0-20211014152324-29fbacfbfca4/artifact/local/fs.go:94 +0x330 github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, }, {, }}, {, }, {{0x0, 0x0, 0x0}, {0xc000118f90, …}, …}) /home/runner/work/trivy/trivy/pkg/scanner/scan.go:96 +0xce github.com/aquasecurity/trivy/pkg/commands/artifact.scan({, }, {{0xc000756040, 0xc00030c5a8, {0x27f0090, 0x6}, 0x0, 0x0, {0xc0003171d0, 0x21}}, …}, …) /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:214 +0x87e github.com/aquasecurity/trivy/pkg/commands/artifact.runWithTimeout({, }, {{0xc000756040, 0xc00030c5a8, {0x27f0090, 0x6}, 0x0, 0x0, {0xc0003171d0, 0x21}}, …}, …) /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:69 +0x425 github.com/aquasecurity/trivy/pkg/commands/artifact.Run({, _}, {{0xc000756040, 0xc00030c5a8, {0x27f0090, 0x6}, 0x0, 0x0, {0xc0003171d0, 0x21}}, …}, …) /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:41 +0xc8 github.com/aquasecurity/trivy/pkg/commands/artifact.ConfigRun(0xc000756040) /home/runner/work/trivy/trivy/pkg/commands/artifact/config.go:29 +0x266 github.com/urfave/cli/v2.(*Command).Run(0xc0004b7d40, 0xc000661900) /home/runner/go/pkg/mod/github.com/urfave/cli/v2@v2.3.0/command.go:163 +0x64a github.com/urfave/cli/v2.(*App).RunContext(0xc000103d40, {0x28478a0, 0xc0000400b0}, {0xc00003a0a0, 0x5, 0x5}) /home/runner/go/pkg/mod/github.com/urfave/cli/v2@v2.3.0/app.go:313 +0x81e github.com/urfave/cli/v2.(*App).Run(…) /home/runner/go/pkg/mod/github.com/urfave/cli/v2@v2.3.0/app.go:224 main.main() /home/runner/work/trivy/trivy/cmd/trivy/main.go:16 +0x4f`

Output of run with -debug:

(paste your output here)

Output of trivy -v:

Version: 0.20.2
Vulnerability DB:
  Type: Full
  Version: 1
  UpdatedAt: 2021-11-03 18:07:05.68475629 +0000 UTC
  NextUpdate: 2021-11-04 00:07:05.68475599 +0000 UTC
  DownloadedAt: 2021-11-03 18:43:02.128159 +0000 UTC

Additional details (base image name, container registry info…):

Mac OS BigSur

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Comments: 16 (9 by maintainers)

Most upvoted comments

Thank you @afdesk . The scan succeeded after I updated trivy version to v0.21.1. I am closing the issue.

+2
pritamstyz4ever on Dec 2, 2021

With latest image, it got fixed. Thanks @afdesk for the pointers.

+1
thangamani-arun on Mar 24, 2022

I saw that your trivy uses fsec@v0.58.11. it’s an old version. could we try to update?

+1
afdesk on Dec 1, 2021

@afdesk please have a look at this issue.

+1
knqyf263 on Nov 11, 2021
Read more comments on GitHub
← trivy: Critical CVEs for Python-Pillow Not Detected
trivy: failed to download vulnerability DB in trivy 0.32.0+ →