Trivy version 0.44 panics with assignment to entry in nil map for npm repository

[fbufler]

Description

I've tried to check one of my internal npm repositories with trivy.
When using version 0.44 trivy panics.
Instead using version 0.43.1 does not mirror this behaviour.
When I switch to a go repository this behaviour does also not occure on 0.44!

Desired Behavior

Scanning my internal repository does work with the newest trivy version available and does not panic.

Actual Behavior

When using version 0.44 I receive the following error:

panic: assignment to entry in nil map

goroutine 1 [running]:
github.com/aquasecurity/go-dep-parser/pkg/nodejs/npm.resolveLinks(0xb?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/nodejs/npm/parse.go:200 +0x260
github.com/aquasecurity/go-dep-parser/pkg/nodejs/npm.(*Parser).parseV2(0x40030dc000?, 0x40035fc090)
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/nodejs/npm/parse.go:85 +0x98
github.com/aquasecurity/go-dep-parser/pkg/nodejs/npm.(*Parser).Parse(0x11?, {0x7b36e70?, 0x40005fe0f0})
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/nodejs/npm/parse.go:73 +0x190
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language.Parse({0x65e5d9f, 0x3}, {0x4003634210, 0x11}, {0x7b36e70?, 0x40005fe0f0?}, {0x7a97ca0?, 0xadcb7b8?})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/analyze.go:48 +0x50
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm.npmLibraryAnalyzer.parseNpmPkgLock({{0x7a97ca0?, 0xadcb7b8?}, 0xadcb7b8?}, {0x7a97f20?, 0x400363c690?}, {0x4003634210, 0x11})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/npm/npm.go:121 +0x1bc
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm.npmLibraryAnalyzer.PostAnalyze.func2({0x4003634210, 0x11}, {0x40005fe0b0?, 0x4000d845d0?}, {0x57e2560?, 0x400363c120?})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/npm/npm.go:60 +0x118
github.com/aquasecurity/trivy/pkg/utils/fsutils.WalkDir.func1({0x4003634210, 0x11}, {0x7b3b850, 0x40013f05a0}, {0x0?, 0x0?})
        /home/runner/work/trivy/trivy/pkg/utils/fsutils/fs.go:111 +0x21c
io/fs.walkDir({0x7a97f20, 0x400363c690}, {0x4003634210, 0x11}, {0x7b3b850, 0x40013f05a0}, 0x400212c3c0)
        /opt/hostedtoolcache/go/1.19.11/x64/src/io/fs/walk.go:65 +0x5c
io/fs.walkDir({0x7a97f20, 0x400363c690}, {0x65e3c5b, 0x1}, {0x7b3d8e8, 0x4000d840a0}, 0x400212c3c0)
        /opt/hostedtoolcache/go/1.19.11/x64/src/io/fs/walk.go:87 +0x268
io/fs.WalkDir({0x7a97f20, 0x400363c690}, {0x65e3c5b, 0x1}, 0x400212c3c0)
        /opt/hostedtoolcache/go/1.19.11/x64/src/io/fs/walk.go:114 +0xc4
github.com/aquasecurity/trivy/pkg/utils/fsutils.WalkDir({0x7a97f20?, 0x400363c690?}, {0x65e3c5b?, 0x1?}, 0x40035fd680?, 0x400212c400?)
        /home/runner/work/trivy/trivy/pkg/utils/fsutils/fs.go:93 +0x54
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm.npmLibraryAnalyzer.PostAnalyze({{0x7a97ca0?, 0xadcb7b8?}, 0xadcb7b8?}, {0x588a020?, 0x400212c4d8?}, {{0x7a97f20?, 0x400363c690?}, {0x3?, 0x0?}})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/npm/npm.go:52 +0x9c
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({{0x4000dc8100, 0x10, 0x10}, {0x40035f9280, 0x6, 0x8}, 0x40035fce10}, {0x7b3a858, 0x4000ba7da0}, 0x4003608230, ...)
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:488 +0x168
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x400036a300, 0x20}, {0xffff80a91988, 0x4001604710}, {{{0x0, 0x0, 0x0}, {0x400363a200, 0x3, 0x4}, ...}, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:171 +0x45c
github.com/aquasecurity/trivy/pkg/fanal/artifact/repo.Artifact.Inspect({{_, _}, {_, _}}, {_, _})
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/repo/git.go:50 +0x88
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0x4001604800, 0x1, 0x1}, {0x40014f8ce0, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:145 +0xa0
github.com/aquasecurity/trivy/pkg/commands/artifact.scan({_, _}, {{{0x661cec7, 0xa}, 0x0, 0x1, 0x0, 0x0, 0x45d964b800, {0x4000a3b5a0, ...}, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:684 +0x2d4
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x661cec7, 0xa}, 0x0, 0x1, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266 +0x98
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanRepository(_, {_, _}, {{{0x661cec7, 0xa}, 0x0, 0x1, 0x0, 0x0, 0x45d964b800, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:233 +0x22c
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x661cec7, 0xa}, 0x0, 0x1, 0x0, 0x0, 0x45d964b800, {0x4000a3b5a0, ...}, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:437 +0x5f0
github.com/aquasecurity/trivy/pkg/commands.NewRepositoryCommand.func2(0x4000246600, {0x4000ba79e0, 0x1, 0x6})
        /home/runner/work/trivy/trivy/pkg/commands/app.go:476 +0x19c
github.com/spf13/cobra.(*Command).execute(0x4000246600, {0x4000ba7980, 0x6, 0x6})
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:940 +0x5e0
github.com/spf13/cobra.(*Command).ExecuteC(0x40001ecc00)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x368
github.com/spf13/cobra.(*Command).Execute(...)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
main.run()
        /home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x17c
main.main()
        /home/runner/work/trivy/trivy/cmd/trivy/main.go:21 +0x1c

Reproduction Steps

1. configure trivy with a npm repository
2. run trivy
3. receive a panic

Target

Git Repository

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

Same output as without debug!

panic: assignment to entry in nil map

goroutine 1 [running]:
github.com/aquasecurity/go-dep-parser/pkg/nodejs/npm.resolveLinks(0xb?)
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/nodejs/npm/parse.go:200 +0x260
github.com/aquasecurity/go-dep-parser/pkg/nodejs/npm.(*Parser).parseV2(0x40027ae000?, 0x40006a2180)
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/nodejs/npm/parse.go:85 +0x98
github.com/aquasecurity/go-dep-parser/pkg/nodejs/npm.(*Parser).Parse(0x11?, {0x7b36e70?, 0x400060e148})
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/nodejs/npm/parse.go:73 +0x190
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language.Parse({0x65e5d9f, 0x3}, {0x40037d8288, 0x11}, {0x7b36e70?, 0x400060e148?}, {0x7a97ca0?, 0xadcb7b8?})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/analyze.go:48 +0x50
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm.npmLibraryAnalyzer.parseNpmPkgLock({{0x7a97ca0?, 0xadcb7b8?}, 0xadcb7b8?}, {0x7a97f20?, 0x40037dab88?}, {0x40037d8288, 0x11})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/npm/npm.go:121 +0x1bc
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm.npmLibraryAnalyzer.PostAnalyze.func2({0x40037d8288, 0x11}, {0x400060e128?, 0x40007c8ff0?}, {0x57e2560?, 0x40037da180?})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/npm/npm.go:60 +0x118
github.com/aquasecurity/trivy/pkg/utils/fsutils.WalkDir.func1({0x40037d8288, 0x11}, {0x7b3b850, 0x40006ec500}, {0x0?, 0x0?})
        /home/runner/work/trivy/trivy/pkg/utils/fsutils/fs.go:111 +0x21c
io/fs.walkDir({0x7a97f20, 0x40037dab88}, {0x40037d8288, 0x11}, {0x7b3b850, 0x40006ec500}, 0x4001e9a3c0)
        /opt/hostedtoolcache/go/1.19.11/x64/src/io/fs/walk.go:65 +0x5c
io/fs.walkDir({0x7a97f20, 0x40037dab88}, {0x65e3c5b, 0x1}, {0x7b3d8e8, 0x40007c80c0}, 0x4001e9a3c0)
        /opt/hostedtoolcache/go/1.19.11/x64/src/io/fs/walk.go:87 +0x268
io/fs.WalkDir({0x7a97f20, 0x40037dab88}, {0x65e3c5b, 0x1}, 0x4001e9a3c0)
        /opt/hostedtoolcache/go/1.19.11/x64/src/io/fs/walk.go:114 +0xc4
github.com/aquasecurity/trivy/pkg/utils/fsutils.WalkDir({0x7a97f20?, 0x40037dab88?}, {0x65e3c5b?, 0x1?}, 0x40037dd040?, 0x4001e9a498?)
        /home/runner/work/trivy/trivy/pkg/utils/fsutils/fs.go:93 +0x54
github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm.npmLibraryAnalyzer.PostAnalyze({{0x7a97ca0?, 0xadcb7b8?}, 0xadcb7b8?}, {0x588a020?, 0x4001e9a4d8?}, {{0x7a97f20?, 0x40037dab88?}, {0x3?, 0x0?}})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/language/nodejs/npm/npm.go:52 +0x9c
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({{0x40006ca100, 0x10, 0x10}, {0x400379d100, 0x6, 0x8}, 0x40037a4a50}, {0x7b3a858, 0x4000fe01e0}, 0x40037a8280, ...)
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:488 +0x168
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x400036f820, 0x20}, {0xffff9709b078, 0x4001272660}, {{{0x0, 0x0, 0x0}, {0x40037de080, 0x3, 0x4}, ...}, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:171 +0x45c
github.com/aquasecurity/trivy/pkg/fanal/artifact/repo.Artifact.Inspect({{_, _}, {_, _}}, {_, _})
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/repo/git.go:50 +0x88
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0x4001272780, 0x1, 0x1}, {0x4001178cc0, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:145 +0xa0
github.com/aquasecurity/trivy/pkg/commands/artifact.scan({_, _}, {{{0x661cec7, 0xa}, 0x0, 0x1, 0x1, 0x0, 0x45d964b800, {0x4000923e80, ...}, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:684 +0x2d4
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x661cec7, 0xa}, 0x0, 0x1, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266 +0x98
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanRepository(_, {_, _}, {{{0x661cec7, 0xa}, 0x0, 0x1, 0x1, 0x0, 0x45d964b800, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:233 +0x22c
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x661cec7, 0xa}, 0x0, 0x1, 0x1, 0x0, 0x45d964b800, {0x4000923e80, ...}, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:437 +0x5f0
github.com/aquasecurity/trivy/pkg/commands.NewRepositoryCommand.func2(0x40001ea600, {0x4000edce00, 0x1, 0x7})
        /home/runner/work/trivy/trivy/pkg/commands/app.go:476 +0x19c
github.com/spf13/cobra.(*Command).execute(0x40001ea600, {0x4000edcd90, 0x7, 0x7})
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:940 +0x5e0
github.com/spf13/cobra.(*Command).ExecuteC(0x40002d0c00)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x368
github.com/spf13/cobra.(*Command).Execute(...)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
main.run()
        /home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x17c
main.main()
        /home/runner/work/trivy/trivy/cmd/trivy/main.go:21 +0x1c

Operating System

macOS Ventura & Debuan

Version

0.44.0

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @fbufler
Thanks for your report!

I will investigation this problem and write to you.

[DmitriyLewen]

Created #4923