k8s: scan returning panic: runtime error: invalid memory address or nil pointer dereference #2174

Closed
josedonizetti opened this issue May 24, 2022 · 4 comments · Fixed by #2175
Labels
kind/bug Categorizes issue or PR as related to a bug. target/kubernetes Issues relating to kubernetes cluster scanning

Comments

@josedonizetti
Contributor

$ trivy k8s -n default --report all

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x240850d]

goroutine 1 [running]:
sync.(*Once).Do(...)
	/snap/go/9760/src/sync/once.go:57
github.com/aquasecurity/trivy/pkg/report.TableWriter.setVulnerabilityRows({{0xc0011c09c0, 0x5, 0x8}, {0x454da00, 0xc000010018}, 0x0, 0x0, 0x0}, 0xc00490f3c8, {0xc002e722c0, ...})
	/home/josedonizetti/code/trivy/pkg/report/table.go:161 +0x1cd
github.com/aquasecurity/trivy/pkg/report.TableWriter.writeVulnerabilities({{0xc0011c09c0, 0x5, 0x8}, {0x454da00, 0xc000010018}, 0x0, 0x0, 0x0}, 0xc00490f3c8, {0xc002e722c0, ...})
	/home/josedonizetti/code/trivy/pkg/report/table.go:152 +0x1b8
github.com/aquasecurity/trivy/pkg/report.TableWriter.write({{0xc0011c09c0, 0x5, 0x8}, {0x454da00, 0xc000010018}, 0x0, 0x0, 0x0}, {{0x3db0cce, 0x7}, ...})
	/home/josedonizetti/code/trivy/pkg/report/table.go:79 +0x3fa
github.com/aquasecurity/trivy/pkg/report.TableWriter.Write(...)
	/home/josedonizetti/code/trivy/pkg/report/table.go:48
github.com/aquasecurity/trivy/pkg/k8s.TableWriter.Write({{0x7ffcd50a8005, 0x3}, {0x454da00, 0xc000010018}, {0xc0011c09c0, 0x5, 0x8}}, {0x0, {0xc0011827f8, 0x8}, ...})
	/home/josedonizetti/code/trivy/pkg/k8s/table.go:25 +0x905
github.com/aquasecurity/trivy/pkg/k8s.write({0x0, {0xc0011827f8, 0x8}, {0xc00042c900, 0x1, 0x1}, {0xc001178400, 0x3, 0x4}}, {{0x3da72ba, ...}, ...})
	/home/josedonizetti/code/trivy/pkg/k8s/report.go:139 +0x1f8
github.com/aquasecurity/trivy/pkg/k8s.run({_, _}, _, {{0xc0011d54c0, 0xc000010118, {0x3d9fc23, 0x3}, 0x0, 0x0, {0xc0011b4b60, ...}}, ...}, ...)
	/home/josedonizetti/code/trivy/pkg/k8s/run.go:98 +0x29f
github.com/aquasecurity/trivy/pkg/k8s.Run(0xc0011d54c0)
	/home/josedonizetti/code/trivy/pkg/k8s/run.go:89 +0x794
github.com/urfave/cli/v2.(*Command).Run(0xc0012079e0, 0xc0011d4a80)
	/home/josedonizetti/go/pkg/mod/github.com/urfave/cli/v2@v2.5.1/command.go:163 +0x5bb
github.com/urfave/cli/v2.(*App).RunContext(0xc000103380, {0x456aa80?, 0xc0000520a8}, {0xc00004e1e0, 0x6, 0x6})
	/home/josedonizetti/go/pkg/mod/github.com/urfave/cli/v2@v2.5.1/app.go:313 +0xb48
github.com/urfave/cli/v2.(*App).Run(...)
	/home/josedonizetti/go/pkg/mod/github.com/urfave/cli/v2@v2.5.1/app.go:224
main.main()
	/home/josedonizetti/code/trivy/cmd/trivy/main.go:16 +0x4f
exit status 2
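
Added example, not part of the original issue and not Trivy's code: the innermost frame in the trace is `sync.(*Once).Do` faulting at `addr=0x0`, which is the signature of calling `Do` through a nil `*sync.Once`. The `tableWriter` type and its `showOnce` field are hypothetical stand-ins; the sketch shows how a struct literal that bypasses its constructor produces this panic, next to a guard that turns it into an error.

```go
package main

import (
	"fmt"
	"sync"
)

// tableWriter is a hypothetical stand-in, not Trivy's report.TableWriter.
// Holding a *sync.Once (a pointer) means the zero value of the struct holds nil.
type tableWriter struct {
	showOnce *sync.Once
}

// newTableWriter is the constructor path that initializes the pointer.
func newTableWriter() tableWriter {
	return tableWriter{showOnce: &sync.Once{}}
}

// render runs a one-time step through the Once. With a nil pointer, Do
// reads its receiver's state at address 0 and the runtime panics.
func (tw tableWriter) render() (out string) {
	tw.showOnce.Do(func() { out = "header printed" })
	return out
}

// safeRender reports a missing Once as an error instead of crashing the scan.
func (tw tableWriter) safeRender() (string, error) {
	if tw.showOnce == nil {
		return "", fmt.Errorf("tableWriter built without constructor: showOnce is nil")
	}
	return tw.render(), nil
}

// tryRender converts the panic into an error so the failure can be inspected.
func tryRender(tw tableWriter) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	return tw.render(), nil
}

func main() {
	_, err := tryRender(tableWriter{}) // struct literal bypasses the constructor
	fmt.Println(err)
	out, _ := tryRender(newTableWriter())
	fmt.Println(out)
}
```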

@josedonizetti josedonizetti added kind/bug Categorizes issue or PR as related to a bug. k8s labels May 24, 2022
@josedonizetti josedonizetti self-assigned this May 24, 2022
@james-luther

Interestingly, I have this issue running a scan within GitHub as an action or even locally on a machine.

trivy config -f table --severity="HIGH,CRITICAL" /path/to/repo/dir

I know there is a MEDIUM vulnerability within this repository and if I don't specify severity or only specify MEDIUM there are no errors, both with the action and when running on a local machine.

If I run the command like:

trivy config -f table --severity="MEDIUM" /path/to/repo/dir
or
trivy config -f table /path/to/repo/dir

There is no problem.

@josedonizetti
Contributor Author

@b34rd-tek which trivy version are you using? I wasn't able to simulate this bug on latest trivy.

@james-luther

james-luther commented May 27, 2022

I'm using 0.27.1 on one local machine and 0.28.0 on another. I'm using v0.3.0 of the GitHub action which is using Trivy 0.27.1 also. The repository is all terraform files. The issue persists across all versions.

Edited to add:
It seems to be a specific file that is causing issues. Isolating the terraform file and running trivy against it alone causes the crash when specifying severity outside MEDIUM. When no severity or MEDIUM is the only severity selected the scan runs fine.

@knqyf263 knqyf263 added target/kubernetes Issues relating to kubernetes cluster scanning and removed k8s labels May 30, 2022
@josedonizetti
Contributor Author

@b34rd-tek Thank you for the sample file. I was able to emulate the error, and there was a PR merged today that fixes it -> #2188 :)
