goroutine stack exceeds 1000000000-byte limit - trivy sbom 0.39.0 #3993

Closed
johanngyger opened this issue Apr 5, 2023 · 20 comments · Fixed by #3998
Labels: kind/bug (Categorizes issue or PR as related to a bug.)

Comments

@johanngyger

Description

trivy sbom leads to stack overflow

runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0x1402220e390 stack=[0x1402220e000, 0x1404220e000]
fatal error: stack overflow

What did you expect to happen?

No stack overflow

What happened instead?

Trivy crashed with a stack overflow

Output of run with -debug:

2023-04-05T14:33:52.406+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-05T14:33:52.420+0200	DEBUG	cache dir:  /Users/*****/Library/Caches/trivy
2023-04-05T14:33:52.420+0200	DEBUG	DB update was skipped because the local DB was downloaded during the last hour
2023-04-05T14:33:52.420+0200	DEBUG	DB Schema: 2, UpdatedAt: 2023-04-05 06:07:22.15150724 +0000 UTC, NextUpdate: 2023-04-05 12:07:22.15150684 +0000 UTC, DownloadedAt: 2023-04-05 12:16:36.060075 +0000 UTC
2023-04-05T14:33:52.420+0200	INFO	Vulnerability scanning is enabled
2023-04-05T14:33:52.420+0200	DEBUG	Vulnerability type:  [os library]
2023-04-05T14:33:52.425+0200	INFO	Detected SBOM format: cyclonedx-json
2023-04-05T14:33:52.430+0200	DEBUG	Unmarshaling CycloneDX JSON...
runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0x140222e4390 stack=[0x140222e4000, 0x140422e4000]
fatal error: stack overflow

runtime stack:
runtime.throw({0x10a13bb75?, 0x10facc800?})
	runtime/panic.go:1047 +0x40 fp=0x17233ed50 sp=0x17233ed20 pc=0x104b973e0
runtime.newstack()
	runtime/stack.go:1105 +0x460 fp=0x17233ef00 sp=0x17233ed50 pc=0x104bb0da0
runtime.morestack()
	runtime/asm_arm64.s:316 +0x70 fp=0x17233ef00 sp=0x17233ef00 pc=0x104bc9070

goroutine 1 [running]:
runtime.writeHeapBits.write({0x1400ef93400?, 0x0?, 0x28?, 0x28?}, 0x1feaeaaad5?, 0x25?)
	runtime/mbitmap.go:791 +0x138 fp=0x140222e4390 sp=0x140222e4390 pc=0x104b73528
runtime.heapBitsSetType(0x1400ef93540, 0x140, 0x128, 0x10c58cee0)
	runtime/mbitmap.go:1026 +0xd4 fp=0x140222e4450 sp=0x140222e4390 pc=0x104b738d4
runtime.mallocgc(0x128, 0x10c58cee0, 0x1)
	runtime/malloc.go:1074 +0x58c fp=0x140222e44c0 sp=0x140222e4450 pc=0x104b6b32c
runtime.growslice(0x0, 0x14000e5ccc0?, 0x140017a25c0?, 0x38?, 0x10c58cee0)
	runtime/slice.go:274 +0x400 fp=0x140222e4520 sp=0x140222e44c0 pc=0x104baef70
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:218 +0x1b0 fp=0x140222e4830 sp=0x140222e4520 pc=0x108c32860
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e4b40 sp=0x140222e4830 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e4e50 sp=0x140222e4b40 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e5160 sp=0x140222e4e50 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e5470 sp=0x140222e5160 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e5780 sp=0x140222e5470 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e5a90 sp=0x140222e5780 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e5da0 sp=0x140222e5a90 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e60b0 sp=0x140222e5da0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e63c0 sp=0x140222e60b0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e66d0 sp=0x140222e63c0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e69e0 sp=0x140222e66d0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e6cf0 sp=0x140222e69e0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e7000 sp=0x140222e6cf0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e7310 sp=0x140222e7000 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e7620 sp=0x140222e7310 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e7930 sp=0x140222e7620 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e7c40 sp=0x140222e7930 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e7f50 sp=0x140222e7c40 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e8260 sp=0x140222e7f50 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e8570 sp=0x140222e8260 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e8880 sp=0x140222e8570 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e8b90 sp=0x140222e8880 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e8ea0 sp=0x140222e8b90 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e91b0 sp=0x140222e8ea0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e94c0 sp=0x140222e91b0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e97d0 sp=0x140222e94c0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e9ae0 sp=0x140222e97d0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222e9df0 sp=0x140222e9ae0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ea100 sp=0x140222e9df0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ea410 sp=0x140222ea100 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ea720 sp=0x140222ea410 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222eaa30 sp=0x140222ea720 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ead40 sp=0x140222eaa30 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222eb050 sp=0x140222ead40 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222eb360 sp=0x140222eb050 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222eb670 sp=0x140222eb360 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222eb980 sp=0x140222eb670 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ebc90 sp=0x140222eb980 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ebfa0 sp=0x140222ebc90 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ec2b0 sp=0x140222ebfa0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ec5c0 sp=0x140222ec2b0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ec8d0 sp=0x140222ec5c0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ecbe0 sp=0x140222ec8d0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ecef0 sp=0x140222ecbe0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ed200 sp=0x140222ecef0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ed510 sp=0x140222ed200 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ed820 sp=0x140222ed510 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222edb30 sp=0x140222ed820 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ede40 sp=0x140222edb30 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ee150 sp=0x140222ede40 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ee460 sp=0x140222ee150 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ee770 sp=0x140222ee460 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222eea80 sp=0x140222ee770 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222eed90 sp=0x140222eea80 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ef0a0 sp=0x140222eed90 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ef3b0 sp=0x140222ef0a0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ef6c0 sp=0x140222ef3b0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222ef9d0 sp=0x140222ef6c0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222efce0 sp=0x140222ef9d0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222efff0 sp=0x140222efce0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f0300 sp=0x140222efff0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f0610 sp=0x140222f0300 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f0920 sp=0x140222f0610 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f0c30 sp=0x140222f0920 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f0f40 sp=0x140222f0c30 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f1250 sp=0x140222f0f40 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f1560 sp=0x140222f1250 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f1870 sp=0x140222f1560 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f1b80 sp=0x140222f1870 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f1e90 sp=0x140222f1b80 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f21a0 sp=0x140222f1e90 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f24b0 sp=0x140222f21a0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f27c0 sp=0x140222f24b0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f2ad0 sp=0x140222f27c0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f2de0 sp=0x140222f2ad0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f30f0 sp=0x140222f2de0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f3400 sp=0x140222f30f0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f3710 sp=0x140222f3400 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f3a20 sp=0x140222f3710 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f3d30 sp=0x140222f3a20 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f4040 sp=0x140222f3d30 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f4350 sp=0x140222f4040 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f4660 sp=0x140222f4350 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f4970 sp=0x140222f4660 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f4c80 sp=0x140222f4970 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f4f90 sp=0x140222f4c80 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f52a0 sp=0x140222f4f90 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f55b0 sp=0x140222f52a0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f58c0 sp=0x140222f55b0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f5bd0 sp=0x140222f58c0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f5ee0 sp=0x140222f5bd0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f61f0 sp=0x140222f5ee0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f6500 sp=0x140222f61f0 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x140017a25c0?, 0x14001795e50?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f6810 sp=0x140222f6500 pc=0x108c3293c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*CycloneDX).walkDependencies(0x14000eaccc0, {0x14001795e50?, 0x140017a25c0?})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/unmarshal.go:221 +0x28c fp=0x140222f6b20 sp=0x140222f6810 pc=0x108c3293c
...additional frames elided...

goroutine 2 [force gc (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x140000e8fa0 sp=0x140000e8f80 pc=0x104b9a050
runtime.goparkunlock(...)
	runtime/proc.go:387
runtime.forcegchelper()
	runtime/proc.go:305 +0xb0 fp=0x140000e8fd0 sp=0x140000e8fa0 pc=0x104b99ea0
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x140000e8fd0 sp=0x140000e8fd0 pc=0x104bcb534
created by runtime.init.6
	runtime/proc.go:293 +0x24

goroutine 18 [GC sweep wait]:
runtime.gopark(0x1?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x140000e4760 sp=0x140000e4740 pc=0x104b9a050
runtime.goparkunlock(...)
	runtime/proc.go:387
runtime.bgsweep(0x0?)
	runtime/mgcsweep.go:319 +0x100 fp=0x140000e47b0 sp=0x140000e4760 pc=0x104b83a20
runtime.gcenable.func1()
	runtime/mgc.go:178 +0x28 fp=0x140000e47d0 sp=0x140000e47b0 pc=0x104b78918
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x140000e47d0 sp=0x140000e47d0 pc=0x104bcb534
created by runtime.gcenable
	runtime/mgc.go:178 +0x6c

goroutine 19 [GC scavenge wait]:
runtime.gopark(0x31cd06?, 0x6553f100?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x140000e4f50 sp=0x140000e4f30 pc=0x104b9a050
runtime.goparkunlock(...)
	runtime/proc.go:387
runtime.(*scavengerState).park(0x10fdadfa0)
	runtime/mgcscavenge.go:400 +0x5c fp=0x140000e4f80 sp=0x140000e4f50 pc=0x104b8181c
runtime.bgscavenge(0x0?)
	runtime/mgcscavenge.go:633 +0xa8 fp=0x140000e4fb0 sp=0x140000e4f80 pc=0x104b81df8
runtime.gcenable.func2()
	runtime/mgc.go:179 +0x28 fp=0x140000e4fd0 sp=0x140000e4fb0 pc=0x104b788b8
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x140000e4fd0 sp=0x140000e4fd0 pc=0x104bcb534
created by runtime.gcenable
	runtime/mgc.go:179 +0xac

goroutine 20 [finalizer wait]:
runtime.gopark(0x1a0?, 0x10fdc39e0?, 0x80?, 0x26?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x140000e8580 sp=0x140000e8560 pc=0x104b9a050
runtime.runfinq()
	runtime/mfinal.go:193 +0x100 fp=0x140000e87d0 sp=0x140000e8580 pc=0x104b779e0
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x140000e87d0 sp=0x140000e87d0 pc=0x104bcb534
created by runtime.createfing
	runtime/mfinal.go:163 +0x80

goroutine 21 [GC worker (idle)]:
runtime.gopark(0x10fe08020?, 0x3?, 0xfc?, 0x34?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x140000e5740 sp=0x140000e5720 pc=0x104b9a050
runtime.gcBgMarkWorker()
	runtime/mgc.go:1275 +0xe4 fp=0x140000e57d0 sp=0x140000e5740 pc=0x104b7a6f4
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x140000e57d0 sp=0x140000e57d0 pc=0x104bcb534
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1199 +0x28

goroutine 34 [GC worker (idle)]:
runtime.gopark(0x9fe7b4dac01?, 0x3?, 0xe2?, 0x4?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x14000514740 sp=0x14000514720 pc=0x104b9a050
runtime.gcBgMarkWorker()
	runtime/mgc.go:1275 +0xe4 fp=0x140005147d0 sp=0x14000514740 pc=0x104b7a6f4
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x140005147d0 sp=0x140005147d0 pc=0x104bcb534
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1199 +0x28

goroutine 22 [GC worker (idle)]:
runtime.gopark(0x9fe7b4daa61?, 0x1?, 0x92?, 0x76?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x140000e5f40 sp=0x140000e5f20 pc=0x104b9a050
runtime.gcBgMarkWorker()
	runtime/mgc.go:1275 +0xe4 fp=0x140000e5fd0 sp=0x140000e5f40 pc=0x104b7a6f4
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x140000e5fd0 sp=0x140000e5fd0 pc=0x104bcb534
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1199 +0x28

goroutine 3 [GC worker (idle)]:
runtime.gopark(0x9fe7b4e6a46?, 0x3?, 0x79?, 0x26?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x140000e9740 sp=0x140000e9720 pc=0x104b9a050
runtime.gcBgMarkWorker()
	runtime/mgc.go:1275 +0xe4 fp=0x140000e97d0 sp=0x140000e9740 pc=0x104b7a6f4
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x140000e97d0 sp=0x140000e97d0 pc=0x104bcb534
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1199 +0x28

goroutine 35 [GC worker (idle)]:
runtime.gopark(0x9fe7b4e723f?, 0x3?, 0x4a?, 0x4e?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x14000514f40 sp=0x14000514f20 pc=0x104b9a050
runtime.gcBgMarkWorker()
	runtime/mgc.go:1275 +0xe4 fp=0x14000514fd0 sp=0x14000514f40 pc=0x104b7a6f4
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x14000514fd0 sp=0x14000514fd0 pc=0x104bcb534
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1199 +0x28

goroutine 4 [GC worker (idle)]:
runtime.gopark(0x10fe08020?, 0x1?, 0x8a?, 0xe3?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x140000e9f40 sp=0x140000e9f20 pc=0x104b9a050
runtime.gcBgMarkWorker()
	runtime/mgc.go:1275 +0xe4 fp=0x140000e9fd0 sp=0x140000e9f40 pc=0x104b7a6f4
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x140000e9fd0 sp=0x140000e9fd0 pc=0x104bcb534
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1199 +0x28

goroutine 5 [GC worker (idle)]:
runtime.gopark(0x9fe7b4da52b?, 0x3?, 0x3e?, 0x50?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x140000ea740 sp=0x140000ea720 pc=0x104b9a050
runtime.gcBgMarkWorker()
	runtime/mgc.go:1275 +0xe4 fp=0x140000ea7d0 sp=0x140000ea740 pc=0x104b7a6f4
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x140000ea7d0 sp=0x140000ea7d0 pc=0x104bcb534
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1199 +0x28

goroutine 6 [GC worker (idle)]:
runtime.gopark(0x9fe7b4dab07?, 0x3?, 0xd8?, 0x52?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x140000eaf40 sp=0x140000eaf20 pc=0x104b9a050
runtime.gcBgMarkWorker()
	runtime/mgc.go:1275 +0xe4 fp=0x140000eafd0 sp=0x140000eaf40 pc=0x104b7a6f4
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x140000eafd0 sp=0x140000eafd0 pc=0x104bcb534
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1199 +0x28

goroutine 7 [GC worker (idle)]:
runtime.gopark(0x9fe7b4e8a2c?, 0x1?, 0xd0?, 0x76?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x140000eb740 sp=0x140000eb720 pc=0x104b9a050
runtime.gcBgMarkWorker()
	runtime/mgc.go:1275 +0xe4 fp=0x140000eb7d0 sp=0x140000eb740 pc=0x104b7a6f4
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x140000eb7d0 sp=0x140000eb7d0 pc=0x104bcb534
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1199 +0x28

goroutine 36 [GC worker (idle)]:
runtime.gopark(0x9fe7b4dabae?, 0x3?, 0x0?, 0xee?, 0x0?)
	runtime/proc.go:381 +0xe0 fp=0x14000515740 sp=0x14000515720 pc=0x104b9a050
runtime.gcBgMarkWorker()
	runtime/mgc.go:1275 +0xe4 fp=0x140005157d0 sp=0x14000515740 pc=0x104b7a6f4
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x140005157d0 sp=0x140005157d0 pc=0x104bcb534
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1199 +0x28

goroutine 10 [select]:
runtime.gopark(0x14000515f78?, 0x3?, 0x50?, 0x87?, 0x14000515f62?)
	runtime/proc.go:381 +0xe0 fp=0x14000515e10 sp=0x14000515df0 pc=0x104b9a050
runtime.selectgo(0x14000515f78, 0x14000515f5c, 0x14000265200?, 0x0, 0x0?, 0x1)
	runtime/select.go:327 +0x68c fp=0x14000515f20 sp=0x14000515e10 pc=0x104ba9f3c
go.opencensus.io/stats/view.(*worker).start(0x14000265200)
	go.opencensus.io@v0.24.0/stats/view/worker.go:292 +0x88 fp=0x14000515fb0 sp=0x14000515f20 pc=0x1083a2428
go.opencensus.io/stats/view.init.0.func1()
	go.opencensus.io@v0.24.0/stats/view/worker.go:34 +0x28 fp=0x14000515fd0 sp=0x14000515fb0 pc=0x1083a1628
runtime.goexit()
	runtime/asm_arm64.s:1172 +0x4 fp=0x14000515fd0 sp=0x14000515fd0 pc=0x104bcb534
created by go.opencensus.io/stats/view.init.0
	go.opencensus.io@v0.24.0/stats/view/worker.go:34 +0xa0

Output of trivy -v:

Version: 0.39.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-04-05 06:07:22.15150724 +0000 UTC
  NextUpdate: 2023-04-05 12:07:22.15150684 +0000 UTC
  DownloadedAt: 2023-04-05 12:16:36.060075 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-03-16 00:51:40.514195197 +0000 UTC
  NextUpdate: 2023-03-19 00:51:40.514194697 +0000 UTC
  DownloadedAt: 2023-03-16 06:52:57.01602 +0000 UTC

Additional details (base image name, container registry info...):

Various SBOMs are affected. They have been generated with trivy image --format cyclonedx.

@DmitriyLewen
Contributor

Hello @johanngyger
Thanks for your report!

I created #3998 to fix this problem (I wrote in the description why this happens).
After this PR is merged, we will include the changes in the next release.

Regards, Dmitriy.

@DmitriyLewen DmitriyLewen self-assigned this Apr 6, 2023
@candrews
Contributor

candrews commented Apr 7, 2023

This issue is not a regression in Trivy 0.39.0. I can reproduce it at least back to Trivy 0.36.0.

@knqyf263 knqyf263 added this to the v0.40.0 milestone Apr 9, 2023
@knqyf263 knqyf263 removed this from the v0.40.0 milestone Apr 9, 2023
@knqyf263
Collaborator

knqyf263 commented Apr 9, 2023

v0.39.1 includes this fix.

@KateFiroozi

I am still experiencing this issue: aquasecurity/trivy-operator#1938

@DmitriyLewen
Contributor

Hello @KateFiroozi

We updated the SBOM logic in version 0.50.0.

Can you try using this version?

Regards, Dmitriy

@KateFiroozi

Is it available in trivy-operator helm chart? https://artifacthub.io/packages/helm/trivy-operator/trivy-operator
I don't see SBOM parameters to adjust in the values file there, only enable/disable.

Trivy-operator:

APPLICATION VERSION
0.19.1

CHART VERSIONS
0.21.1
(20 Mar, 2024)

@KateFiroozi

I have also scan-vuln jobs that fail due to:
FATAL filter error: filtering error: unable to filter vulnerabilities: failed to apply the policy: unable to prepare for eval: 1 error occurred: trivy.rego:0: rego_parse_error: empty module

@DmitriyLewen
Contributor

No, can you use the `aquasec/trivy:0.50.0` image?

@KateFiroozi

I need these updates available in the trivy-operator image then

@nikpivkin
Contributor

> I have also scan-vuln jobs that fail due to: FATAL filter error: filtering error: unable to filter vulnerabilities: failed to apply the policy: unable to prepare for eval: 1 error occurred: trivy.rego:0: rego_parse_error: empty module

This error may appear if the Rego file for filtering results is empty.

@KateFiroozi

> > I have also scan-vuln jobs that fail due to: FATAL filter error: filtering error: unable to filter vulnerabilities: failed to apply the policy: unable to prepare for eval: 1 error occurred: trivy.rego:0: rego_parse_error: empty module
>
> This error may appear if the Rego file for filtering results is empty.

I have an identical values file/configuration for 3 pretty similar clusters in their workload clusters. I have an ignore list for a few CVEs and some policies. This has worked before in all 3 and still works just fine in the 2 other clusters (if I understand your comment correctly).

```yaml
  ignoreFile:
    - CVE-2019-8457
    - CVE-2023-45853
    - CVE-2023-23914
    - CVE-2024-24806 #PBI 155344 Keycloak
    - CVE-2024-1597 #PBI 156187 Keycloak

  # -- ignorePolicy can be used to tell Trivy to ignore vulnerabilities by a policy
  # If multiple policies would match, then the most specific one has precedence over the others.
  # See https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#by-open-policy-agent for more details.
  #
  # ignorePolicy.application.my-app-.: |
  #   # applies to all workloads in namespace "application" with the name pattern "my-app-*"
  # ignorePolicy.kube-system: |
  #   # applies to all workloads in namespace "kube-system"
  # ignorePolicy: |
  #   # applies to all other workloads
  ignorePolicy.kube-system.azure-.: |

  ignorePolicy.kube-system.csi-.: |

  ignorePolicy.kube-system.microsoft-.: |
```

@DmitriyLewen
Contributor

> rego_parse_error: empty module

You can see this error if your rego file is empty:

➜ cat trivy.rego 
➜ trivy -q image --ignore-policy ./trivy.rego alpine
2024-03-27T11:23:25.484+0600	FATAL	filter error: filtering error: unable to filter vulnerabilities: failed to apply the policy: unable to prepare for eval: 1 error occurred: trivy.rego:0: rego_parse_error: empty module

@KateFiroozi

KateFiroozi commented Mar 27, 2024

But how do I solve this issue then?
I see that trivy-operator-policies-config configMap on all 3 clusters has 0 data, but it fails only at one.
I also use default values for trivyOperator except some tolerations

@DmitriyLewen
Contributor

This is due to the trivy-operator setting. Can you create a new discussion for this case?

@snoskov-amzn

snoskov-amzn commented Mar 27, 2024

Hi folks. I've tried 0.50 recently and bumped into a similar issue when collecting an SBOM from a root fs directory.

Command line

/scanner/trivy rootfs --output /results/sbom.cdx --format cyclonedx --no-progress --offline-scan --list-all-pkgs /mnt/rootfs
2024-03-27T15:55:20.201Z        DEBUG      Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-03-27T15:55:20.201Z        DEBUG      Ignore statuses {"statuses": null}
2024-03-27T15:55:20.201Z        INFO       "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-03-27T15:55:20.203Z        DEBUG      cache dir:  /root/.cache/trivy
2024-03-27T15:55:20.203Z        DEBUG      Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-03-27T15:55:20.203Z        DEBUG      The nuget packages directory couldn't be found. License search disabled
2024-03-27T15:55:20.203Z        DEBUG      Walk the file tree rooted at '/mnt/p2' in parallel
2024-03-27T15:55:20.203Z        DEBUG      Skipping directory: proc
2024-03-27T15:55:20.203Z        DEBUG      Skipping directory: dev
2024-03-27T15:55:20.203Z        DEBUG      Skipping directory: sys
2024-03-27T15:55:20.205Z        DEBUG      Analysis error: centos: invalid centos-release
2024-03-27T15:55:20.492Z        DEBUG      OS is not detected.
runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0xc023ebe768 stack=[0xc023ebe000, 0xc043ebe000]
fatal error: stack overflow

runtime stack:
runtime.throw({0x7f45a58?, 0x42e1b8?})
        /opt/hostedtoolcache/go/1.21.6/x64/src/runtime/panic.go:1077 +0x5c fp=0xc0005a1e18 sp=0xc0005a1de8 pc=0x43bd7c
runtime.newstack()
        /opt/hostedtoolcache/go/1.21.6/x64/src/runtime/stack.go:1107 +0x5ac fp=0xc0005a1fc8 sp=0xc0005a1e18 pc=0x45574c
traceback: unexpected SPWRITE function runtime.morestack
runtime.morestack()
        /opt/hostedtoolcache/go/1.21.6/x64/src/runtime/asm_amd64.s:593 +0x8f fp=0xc0005a1fd0 sp=0xc0005a1fc8 pc=0x46d02f

goroutine 1 [running]:
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0xc0032ac8d0?, 0xc001d204e0, 0xc043eb9108?, 0xc043eb90d8?, 0xc043eb90a8?)
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/core/cyclonedx.go:84 +0xbc5 fp=0xc023ebe778 sp=0xc023ebe770 pc=0x661ea65
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0x738b960?, 0xc001d20410, 0xc01dab4a80?, 0x24?, 0x0?)
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/core/cyclonedx.go:142 +0x8ac fp=0xc023ebec68 sp=0xc023ebe778 pc=0x661e74c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0x738b960?, 0xc001d20340, 0xc01dab4a50?, 0x24?, 0x0?)
<... cut similar lines ....>
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/core/cyclonedx.go:142 +0x8ac fp=0xc043eb8b68 sp=0xc043eb8678 pc=0x661e74c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).MarshalComponent(0xc0032ac8d0?, 0xc00181bd40, 0xc001072620?, 0x0?, 0x0?)
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/core/cyclonedx.go:142 +0x8ac fp=0xc043eb9058 sp=0xc043eb8b68 pc=0x661e74c
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core.(*CycloneDX).Marshal(0x2?, {0x958de40, 0xc001072620}, 0xcb94700?)
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/core/cyclonedx.go:72 +0x2cd fp=0xc043eb93b8 sp=0xc043eb9058 pc=0x661dd4d
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*Marshaler).Marshal(_, {_, _}, {0x2, {0xc1792e3a1d57c7f8, 0x309eed3a, 0xcb94700}, {0x7ffdbc44ef43, 0x7}, {0x7f11c3b, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/marshal.go:69 +0xf4 fp=0xc043eb96a8 sp=0xc043eb93b8 pc=0x6625974
github.com/aquasecurity/trivy/pkg/report/cyclonedx.Writer.Write({{_, _}, _, _}, {_, _}, {0x2, {0xc1792e3a1d57c7f8, 0x309eed3a, 0xcb94700}, ...})
        /home/runner/work/trivy/trivy/pkg/report/cyclonedx/cyclonedx.go:31 +0xa5 fp=0xc043eb99d8 sp=0xc043eb96a8 pc=0x66c90a5
github.com/aquasecurity/trivy/pkg/report/cyclonedx.(*Writer).Write(_, {_, _}, {0x2, {0xc1792e3a1d57c7f8, 0x309eed3a, 0xcb94700}, {0x7ffdbc44ef43, 0x7}, {0x7f11c3b, ...}, ...})
        <autogenerated>:1 +0x91 fp=0xc043eb9ce0 sp=0xc043eb99d8 pc=0x66c9371
github.com/aquasecurity/trivy/pkg/report.Write({_, _}, {0x2, {0xc1792e3a1d57c7f8, 0x309eed3a, 0xcb94700}, {0x7ffdbc44ef43, 0x7}, {0x7f11c3b, 0xa}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/report/writer.go:100 +0x9c6 fp=0xc043eba7d8 sp=0xc043eb9ce0 pc=0x66d10c6
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).Report(_, {_, _}, {{{0x7f119d9, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:284 +0x92 fp=0xc043ebb198 sp=0xc043eba7d8 pc=0x69d7552
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x7f119d9, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0xc001ca2420, ...}, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:454 +0xf2e fp=0xc043ebce18 sp=0xc043ebb198 pc=0x69d93ae
github.com/aquasecurity/trivy/pkg/commands.NewRootfsCommand.func2(0xc000d74300, {0xc003442990, 0x1, 0x9})
        /home/runner/work/trivy/trivy/pkg/commands/app.go:427 +0x19c fp=0xc043ebdbf0 sp=0xc043ebce18 pc=0x6a8717c
github.com/spf13/cobra.(*Command).execute(0xc000d74300, {0xc003442900, 0x9, 0x9})
        /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:983 +0xabc fp=0xc043ebdd90 sp=0xc043ebdbf0 pc=0x5ff23c
github.com/spf13/cobra.(*Command).ExecuteC(0xc00004fb00)
        /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1115 +0x3ff fp=0xc043ebde68 sp=0xc043ebdd90 pc=0x5ffaff
github.com/spf13/cobra.(*Command).Execute(0x7f799ae?)
        /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1039 +0x13 fp=0xc043ebde80 sp=0xc043ebde68 pc=0x5ff653
main.run()
        /home/runner/work/trivy/trivy/cmd/trivy/main.go:35 +0x198 fp=0xc043ebdf20 sp=0xc043ebde80 pc=0x6c52c78
main.main()
        /home/runner/work/trivy/trivy/cmd/trivy/main.go:17 +0x13 fp=0xc043ebdf40 sp=0xc043ebdf20 pc=0x6c52ab3
runtime.main()
        /opt/hostedtoolcache/go/1.21.6/x64/src/runtime/proc.go:267 +0x2bb fp=0xc043ebdfe0 sp=0xc043ebdf40 pc=0x43e75b
runtime.goexit()
        /opt/hostedtoolcache/go/1.21.6/x64/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc043ebdfe8 sp=0xc043ebdfe0 pc=0x46ed41

goroutine 2 [force gc (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
        /opt/hostedtoolcache/go/1.21.6/x64/src/runtime/proc.go:398 +0xce fp=0xc0000e2fa8 sp=0xc0000e2f88 pc=0x43ebce
runtime.goparkunlock(...)
        /opt/hostedtoolcache/go/1.21.6/x64/src/runtime/proc.go:404
runtime.forcegchelper()
        /opt/hostedtoolcache/go/1.21.6/x64/src/runtime/proc.go:322 +0xb3 fp=0xc0000e2fe0 sp=0xc0000e2fa8 pc=0x43ea33
runtime.goexit()
        /opt/hostedtoolcache/go/1.21.6/x64/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc0000e2fe8 sp=0xc0000e2fe0 pc=0x46ed41
created by runtime.init.6 in goroutine 1
        /opt/hostedtoolcache/go/1.21.6/x64/src/runtime/proc.go:310 +0x1a

<... cut similar goroutine stack traces ...>

goroutine 7 [select]:
runtime.gopark(0xc000175788?, 0x3?, 0xe8?, 0x61?, 0xc000175772?)
        /opt/hostedtoolcache/go/1.21.6/x64/src/runtime/proc.go:398 +0xce fp=0xc000175618 sp=0xc0001755f8 pc=0x43ebce
runtime.selectgo(0xc000175788, 0xc00017576c, 0xc0002f0500?, 0x0, 0x0?, 0x1)
        /opt/hostedtoolcache/go/1.21.6/x64/src/runtime/select.go:327 +0x725 fp=0xc000175738 sp=0xc000175618 pc=0x44e7c5
go.opencensus.io/stats/view.(*worker).start(0xc0002f0500)
        /home/runner/go/pkg/mod/go.opencensus.io@v0.24.0/stats/view/worker.go:292 +0x9f fp=0xc0001757c8 sp=0xc000175738 pc=0x4efe8df
go.opencensus.io/stats/view.init.0.func1()
        /home/runner/go/pkg/mod/go.opencensus.io@v0.24.0/stats/view/worker.go:34 +0x25 fp=0xc0001757e0 sp=0xc0001757c8 pc=0x4efdc05
runtime.goexit()
        /opt/hostedtoolcache/go/1.21.6/x64/src/runtime/asm_amd64.s:1650 +0x1 fp=0xc0001757e8 sp=0xc0001757e0 pc=0x46ed41
created by go.opencensus.io/stats/view.init.0 in goroutine 1
        /home/runner/go/pkg/mod/go.opencensus.io@v0.24.0/stats/view/worker.go:34 +0x8d

@DmitriyLewen
Contributor

Hello @snoskov-amzn
Do you see this error when scanning only this sbom file (I mean trivy sbom path/to/sbom)?

@snoskov-amzn

SBOM is not created (i.e. created with zero size) in that case, because trivy panics, so I can't scan this one. But I didn't see panics with other SBOMs.

@DmitriyLewen
Contributor

I need to see the wrong SBOM file to fix this panic.

> Hi folks. I've tried 0.50 recently and bumped into a similar issue when collecting an SBOM from a root fs directory.

I checked your log:
/home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/core/cyclonedx.go:142

We have removed the trivy/pkg/sbom/cyclonedx/core directory. So this is version 0.49.1 or earlier.

@snoskov-amzn

I've checked it with the latest version - 0.50.1 and I don't see stack overflows now. Thank you and sorry for the confusion!
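
A triage check for an SBOM that crashes a recursive consumer, added here as an example (it is not Trivy's code and not the fix from #3998). It assumes, without confirmation from this thread, that the unbounded recursion is driven by a cycle in the CycloneDX `dependencies` graph, and it reports one such cycle without recursing; `FindCycle` and `sampleBOM` are names made up for this example.

```go
package main
import "encoding/json"
import "fmt"

// sampleBOM is constructed for this example: a depends on b, b on c, c on a.
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","dependencies":[
{"ref":"a","dependsOn":["b"]},{"ref":"b","dependsOn":["c"]},{"ref":"c","dependsOn":["a"]}]}`

// FindCycle returns one dependency cycle as bom-refs (first == last), or nil if none exists.
func FindCycle(doc []byte) ([]string, error) {
	var b struct {
		Dependencies []struct {
			Ref       string   `json:"ref"`
			DependsOn []string `json:"dependsOn"`
		} `json:"dependencies"`
	}
	if err := json.Unmarshal(doc, &b); err != nil {
		return nil, fmt.Errorf("parse CycloneDX JSON: %w", err)
	}
	edges := map[string][]string{}
	for _, d := range b.Dependencies {
		edges[d.Ref] = append(edges[d.Ref], d.DependsOn...)
	}
	const unvisited, onPath, done = 0, 1, 2
	state, next, pos := map[string]int{}, map[string]int{}, map[string]int{}
	for _, d := range b.Dependencies { // slice order keeps the result deterministic
		if state[d.Ref] != unvisited {
			continue
		}
		path := []string{d.Ref} // root sits at index 0, the zero value of pos
		state[d.Ref] = onPath
		for len(path) > 0 { // path is a heap slice: depth cannot exhaust the goroutine stack
			top := path[len(path)-1]
			if next[top] == len(edges[top]) { // every edge followed: leave the path
				state[top], path = done, path[:len(path)-1]
				continue
			}
			child := edges[top][next[top]]
			next[top]++
			switch state[child] {
			case onPath: // back edge: child is an ancestor on the current path
				return append(append([]string{}, path[pos[child]:]...), child), nil
			case unvisited:
				state[child], pos[child] = onPath, len(path)
				path = append(path, child)
			}
		}
	}
	return nil, nil
}

func main() {
	fmt.Println(FindCycle([]byte(sampleBOM)))
}
```

A non-nil result names the bom-refs to look at first when reducing an SBOM to a minimal reproducer for the maintainers.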

@KateFiroozi

> This is due to the trivy-operator setting. Can you create a new discussion for this case?

I have created the following: aquasecurity/trivy-operator#1984
