bug(report): Trivy panics when converting json report without Packages to table report with summary table #8622

@DmitriyLewen

Description

When Trivy converts a JSON report without Packages to a table report with a summary table, Trivy panics.

It works only if the report contains aggregated packages.

➜  8537 trivy -q rootfs ./package.json  -f json -o report.json
➜  8537 trivy convert report.json --table-mode summary --scanners vuln
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x58 pc=0x1038add24]

goroutine 1 [running]:
github.com/aquasecurity/trivy/pkg/report/table.splitAggregatedVulns({{0x1400158e677, 0x7}, {0x1400158e6b0, 0x9}, {0x1400158e6c0, 0x8}, {0x0, 0x0, 0x0}, {0x14001515380, ...}, ...})
	github.com/aquasecurity/trivy/pkg/report/table/summary.go:266 +0x274
github.com/aquasecurity/trivy/pkg/report/table.splitAggregatedPackages({0x140015400e0?, 0x1400158ce70?, 0x104e4ee01?})
	github.com/aquasecurity/trivy/pkg/report/table/summary.go:247 +0x288
github.com/aquasecurity/trivy/pkg/report/table.(*summaryRenderer).Render(_, {0x2, {0xb6d3390, 0xedf770900, 0x10ac9eb80}, {0x1400158e680, 0xc}, {0x1400158e690, 0xa}, {0x0, ...}, ...})
	github.com/aquasecurity/trivy/pkg/report/table/summary.go:174 +0x344
github.com/aquasecurity/trivy/pkg/report/table.(*Writer).Write(_, {_, _}, {0x2, {0xb6d3390, 0xedf770900, 0x10ac9eb80}, {0x1400158e680, 0xc}, {0x1400158e690, ...}, ...})
	github.com/aquasecurity/trivy/pkg/report/table/table.go:94 +0xd0
github.com/aquasecurity/trivy/pkg/report.Write({_, _}, {0x2, {0xb6d3390, 0xedf770900, 0x10ac9eb80}, {0x1400158e680, 0xc}, {0x1400158e690, 0xa}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/report/writer.go:105 +0x7bc
github.com/aquasecurity/trivy/pkg/commands/convert.Run({_, _}, {{{0x104cdc83d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0x1400117e510, ...}, ...}, ...})
	github.com/aquasecurity/trivy/pkg/commands/convert/run.go:56 +0x5c4
github.com/aquasecurity/trivy/pkg/commands.NewConvertCommand.func2(0x140005c3508, {0x140013a2f00, 0x1, 0x5})
	github.com/aquasecurity/trivy/pkg/commands/app.go:554 +0x17c
github.com/spf13/cobra.(*Command).execute(0x140005c3508, {0x140013a2eb0, 0x5, 0x5})
	github.com/spf13/[email protected]/command.go:1015 +0x828
github.com/spf13/cobra.(*Command).ExecuteC(0x1400123ac08)
	github.com/spf13/[email protected]/command.go:1148 +0x350
github.com/spf13/cobra.(*Command).Execute(0x104d3fb76?)
	github.com/spf13/[email protected]/command.go:1071 +0x1c
main.run()
	github.com/aquasecurity/trivy/cmd/trivy/main.go:45 +0x124
main.main()
	github.com/aquasecurity/trivy/cmd/trivy/main.go:19 +0x20

Although we recommend including packages in the JSON report for conversion, this is still a recommendation.
Therefore, Trivy should not panic in any case.

Discussed in #8537
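
A pre-flight check for the condition described above, as an added example that is not part of the original issue or Trivy's own code: it flags results in a JSON report that list vulnerabilities but carry no Packages, so a report can be checked before it is passed to `trivy convert --table-mode summary`. The helper name `resultsMissingPackages`, the sample report, and the choice to flag only results that have vulnerabilities are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// report keeps only the Trivy JSON report fields this check needs.
type report struct {
	Results []struct {
		Target          string
		Packages        []json.RawMessage
		Vulnerabilities []json.RawMessage
	}
}

// resultsMissingPackages (hypothetical helper, not a Trivy API) returns the
// targets of results that list vulnerabilities but carry no Packages.
func resultsMissingPackages(data []byte) ([]string, error) {
	var r report
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, fmt.Errorf("not a valid JSON report: %w", err)
	}
	var missing []string
	for _, res := range r.Results {
		if len(res.Vulnerabilities) > 0 && len(res.Packages) == 0 {
			missing = append(missing, res.Target)
		}
	}
	return missing, nil
}

// sampleReport is constructed for this example (placeholder IDs and names).
const sampleReport = `{"SchemaVersion": 2, "Results": [
  {"Target": "package.json", "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-a"}]},
  {"Target": "go.mod", "Packages": [{"Name": "example-b", "Version": "1.0.0"}],
   "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-b"}]}
]}`

func main() {
	missing, err := resultsMissingPackages([]byte(sampleReport))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("results without Packages:", missing)
}
```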

Labels: kind/bug (Categorizes issue or PR as related to a bug.)
