
panic while resolving maven properties in archive parser #4288

@noahbailey


Our pipeline started crashing with SIGSEGV (a Go nil pointer dereference panic, see the log below) when we upgraded to 0.101.0. Rolling back fixed this.
This environment uses self-hosted Bitbucket runners, all on X64 Intel boxes.

Command line:

```
docker run -v $BITBUCKET_CLONE_DIR:/src anchore/grype:${GRYPE_VERSION} /src -o json --exclude **/node_modules > TestResults/vulnerabilities.json
```

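Error log (the receiver printed as the first argument of `(*Resolver).resolveProperty` and `(*Resolver).resolveExpression` is `0x0`, so the panic appears to come from a nil `*Resolver` reached through the Java archive parser):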

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x1e85afb]
goroutine 2449 [running]:
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveProperty(0x0, {0x36e52b0, 0xc000aef980}, {0xc000ca2bd0, 0x1, 0x1}, {0xc0090007e6, 0x13}, {0x0, 0x0, ...})
	/home/runner/go/pkg/mod/github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:146 +0x45b
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveExpression.func1({0xc0090007e4, 0x16})
	/home/runner/go/pkg/mod/github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:109 +0x22b
regexp.(*Regexp).ReplaceAllStringFunc.func1({0xc0068e8ed0, 0x14, 0x18}, {0xc009040380?, 0x1?, 0x0?})
	/opt/hostedtoolcache/go/1.24.7/x64/src/regexp/regexp.go:598 +0x85
regexp.(*Regexp).replaceAll(0xc0003e8b40, {0x0, 0x0, 0x0}, {0xc0090007d0, 0x41}, 0x2, 0xc00903ef40)
	/opt/hostedtoolcache/go/1.24.7/x64/src/regexp/regexp.go:636 +0x3e3
regexp.(*Regexp).ReplaceAllStringFunc(0xc000468f00?, {0xc0090007d0?, 0x1?}, 0xc0068eb620?)
	/opt/hostedtoolcache/go/1.24.7/x64/src/regexp/regexp.go:597 +0x4b
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveExpression(0x0, {0x36e52b0, 0xc000aef980}, {0xc000ca2bd0, 0x1, 0x1}, {0xc0090007d0, 0x41}, {0x0, 0x0, ...})
	/home/runner/go/pkg/mod/github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:106 +0x21b
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolvePropertyValue(0x0?, {0x36e52b0?, 0xc000aef980?}, 0xc006891940, {0x0?, 0x1?, 0xc000aef980?}, {0xc000ca2bd0, 0x1, 0x1})
	/home/runner/go/pkg/mod/github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:93 +0x75
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).ResolveProperty(...)
	/home/runner/go/pkg/mod/github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:83
github.com/anchore/syft/syft/pkg/cataloger/java.newPomProject({0x36e52b0, 0xc000aef980}, 0x0, {0xc009000640, 0x48}, 0xc001f68c30)
	/home/runner/go/pkg/mod/github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/parse_pom_xml.go:214 +0x198
github.com/anchore/syft/syft/pkg/cataloger/java.(*archiveParser).discoverMainPackage(0xc0068d4200, {0x36e52b0, 0xc000aef980})
	/home/runner/go/pkg/mod/github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/archive_parser.go:266 +0x531
github.com/anchore/syft/syft/pkg/cataloger/java.(*archiveParser).parse(0xc0068d4200, {0x36e52b0, 0xc000aef980}, 0x0)
	/home/runner/go/pkg/mod/github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/archive_parser.go:140 +0x45
github.com/anchore/syft/syft/pkg/cataloger/java.genericArchiveParserAdapter.processJavaArchive({{{0x1, 0x0}, 0x0, 0x0, {0xc000a8c9e0, 0xf}, {0x2eeef4d, 0x1e}, 0x0, 0x0}}, ...)
	/home/runner/go/pkg/mod/github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/archive_parser.go:88 +0x1a8
github.com/anchore/syft/syft/pkg/cataloger/java.genericArchiveParserAdapter.parseJavaArchive(...)
	/home/runner/go/pkg/mod/github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/archive_parser.go:77
github.com/anchore/syft/syft/pkg/cataloger/generic.invokeParser({0x36e52b0, 0xc000aef980}, {0x36f4698, 0xc000ad1a70}, {{{{0xc000aa6b44, 0x42}, {0x0, 0x0}}, {0xc000aa6b44, 0x42}, ...}, ...}, ...)
	/home/runner/go/pkg/mod/github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/generic/cataloger.go:217 +0x3fe
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog.func1({{{{{...}, {...}}, {0xc000aa6b44, 0x42}, {0xf8c, {...}}}, {0xc000958ae0}}, 0xc000aae100})
	/home/runner/go/pkg/mod/github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/generic/cataloger.go:186 +0x208
github.com/anchore/go-sync.Collect[...].func1()
	/home/runner/go/pkg/mod/github.com/anchore/go-sync@v0.0.0-20250714163430-add63db73ad1/collector.go:36 +0xfa
github.com/anchore/go-sync.(*errGroupExecutor).Go.func1()
	/home/runner/go/pkg/mod/github.com/anchore/go-sync@v0.0.0-20250714163430-add63db73ad1/executor_errgroup.go:37 +0x83
golang.org/x/sync/errgroup.(*Group).Go.func1()
	/home/runner/go/pkg/mod/golang.org/x/sync@v0.17.0/errgroup/errgroup.go:93 +0x50
created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 180
	/home/runner/go/pkg/mod/golang.org/x/sync@v0.17.0/errgroup/errgroup.go:78 +0x93

Happy to provide more info if needed.
Cheers

Labels

bug: Something isn't working

Status

Done
