Panic in gosec 2.22.0 SSA builder #1292

Open
gmwiz opened this issue Jan 23, 2025 · 2 comments

gmwiz commented Jan 23, 2025

Summary

We started getting a panic on some of our routine gosec scans. I'm not certain as to what exactly triggers it, but it happens when scanning a large project.
I had to re-build the program with the generic panic handler removed to get this stack trace. It seems that somehow the "obj" parameter is nil (not a typed nil, but just a regular nil), causing a panic.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x65d9c7]

goroutine 1 [running]:
golang.org/x/tools/go/ssa.(*Program).packageLevelMember(...)
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/source.go:187
golang.org/x/tools/go/ssa.(*builder).expr0(0xc018942f00, 0xc03322b400, {0x1071620?, 0xc01c3a2ca0}, {0x0, {0x0, 0x0}, {0x0, 0x0}})
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:812 +0x567
golang.org/x/tools/go/ssa.(*builder).expr(0xc018942f00, 0xc03322b400, {0x1071620, 0xc01c3a2ca0})
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:633 +0x17b
golang.org/x/tools/go/ssa.(*builder).setCallFunc(0xc0335aa100?, 0x0?, 0x0?, 0xc0335aa140)
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:1058 +0x2b6
golang.org/x/tools/go/ssa.(*builder).setCall(0xc018942f00, 0xc03322b400, 0xc01fbe5b00, 0xc0335aa140)
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:1136 +0x2b
golang.org/x/tools/go/ssa.(*builder).expr0(0xc018942f00, 0xc03322b400, {0x10716e0?, 0xc01fbe5b00}, {0x0, {0x0, 0x0}, {0x0, 0x0}})
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:716 +0x290e
golang.org/x/tools/go/ssa.(*builder).expr(0xc018942f00, 0xc03322b400, {0x10716e0, 0xc01fbe5b00})
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:633 +0x17b
golang.org/x/tools/go/ssa.(*builder).stmt(0xc018942f00, 0xc03322b400, {0x1071b90?, 0xc01fbced60?})
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:2691 +0x3e5
golang.org/x/tools/go/ssa.(*builder).stmtList(...)
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:964
golang.org/x/tools/go/ssa.(*builder).stmt(0xc018942f00, 0xc03322b400, {0x1071d40?, 0xc01fbe37a0?})
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:2745 +0x1046
golang.org/x/tools/go/ssa.(*builder).buildFromSyntax(0xc018942f00, 0xc03322b400)
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:2951 +0x265
golang.org/x/tools/go/ssa.(*builder).buildFunction(0xe27740?, 0xc03322b400)
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:2904 +0x186
golang.org/x/tools/go/ssa.(*builder).iterate(0xc018942f00)
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:2889 +0x25
golang.org/x/tools/go/ssa.(*Package).build(0xc033136600)
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:3172 +0xce
sync.(*Once).doSlow(0xc01fae3440?, 0xc01bbbdc80?)
    /opt/go/src/sync/once.go:76 +0xb4
sync.(*Once).Do(...)
    /opt/go/src/sync/once.go:67
golang.org/x/tools/go/ssa.(*Package).Build(...)
    /root/go/pkg/mod/golang.org/x/[email protected]/go/ssa/builder.go:3161
golang.org/x/tools/go/analysis/passes/buildssa.run(0xc01fb5c9a0)
    /root/go/pkg/mod/golang.org/x/[email protected]/go/analysis/passes/buildssa/buildssa.go:59 +0x225
github.com/securego/gosec/v2.(*Analyzer).buildSSA(0xc0144ef690?, 0xc002cb2340)
    /root/git/gosec/analyzer.go:503 +0x193
github.com/securego/gosec/v2.(*Analyzer).CheckAnalyzers(0xc000512f80, 0xc002cb2340)
    /root/git/gosec/analyzer.go:412 +0x32
github.com/securego/gosec/v2.(*Analyzer).Process(0xc000512f80, {0x0, 0x0, 0x0}, {0xc00018aa08, 0x67, 0x3d?})
    /root/git/gosec/analyzer.go:318 +0x487
main.main()
    /root/git/gosec/cmd/gosec/main.go:477 +0xddc

Steps to reproduce the behavior

Scan a directory using:

gosec -concurrency=1 -verbose -nosec=false -confidence=high -severity=high

gosec version

2.22.0

Go version (output of 'go version')

1.23.2

Operating system / Environment

Linux
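
The report above distinguishes a "regular" nil from a typed nil for the `obj` parameter. The following added example (not code from gosec or golang.org/x/tools) shows the difference on a `types.Object` using only the standard library; `describeObj` and `pkgOf` are hypothetical helper names and the package path is constructed.

```go
package main

import (
	"fmt"
	"go/token"
	"go/types"
	"reflect"
)

// describeObj (hypothetical helper) classifies a types.Object: a "regular"
// nil interface carries neither type nor value, while a typed nil carries a
// concrete pointer type whose value is nil and so fails an `obj == nil` check.
func describeObj(obj types.Object) string {
	if obj == nil {
		return "nil interface"
	}
	if v := reflect.ValueOf(obj); v.Kind() == reflect.Pointer && v.IsNil() {
		return "typed nil " + v.Type().String()
	}
	return "valid " + obj.Name()
}

// pkgOf (hypothetical helper) calls a method on obj and converts the runtime
// panic into an error that records which kind of nil was passed in.
func pkgOf(obj types.Object) (pkg *types.Package, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%s: %v", describeObj(obj), r)
		}
	}()
	return obj.Pkg(), nil
}

func main() {
	pkg := types.NewPackage("example.test/demo", "demo") // constructed sample
	var typedNil *types.Var
	samples := []types.Object{
		nil,      // regular nil: no dynamic type, method dispatch itself faults
		typedNil, // typed nil: has a dynamic type, so it is != nil as an interface
		types.NewVar(token.NoPos, pkg, "x", types.Typ[types.Int]),
	}
	for _, obj := range samples {
		p, err := pkgOf(obj)
		fmt.Println(describeObj(obj), "->", p, err)
	}
}
```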

@ccojocar ccojocar added the bug label Jan 23, 2025
@ccojocar
Member

Any chance that you can share sample code that generates this panic? This panic is deep in the tools package, which contains the SSA representation. This seems to be out of gosec's reach, but it might be that some update of the tools package introduced this issue.

@ccojocar
Member

Is this also reproducible with the master version if you use Go 1.23.5?
