kubernetes-sigs/bom

Panic when building with both --image and --file

jaevans opened this issue ยท 3 comments

jaevans commented

What happened:

Building a BOM with an image and a file ends in a panic due to out of stack space

runtime: sp=0x14020740350 stack=[0x14020740000, 0x14040740000]
fatal error: stack overflow

Using just --image or just --files on the same set works. So does using --image and --dirs together. Only the combination of --image and --files causes the error.

What you expected to happen:

SBOM built with both the result of the image and files.

How to reproduce it (as minimally and precisely as possible):

touch file1 file2 file3
bom generate --image busybox --file file1 --file file2 --file file3

...

runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0x14020740350 stack=[0x14020740000, 0x14040740000]
fatal error: stack overflow

runtime stack:
runtime.throw({0x100db3e17?, 0x101258780?})
	/opt/homebrew/Cellar/go/1.20.2/libexec/src/runtime/panic.go:1047 +0x40 fp=0x16f74ad20 sp=0x16f74acf0 pc=0x10099e940
runtime.newstack()
	/opt/homebrew/Cellar/go/1.20.2/libexec/src/runtime/stack.go:1105 +0x460 fp=0x16f74aed0 sp=0x16f74ad20 pc=0x1009b7a50
runtime.morestack()
	/opt/homebrew/Cellar/go/1.20.2/libexec/src/runtime/asm_arm64.s:316 +0x70 fp=0x16f74aed0 sp=0x16f74aed0 pc=0x1009cd400

goroutine 1 [running]:
runtime.mapaccess2_faststr(0x100ef7b20, 0x140406df5e8, {0x140000300c0, 0x57})
	/opt/homebrew/Cellar/go/1.20.2/libexec/src/runtime/map_faststr.go:108 +0x3f4 fp=0x140206e0350 sp=0x140206e0350 pc=0x10097dd04
sigs.k8s.io/bom/pkg/spdx.recursiveIDSearch({0x140004aa018, 0x12}, {0x100f86c98, 0x14000083520}, 0x140406df5e0)
	/Users/james/go/pkg/mod/sigs.k8s.io/bom@v0.4.2-0.20230308093512-98baf662f2fe/pkg/spdx/spdx.go:279 +0xe8 fp=0x140206e03b0 sp=0x140206e0350 pc=0x100d818b8
sigs.k8s.io/bom/pkg/spdx.recursiveIDSearch({0x140004aa018, 0x12}, {0x100f86c98, 0x14000083ba0}, 0x140406df5e0)
	/Users/james/go/pkg/mod/sigs.k8s.io/bom@v0.4.2-0.20230308093512-98baf662f2fe/pkg/spdx/spdx.go:287 +0x150 fp=0x140206e0410 sp=0x140206e03b0 pc=0x100d81920
sigs.k8s.io/bom/pkg/spdx.recursiveIDSearch({0x140004aa018, 0x12}, {0x100f86c98, 0x14000083520}, 0x140406df5e0)
	/Users/james/go/pkg/mod/sigs.k8s.io/bom@v0.4.2-0.20230308093512-98baf662f2fe/pkg/spdx/spdx.go:287 +0x150 fp=0x140206e0470 sp=0x140206e0410 pc=0x100d81920
sigs.k8s.io/bom/pkg/spdx.recursiveIDSearch({0x140004aa018, 0x12}, {0x100f86c98, 0x14000083ba0}, 0x140406df5e0)
	/Users/james/go/pkg/mod/sigs.k8s.io/bom@v0.4.2-0.20230308093512-98baf662f2fe/pkg/spdx/spdx.go:287 +0x150 fp=0x140206e04d0 sp=0x140206e0470 pc=0x100d81920

Anything else we need to know?:

Apple M1, I haven't been able to test on x86. I've tested with 0.4.1 and master.

Environment:

  • Cloud provider or hardware configuration: Apple M1
  • OS (e.g: cat /etc/os-release): Ventura 13.2.1
  • Kernel (e.g. uname -a): Darwin MacDevelopment 22.3.0 Darwin Kernel Version 22.3.0: Mon Jan 30 20:38:37 PST 2023; root:xnu-8792.81.3~2/RELEASE_ARM64_T6000 arm64
  • Others:
jaevans commented

Same error on linux/amd64 (fedora 37), version 0.4.1

puerco commented

Weird, I've managed to reproduce it and I'm checking it now. Thanks for the report @jaevans !

puerco commented

I've pushed #244 to fix this bug, now generating the sbom works:

bom generate --image busybox --file file1 --file file2 --file file3 | bom document outline -

               _      
 ___ _ __   __| |_  __
/ __| '_ \ / _` \ \/ /
\__ \ |_) | (_| |>  < 
|___/ .__/ \__,_/_/\_\
    |_|               

 ๐Ÿ“‚ SPDX Document SBOM-SPDX-3b54773f-02aa-4c3e-9a12-85d2a8f44af3
  โ”‚ 
  โ”‚ ๐Ÿ“ฆ DESCRIBES 1 Packages
  โ”‚ 
  โ”œ sha256:c118f538365369207c12e5794c3cbfb7b042d950af590ae6c287ede74f29b7d4
  โ”‚  โ”‚ ๐Ÿ”— 10 Relationships
  โ”‚  โ”œ CONTAINS PACKAGE sha256:e8df49b8bf88d2e57d68613eb891a863b9a4d107d46804bb5456430ef3f8ca6a
  โ”‚  โ”‚  โ”‚ ๐Ÿ”— 2 Relationships
  โ”‚  โ”‚  โ”œ CONTAINS PACKAGE sha256:3cd170288f2fd3e424ba5329d99b40927f4721c5b16fe20ef72dd73c160b0245
  โ”‚  โ”‚  โ”” VARIANT_OF PACKAGE sha256:c118f538365369207c12e5794c3cbfb7b042d950af590ae6c287ede74f29b7d4
  โ”‚  โ”‚ 
  โ”‚  โ”œ CONTAINS PACKAGE sha256:9c4aa07dc6de17545781cfad8cf412c810ba88f98187008eeae7bdaa3976f3bb
  โ”‚  โ”‚  โ”‚ ๐Ÿ”— 2 Relationships
  โ”‚  โ”‚  โ”œ CONTAINS PACKAGE sha256:ed0e558e1a9b9e8d9be4d1bdc09a27e86b8e816de9788f292232d1a5e84b0731
  โ”‚  โ”‚  โ”” VARIANT_OF PACKAGE sha256:c118f538365369207c12e5794c3cbfb7b042d950af590ae6c287ede74f29b7d4
  โ”‚  โ”‚ 
  โ”‚  โ”œ CONTAINS PACKAGE sha256:2c8ed5408179ff4f53242a4bdd2706110ce000be239fe37a61be9c52f704c437
  โ”‚  โ”‚  โ”‚ ๐Ÿ”— 2 Relationships
  โ”‚  โ”‚  โ”œ CONTAINS PACKAGE sha256:1487bff95222881565c7c063129c2c2ce3d6fc4d14796ac7627bd1f167bc5621
  โ”‚  โ”‚  โ”” VARIANT_OF PACKAGE sha256:c118f538365369207c12e5794c3cbfb7b042d950af590ae6c287ede74f29b7d4
  โ”‚  โ”‚ 
  โ”‚  โ”œ CONTAINS PACKAGE sha256:c6c4fb2c249a531ce74e7970daf33dd5597fbb1b217bb4b52e0e9b350b5218f4
  โ”‚  โ”‚  โ”‚ ๐Ÿ”— 2 Relationships
  โ”‚  โ”‚  โ”œ CONTAINS PACKAGE sha256:9c10fd6e29d89874e9355832b75a2c3baa067b2a90ae6f26b5c2b22e942bead6
  โ”‚  โ”‚  โ”” VARIANT_OF PACKAGE sha256:c118f538365369207c12e5794c3cbfb7b042d950af590ae6c287ede74f29b7d4
  โ”‚  โ”‚ 
  โ”‚  โ”œ CONTAINS PACKAGE sha256:afebab8e3d8cbef70c0632b5a7aa5c003f253d4f4f1ca47fe6b094ef7fe0cd07
  โ”‚  โ”‚  โ”‚ ๐Ÿ”— 2 Relationships
  โ”‚  โ”‚  โ”œ CONTAINS PACKAGE sha256:814c8b675ca358072b3bfd78ba92ae7e5cf5d9e44fbe710fbfa619f6fdc4b72b
  โ”‚  โ”‚  โ”” VARIANT_OF PACKAGE sha256:c118f538365369207c12e5794c3cbfb7b042d950af590ae6c287ede74f29b7d4
  โ”‚  โ”‚ 
  โ”‚  โ”œ CONTAINS PACKAGE sha256:b7c64f5c78e96bd56921c28d7794a5ed1ffcf10536d748219dc20bb799162e80
  โ”‚  โ”‚  โ”‚ ๐Ÿ”— 2 Relationships
  โ”‚  โ”‚  โ”œ CONTAINS PACKAGE sha256:57e84f0a7f5010bc07bd842638c4a106afd40ca113b3e4b57f934aa9348f5f2a
  โ”‚  โ”‚  โ”” VARIANT_OF PACKAGE sha256:c118f538365369207c12e5794c3cbfb7b042d950af590ae6c287ede74f29b7d4
  โ”‚  โ”‚ 
  โ”‚  โ”œ CONTAINS PACKAGE sha256:77cf10a9f12c8e1274d80b8644934ee279c201697d8036c199322b258a20b30d
  โ”‚  โ”‚  โ”‚ ๐Ÿ”— 2 Relationships
  โ”‚  โ”‚  โ”œ CONTAINS PACKAGE sha256:59520f5d6c57137715f3f3afecdaed7360828fedc3abc05aa1972c4371a749f2
  โ”‚  โ”‚  โ”” VARIANT_OF PACKAGE sha256:c118f538365369207c12e5794c3cbfb7b042d950af590ae6c287ede74f29b7d4
  โ”‚  โ”‚ 
  โ”‚  โ”œ CONTAINS PACKAGE sha256:0d985c89169632f79e8594b8fa522b44649312b5f86e28ee3ff3e56f30cc7c44
  โ”‚  โ”‚  โ”‚ ๐Ÿ”— 2 Relationships
  โ”‚  โ”‚  โ”œ CONTAINS PACKAGE sha256:fe77dc6592f172993935753980c1081538bc17af23d7ef0435af99a0bbbd905f
  โ”‚  โ”‚  โ”” VARIANT_OF PACKAGE sha256:c118f538365369207c12e5794c3cbfb7b042d950af590ae6c287ede74f29b7d4
  โ”‚  โ”‚ 
  โ”‚  โ”œ CONTAINS PACKAGE sha256:bc35ee0ae8c742ec79d347808e26c5f08bc6c1d8c883d6cac34151983791ab6a
  โ”‚  โ”‚  โ”‚ ๐Ÿ”— 2 Relationships
  โ”‚  โ”‚  โ”œ CONTAINS PACKAGE sha256:13cca494f936f21fbf8f00e454e6cff8ab62e733f468c102f4d0a0fe4eb21e4d
  โ”‚  โ”‚  โ”” VARIANT_OF PACKAGE sha256:c118f538365369207c12e5794c3cbfb7b042d950af590ae6c287ede74f29b7d4
  โ”‚  โ”‚ 
  โ”‚  โ”” CONTAINS PACKAGE sha256:c1d97f83e9971011d6c1c492892bce9ac2be24705650cd52ac09effab5b8abba
  โ”‚  โ”‚  โ”‚ ๐Ÿ”— 2 Relationships
  โ”‚  โ”‚  โ”œ CONTAINS PACKAGE sha256:81407dacd54e9a77b35c98644d5e51f8fc3a0f257ef24886dd20c352e1a42ab5
  โ”‚  โ”‚  โ”” VARIANT_OF PACKAGE sha256:c118f538365369207c12e5794c3cbfb7b042d950af590ae6c287ede74f29b7d4
  โ”‚  โ”‚ 
  โ”‚ 
  โ”‚ 
  โ”‚ ๐Ÿ“„ DESCRIBES 3 Files
  โ”‚ 
  โ”œ SPDXRef-File-file3 (file3)
  โ”œ SPDXRef-File-file1 (file1)
  โ”” SPDXRef-File-file2 (file2)