Panic error scanning images with v0.101.0 on some java dependencies #3002

@sfc-gh-jferner

Description

What happened:
Grype CLI scan using v0.101.0 fails with panic error on image built with maven-jib-plugin where dependencies pulled in include either jakarta.activation-api-2.1.3.jar or javax.annotation-api-1.3.2.jar.

What you expected to happen:
Grype scan does not experience a segfault. The same scan using v0.100.0 does not fail.

How to reproduce it (as minimally and precisely as possible):
I can provide examples of the jib-assembled jars, if needed, but was not able to upload jars to the issue. A direct grype scan on these jars produces a similar error to scanning the image itself that contains the jars. Explicitly excluding those jars from the image with --exclude arg avoids the error.

The error output from the scans includes

$ grype /tmp/jakarta.activation-api-2.1.3.jar
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x38 pc=0x101f8511c]

goroutine 107 [running]:
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveProperty(0x0, {0x10376a688, 0x14000a2a450}, {0x140046a6138, 0x1, 0x1}, {0x140021ec7f2, 0xc}, {0x0, 0x0, ...})
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:146 +0x37c
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveExpression.func1({0x140021ec7f0, 0xf})
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:109 +0x190
regexp.(*Regexp).ReplaceAllStringFunc.func1({0x140046a3110, 0x17, 0x18}, {0x14001c96b20?, 0x0?, 0x0?})
regexp/regexp.go:598 +0x78
regexp.(*Regexp).replaceAll(0x1400028e6e0, {0x0, 0x0, 0x0}, {0x140021ec7e0, 0x2d}, 0x2, 0x14000da0f78)
regexp/regexp.go:636 +0x2cc
regexp.(*Regexp).ReplaceAllStringFunc(0x14000268ec0?, {0x140021ec7e0?, 0x1?}, 0x140002f9a40?)
regexp/regexp.go:597 +0x4c
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveExpression(0x0, {0x10376a688, 0x14000a2a450}, {0x140046a6138, 0x1, 0x1}, {0x140021ec7e0, 0x2d}, {0x0, 0x0, ...})
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:106 +0x17c
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolvePropertyValue(0x10376a688?, {0x10376a688?, 0x14000a2a450?}, 0x14000889840, {0x0?, 0x0?, 0x140046a6108?}, {0x140046a6138?, 0x1?, 0x14000955890?})
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:93 +0x64
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).ResolveProperty(...)
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:83
github.com/anchore/syft/syft/pkg/cataloger/java.newPomProject({0x10376a688, 0x14000a2a450}, 0x0, {0x14000b4fac0, 0x40}, 0x1400079ec30)
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/parse_pom_xml.go:225 +0x3b0
github.com/anchore/syft/syft/pkg/cataloger/java.(*archiveParser).discoverMainPackage(0x14000ba6000, {0x10376a688, 0x14000a2a450})
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/archive_parser.go:266 +0x450
github.com/anchore/syft/syft/pkg/cataloger/java.(*archiveParser).parse(0x14000ba6000, {0x10376a688, 0x14000a2a450}, 0x0)
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/archive_parser.go:140 +0x34
github.com/anchore/syft/syft/pkg/cataloger/java.genericArchiveParserAdapter.processJavaArchive({{{0x1, 0x0}, 0x0, 0x0, {0x14000163980, 0x1d}, {0x1026d8536, 0x1e}, 0x0, 0x0}}, ...)
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/archive_parser.go:88 +0x11c
github.com/anchore/syft/syft/pkg/cataloger/java.genericArchiveParserAdapter.parseJavaArchive(...)
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/archive_parser.go:77
github.com/anchore/syft/syft/pkg/cataloger/generic.invokeParser({0x10376a688, 0x14000a2a450}, {0x10377fe10, 0x14000bcad80}, {{{{0x140008e4b4c, 0x21}, {0x0, 0x0}}, {0x140008e4b4c, 0x21}, ...}, ...}, ...)
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/generic/cataloger.go:217 +0x2f8
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog.func1({{{{{...}, {...}}, {0x140008e4b4c, 0x21}, {0x2, {...}}}, {0x14000955890}}, 0x14000ab5800})
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/generic/cataloger.go:186 +0x188
github.com/anchore/go-sync.Collect[...].func1()
github.com/anchore/[email protected]/collector.go:36 +0xa4
github.com/anchore/go-sync.(*errGroupExecutor).Go.func1()
github.com/anchore/[email protected]/executor_errgroup.go:37 +0x84
golang.org/x/sync/errgroup.(*Group).Go.func1()
golang.org/x/[email protected]/errgroup/errgroup.go:93 +0x4c
created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 215
golang.org/x/[email protected]/errgroup/errgroup.go:78 +0x90

$ grype /tmp/javax.annotation-api-1.3.2.jar
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x38 pc=0x101ab511c]

goroutine 70 [running]:
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveProperty(0x0, {0x10329a688, 0x140004630e0}, {0x140012200e8, 0x1, 0x1}, {0x1400462416a, 0xe}, {0x0, 0x0, ...})
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:146 +0x37c
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveExpression.func1({0x14004624168, 0x11})
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:109 +0x190
regexp.(*Regexp).ReplaceAllStringFunc.func1({0x0, 0x0, 0x0}, {0x14004787b70?, 0x0?, 0x0?})
regexp/regexp.go:598 +0x78
regexp.(*Regexp).replaceAll(0x14000957cc0, {0x0, 0x0, 0x0}, {0x14004624168, 0x15}, 0x2, 0x140057f2f78)
regexp/regexp.go:636 +0x2cc
regexp.(*Regexp).ReplaceAllStringFunc(0x14000917c00?, {0x14004624168?, 0x1?}, 0x140049813c0?)
regexp/regexp.go:597 +0x4c
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolveExpression(0x0, {0x10329a688, 0x140004630e0}, {0x140012200e8, 0x1, 0x1}, {0x14004624168, 0x15}, {0x0, 0x0, ...})
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:106 +0x17c
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).resolvePropertyValue(0x0?, {0x10329a688?, 0x140004630e0?}, 0x140049d6400, {0x0?, 0x0?, 0x140012200e0?}, {0x140012200e8?, 0x1?, 0x14000462900?})
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:93 +0x64
github.com/anchore/syft/syft/pkg/cataloger/java/internal/maven.(*Resolver).ResolveProperty(...)
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/internal/maven/resolver.go:83
github.com/anchore/syft/syft/pkg/cataloger/java.newPomProject({0x10329a688, 0x140004630e0}, 0x0, {0x1400152aac0, 0x3c}, 0x1400089a2d0)
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/parse_pom_xml.go:214 +0x11c
github.com/anchore/syft/syft/pkg/cataloger/java.(*archiveParser).discoverMainPackage(0x14000254400, {0x10329a688, 0x140004630e0})
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/archive_parser.go:266 +0x450
github.com/anchore/syft/syft/pkg/cataloger/java.(*archiveParser).parse(0x14000254400, {0x10329a688, 0x140004630e0}, 0x0)
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/archive_parser.go:140 +0x34
github.com/anchore/syft/syft/pkg/cataloger/java.genericArchiveParserAdapter.processJavaArchive({{{0x1, 0x0}, 0x0, 0x0, {0x14000919ae0, 0x1d}, {0x102208536, 0x1e}, 0x0, 0x0}}, ...)
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/archive_parser.go:88 +0x11c
github.com/anchore/syft/syft/pkg/cataloger/java.genericArchiveParserAdapter.parseJavaArchive(...)
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/java/archive_parser.go:77
github.com/anchore/syft/syft/pkg/cataloger/generic.invokeParser({0x10329a688, 0x140004630e0}, {0x1032afe10, 0x14000ca8090}, {{{{0x14000adcfcc, 0x1f}, {0x0, 0x0}}, {0x14000adcfcc, 0x1f}, ...}, ...}, ...)
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/generic/cataloger.go:217 +0x2f8
github.com/anchore/syft/syft/pkg/cataloger/generic.(*Cataloger).Catalog.func1({{{{{...}, {...}}, {0x14000adcfcc, 0x1f}, {0x2, {...}}}, {0x14000462900}}, 0x14000bb6540})
github.com/anchore/syft@v1.34.1/syft/pkg/cataloger/generic/cataloger.go:186 +0x188
github.com/anchore/go-sync.Collect[...].func1()
github.com/anchore/[email protected]/collector.go:36 +0xa4
github.com/anchore/go-sync.(*errGroupExecutor).Go.func1()
github.com/anchore/[email protected]/executor_errgroup.go:37 +0x84
golang.org/x/sync/errgroup.(*Group).Go.func1()
golang.org/x/[email protected]/errgroup/errgroup.go:93 +0x4c
created by golang.org/x/sync/errgroup.(*Group).Go in goroutine 167
golang.org/x/[email protected]/errgroup/errgroup.go:78 +0x90

Anything else we need to know?:

Environment:

  • Output of grype version:
$ grype version
Application:         grype
Version:             0.101.0
BuildDate:           2025-10-15T16:34:53Z
GitCommit:           Homebrew
GitDescription:      [not provided]
Platform:            darwin/arm64
GoVersion:           go1.25.2
Compiler:            gc
Syft Version:        v1.34.1
Supported DB Schema: 6
  • OS (e.g: cat /etc/os-release or similar):
$ uname -a
Darwin FT9Q32RJVJ 24.6.0 Darwin Kernel Version 24.6.0: Mon Aug 11 21:11:04 PDT 2025; root:xnu-11417.140.69.701.11~1/RELEASE_ARM64_T6031 arm64
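In both traces the first argument of `(*Resolver).resolveProperty` and `(*Resolver).resolveExpression` is `0x0`, i.e. the method is being called through a nil `*Resolver`, and the crash sits inside the `regexp.ReplaceAllStringFunc` callback that substitutes `${...}` expressions from the jar's embedded pom.xml. The Go program below is an added example written for this page, not syft's or grype's code, and it only reproduces the shape of that failure: a small Maven-style property resolver driven by `ReplaceAllStringFunc`, the unguarded method that panics on a nil receiver, a nil-guarded entry point that leaves the expression unresolved instead, and a `recover` wrapper that turns the panic into a per-file error so one archive cannot take down the whole scan. The type and function names (`Resolver`, `ResolveSafe`, `tryResolve`), the property table and the input strings are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// propertyExpr matches Maven-style ${name} expressions such as "${project.version}".
var propertyExpr = regexp.MustCompile(`\$\{[^}]+\}`)

// Resolver holds a constructed property table. A real POM resolver would build
// this from the pom.xml, its parent chain and the effective settings.
type Resolver struct {
	props map[string]string
}

// resolveProperty looks up one property name. It reads r.props without checking
// r for nil, which is the defect pattern: called through a nil *Resolver it
// panics with "invalid memory address or nil pointer dereference".
func (r *Resolver) resolveProperty(name string) string {
	if v, ok := r.props[name]; ok { // field access on a nil r panics here
		return v
	}
	return "${" + name + "}" // unknown property: leave the expression as-is
}

// resolveExpression substitutes every ${name} in value through a regexp
// callback. The callback is only invoked when value actually contains an
// expression, so a nil receiver survives plain values and crashes only on
// POMs that use properties.
func (r *Resolver) resolveExpression(value string) string {
	return propertyExpr.ReplaceAllStringFunc(value, func(m string) string {
		name := strings.TrimSuffix(strings.TrimPrefix(m, "${"), "}")
		return r.resolveProperty(name)
	})
}

// ResolveSafe is the hardened entry point: a nil receiver means "no property
// sources available", so the raw expression is returned rather than panicking.
func (r *Resolver) ResolveSafe(value string) string {
	if r == nil {
		return value
	}
	return r.resolveExpression(value)
}

// tryResolve wraps the unguarded path and converts a panic into an error, the
// kind of isolation a cataloger worker wants so one bad archive is reported
// and skipped instead of aborting the whole scan.
func tryResolve(r *Resolver, value string) (result string, err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("resolving %q: %v", value, p)
		}
	}()
	return r.resolveExpression(value), nil
}

func main() {
	r := &Resolver{props: map[string]string{"project.version": "2.1.3"}}
	fmt.Println(r.ResolveSafe("jakarta.activation-api-${project.version}.jar"))

	var nilResolver *Resolver
	fmt.Println(nilResolver.ResolveSafe("${project.version}")) // unresolved, no panic

	if _, err := tryResolve(nilResolver, "${project.version}"); err != nil {
		fmt.Println("recovered:", err)
	}
}
```

The guard in `ResolveSafe` is the fix a reviewer would look for in the callee; the `recover` in `tryResolve` is the belt-and-braces layer for a scanner that runs parsers concurrently over untrusted archives, where the useful outcome of an unparseable jar is a logged error and a possibly incomplete SBOM, not a dead process. A scan that aborts silently in CI is also a detection gap, so wiring the recovered error into the scan's exit status matters as much as not crashing.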

Metadata
Labels: bug (Something isn't working)
Status: Done