BUG running scorecard on a new repo with no commits results in a panic SIGSEGV #2010

Closed
shissam opened this issue Jun 28, 2022 · 2 comments · Fixed by #2011
Labels
kind/bug Something isn't working

Comments


shissam commented Jun 28, 2022

Describe the bug
Logged into GitHub, using the GitHub Web User Interface and selecting "New repository" to create a new repository and then running scorecard against that new repo causes:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xda6966]

Reproduction steps
Steps to reproduce the behavior:

  1. Use the "New repository" menu option in the upper right corner to create a new repository (any name I guess)
  2. Do nothing more, no commits, no initial file, nothing but the repo should appear in your list of repos
  3. point scorecard to that repo, the version I am showing (via docker) is gcr.io/openssf/scorecard stable 3de671030a71 5 days ago 43.7MB
  4. docker run -e GITHUB_AUTH_TOKEN=<AUTH_TOKEN> gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/shissam/BugsBunny

Expected behavior
I expected the scorecard to run against the repo and give me an aggregate score (i.e., 'Aggregate score: 4.7 / 10') with a detail of the results following.

What did happen was:

$ docker run -e GITHUB_AUTH_TOKEN=<AUTH_TOKEN> gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/shissam/BugsBunny
Starting [Packaging]
Starting [Pinned-Dependencies]
Starting [Token-Permissions]
Starting [Contributors]
Starting [CII-Best-Practices]
Starting [Vulnerabilities]
Starting [Branch-Protection]
Starting [CI-Tests]
Starting [License]
Starting [Fuzzing]
Starting [Security-Policy]
Starting [Signed-Releases]
Starting [Binary-Artifacts]
Starting [Dependency-Update-Tool]
Starting [Webhooks]
Starting [Maintained]
Starting [SAST]
Starting [Code-Review]
Starting [Dangerous-Workflow]
2022/06/28 21:08:11 unable to get tarball tarball not found: https://api.github.com/repos/shissam/BugsBunny/tarball/. Skipping...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xca8966]

goroutine 16 [running]:
github.com/ossf/scorecard/v4/remediation.Setup.func1()
github.com/ossf/scorecard/v4/remediation/remediations.go:58 +0x66
sync.(*Once).doSlow(0xc000400b40, 0xc0000c2a00)
sync/once.go:68 +0xec
sync.(*Once).Do(...)
sync/once.go:59
github.com/ossf/scorecard/v4/remediation.Setup(0xc000012ab0, 0x0, 0xc0000c2a60)
github.com/ossf/scorecard/v4/remediation/remediations.go:49 +0x7d
github.com/ossf/scorecard/v4/checks.PinningDependencies(0xc000012ab0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
github.com/ossf/scorecard/v4/checks/pinned_dependencies.go:44 +0x85
github.com/ossf/scorecard/v4/checker.(*Runner).Run(0xc0000c2ea8, 0x11d3bd8, 0xc0001e9ec0, 0x10d5328, 0xc000401620, 0x2, 0x2, 0x0, 0x0, 0x0, ...)
github.com/ossf/scorecard/v4/checker/check_runner.go:111 +0x594
github.com/ossf/scorecard/v4/pkg.runEnabledChecks.func1(0xc0003d0b30, 0x108c9eb, 0x13, 0x11d9340, 0xc000500310, 0xc0000987e0, 0xc0004a05a0, 0x11d3bd8, 0xc00003e050, 0x10d5328, ...)
github.com/ossf/scorecard/v4/pkg/scorecard.go:60 +0x172
created by github.com/ossf/scorecard/v4/pkg.runEnabledChecks
github.com/ossf/scorecard/v4/pkg/scorecard.go:52 +0x308

Additional context
The first version of this attempt was against https://github.com/shissam/YosemiteSam - it also failed in the same manner. BUT after creating (and committing) an initial file (e.g., README.md) and even after subsequently deleting that same file, the 'panic' never occurred again.

Both those repos, YosemiteSam and BugsBunny will remain for some time.

@shissam shissam added the kind/bug Something isn't working label Jun 28, 2022
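The trace above shows the nil pointer dereference inside a `sync.Once` closure in `remediation.Setup`, reached when the repository has no commits (the tarball fetch fails and the setup is handed a nil value, visible as the `0x0` second argument). The following is an added example, not scorecard's own code, that shows the defensive pattern a check runner wants here: validate inputs before the once-only initialisation runs, record the error so every later caller sees the same outcome, and let the check degrade to an inconclusive result instead of taking the whole run down. The `RepoClient` interface, the `emptyRepo`/`populatedRepo` clients, and the `PinnedDependencies` function are constructed stand-ins for this example and are not scorecard APIs.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrNoCommits is returned by the constructed client when the repository
// has no default-branch commit and therefore no tarball to fetch.
var ErrNoCommits = errors.New("tarball not found: repository has no commits")

// RepoClient is a minimal stand-in (an assumption for this example) for a
// repository client: it only hands back the repository URI and the HEAD
// commit, which is all the remediation metadata below is built from.
type RepoClient interface {
	URI() string
	HeadSHA() (string, error)
}

// emptyRepo models a freshly created GitHub repository with no commits.
type emptyRepo struct{ uri string }

func (r emptyRepo) URI() string              { return r.uri }
func (r emptyRepo) HeadSHA() (string, error) { return "", ErrNoCommits }

// populatedRepo models a repository with at least one commit.
type populatedRepo struct{ uri, sha string }

func (r populatedRepo) URI() string              { return r.uri }
func (r populatedRepo) HeadSHA() (string, error) { return r.sha, nil }

// RemediationMetadata is what the one-time setup produces.
type RemediationMetadata struct {
	Repo   string
	Branch string // HEAD commit used when building remediation suggestions
}

// remediator performs lazy, once-only initialisation. The crash pattern in
// the issue is a sync.Once closure that dereferences a nil client; this
// version checks its inputs before touching them and stores the error so
// every subsequent caller gets the same failure rather than a nil result.
type remediator struct {
	once sync.Once
	meta *RemediationMetadata
	err  error
}

// Setup returns remediation metadata, or an error if the client is nil or
// the repository has no commits. It never panics.
func (r *remediator) Setup(c RepoClient) (*RemediationMetadata, error) {
	r.once.Do(func() {
		if c == nil {
			r.err = errors.New("remediation: nil repo client")
			return
		}
		sha, err := c.HeadSHA()
		if err != nil {
			r.err = fmt.Errorf("remediation: %w", err)
			return
		}
		r.meta = &RemediationMetadata{Repo: c.URI(), Branch: sha}
	})
	return r.meta, r.err
}

// CheckResult is a simplified check outcome; Score -1 marks "inconclusive".
type CheckResult struct {
	Name   string
	Score  int
	Reason string
}

// PinnedDependencies runs the check. When remediation metadata is not
// available it still returns a result instead of aborting the whole run.
func PinnedDependencies(c RepoClient, rem *remediator) CheckResult {
	meta, err := rem.Setup(c)
	if err != nil {
		return CheckResult{Name: "Pinned-Dependencies", Score: -1, Reason: "inconclusive: " + err.Error()}
	}
	return CheckResult{Name: "Pinned-Dependencies", Score: 10, Reason: "analysed " + meta.Repo + "@" + meta.Branch}
}

func main() {
	clients := []RepoClient{
		emptyRepo{uri: "github.com/example/empty"},                    // constructed: no commits
		populatedRepo{uri: "github.com/example/full", sha: "abc123"}, // constructed
		nil, // the case the stack trace shows
	}
	for _, c := range clients {
		res := PinnedDependencies(c, &remediator{})
		fmt.Printf("%s score=%d (%s)\n", res.Name, res.Score, res.Reason)
	}
}
```

The second regression the maintainers mention (adding an empty repo to the e2e fixtures) maps directly onto `emptyRepo` here: a test that runs every check against a client whose tarball lookup fails is what catches this class of panic before release.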
@azeemshaikh38 (Contributor)

Thanks for the report @shissam.

@laurentsimon assigning to you. Crash seems to be happening in the remediation code, could you PTAL? Also, let's add an empty (no commit) repo to ossf-tests for our e2e tests.


laurentsimon commented Jun 28, 2022

I would swear I fixed this before, but apparently not!
PR sent as #2011

Thanks for the report!
