
bug(cyclonedx): Trivy panics when scanning an SBOM in CycloneDX format if the file has an empty metadata component. #9561

@DmitriyLewen

Description

After #9439, Trivy reuses the scanned SBOM.
When a user tries to enrich the report with vulnerabilities, and the CycloneDX file has no metadata component, Trivy panics:

➜ trivy -q sbom sbom.cdx.json -f cyclonedx --scanners vuln
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x10 pc=0x10580dce8]

goroutine 1 [running]:
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*Marshaler).MarshalComponent(0x1400129a308, 0x0)
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/marshal.go:114 +0x28
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*Marshaler).MarshalRoot(0x1400129a308)
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/marshal.go:110 +0x30
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*Marshaler).Marshal(0x1400129a308, {0x109875b60, 0x140003d5180}, 0x10d39aca0?)
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/marshal.go:78 +0x1dc
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*Marshaler).MarshalReport(_, {_, _}, {0x2, {0xc22f4b35b4ef0a68, 0x32733e3, 0x10d39aca0}, {0x16d9d78be, 0xd}, {0x10712e46b, ...}, ...})
	github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/marshal.go:65 +0xc8
github.com/aquasecurity/trivy/pkg/report/cyclonedx.Writer.Write({{_, _}, _, {{_, _}, _, _, _}}, {_, _}, ...)
	github.com/aquasecurity/trivy/pkg/report/cyclonedx/cyclonedx.go:31 +0x7c
github.com/aquasecurity/trivy/pkg/report.Write({_, _}, {0x2, {0xc22f4b35b4ef0a68, 0x32733e3, 0x10d39aca0}, {0x16d9d78be, 0xd}, {0x10712e46b, 0x9}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/report/writer.go:111 +0x944
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).Report(_, {_, _}, {{{0x107137f1a, 0xa}, 0x0, 0x1, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:306 +0x84
github.com/aquasecurity/trivy/pkg/commands/artifact.run({_, _}, {{{0x107137f1a, 0xa}, 0x0, 0x1, 0x0, 0x0, 0x45d964b800, {0x140003f9ad0, ...}, ...}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:449 +0x960
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x107137f1a, 0xa}, 0x0, 0x1, 0x0, 0x0, 0x45d964b800, {0x140003f9ad0, ...}, ...}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:396 +0x1d8
github.com/aquasecurity/trivy/pkg/commands.NewSBOMCommand.func2(0x1400152a308, {0x14000c0e720, 0x1, 0x6})
	github.com/aquasecurity/trivy/pkg/commands/app.go:1217 +0x190
github.com/spf13/cobra.(*Command).execute(0x1400152a308, {0x14000c0e6c0, 0x6, 0x6})
	github.com/spf13/cobra@v1.10.1/command.go:1015 +0x7d4
github.com/spf13/cobra.(*Command).ExecuteC(0x14000ae6008)
	github.com/spf13/cobra@v1.10.1/command.go:1148 +0x350
github.com/spf13/cobra.(*Command).Execute(...)
	github.com/spf13/cobra@v1.10.1/command.go:1071
github.com/spf13/cobra.(*Command).ExecuteContext(...)
	github.com/spf13/cobra@v1.10.1/command.go:1064
github.com/aquasecurity/trivy/pkg/commands.Run({0x109875ea8, 0x14000c03f40})
	github.com/aquasecurity/trivy/pkg/commands/run.go:23 +0x5c
main.run()
	github.com/aquasecurity/trivy/cmd/trivy/main.go:50 +0x14c
main.main()
	github.com/aquasecurity/trivy/cmd/trivy/main.go:19 +0x20

Discussed in #9558
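The nil dereference behind the trace above, next to a guarded alternative, as an added Go example that is not Trivy's own code; the CycloneDX types, the sample document and the function names are assumptions constructed for illustration:

```go
package main

import "encoding/json"

// Minimal CycloneDX subset, constructed for this example (not Trivy's types).
type Component struct {
	Type string `json:"type"`
	Name string `json:"name"`
}
type Metadata struct {
	Component *Component `json:"component,omitempty"`
}
type BOM struct {
	BOMFormat string    `json:"bomFormat"`
	Metadata  *Metadata `json:"metadata,omitempty"`
}

// Constructed sample: a well-formed document whose metadata object has no component.
const emptyMetadataBOM = `{"bomFormat":"CycloneDX","specVersion":"1.6","metadata":{}}`

func parseBOM(data string) (*BOM, error) {
	b := new(BOM)
	return b, json.Unmarshal([]byte(data), b)
}

// unguardedRootName has no nil check: the failure pattern behind the panic above.
func unguardedRootName(b *BOM) string { return b.Metadata.Component.Name }

// rootComponent is the defensive form: it reports whether a root component exists
// instead of dereferencing nil (the metadata object itself may also be absent).
func rootComponent(b *BOM) (*Component, bool) {
	if b == nil || b.Metadata == nil || b.Metadata.Component == nil {
		return nil, false
	}
	return b.Metadata.Component, true
}

// panics reports whether f panics, so the two variants can be compared.
func panics(f func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	f()
	return false
}

func main() {
	b, _ := parseBOM(emptyMetadataBOM)
	_, ok := rootComponent(b)
	println("root present:", ok, "unguarded panics:", panics(func() { unguardedRootName(b) }))
}
```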

Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/sbom (Issues relating to SBOM)
