
@derekhjray
Contributor

Description

The nodejs parser will panic if parser.pkgNameFromPath is invoked with the parameter 'xxxx/node_modules', which has no trailing slash or submodule.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@CLAassistant

CLAassistant commented Oct 20, 2025

CLA assistant check
All committers have signed the CLA.

@DmitriyLewen
Contributor

Hello @derekhjray
Thanks for your work!

Can you share an example of how we can reproduce this issue?

@derekhjray
Contributor Author

@DmitriyLewen
Sorry, I cannot get the image that triggers this panic issue, which is from a different group.

When Nodejs parser.parseV2 -> parser.pkgNameFromPath() processes a nodejs path with the suffix "node_modules", such as "xxxx/node_modules", that has no trailing slash or sub-package name, the function's string slice access 'path[index + len(node_modules) + 1:]' will panic, and I have no idea why the nodejs parser got a javascript package path with no trailing slash and package name.

@derekhjray
Contributor Author

@DmitriyLewen
There may be a chance that the image contains a malformed package-lock.json file.

@DmitriyLewen
Contributor

There may be a chance that the image contains a malformed package-lock.json file.

Trivy doesn't check npm lock files in image mode - https://trivy.dev/latest/docs/coverage/language/#supported-languages

I have no idea why nodejs parser got a javascript package path with no trailing slash and package name

It looks like this is an invalid lock file. Can you share this package-lock.json file?

@derekhjray
Contributor Author

Sorry, I cannot get the package-lock.json file myself; I just fixed it from the panic log, and it's just an insurance and compatible fix for invalid nodejs lock files, for both image and filesystem scanning.

If it's not an issue worth your consideration, I can close this PR.

@DmitriyLewen
Contributor

I just wanted to understand how this is possible.
Perhaps we are missing something.

Comment on lines 348 to 351
if index+len(nodeModulesDir) == len(pkgPath) {
return ""
}

Contributor

Is it possible to add a warning here since the package-lock.json file is invalid in this case?

Contributor Author

Yes, you could add a warning message to warn that the lock file is malformed.

@derekhjray
Contributor Author

@DmitriyLewen
The invalid lock file that triggered this panic is from another team, and they refuse to provide the original file, and I cannot figure out why this happened either.
So I just added an index range validation to avoid the panic issue.
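To make the failure mode and the fix discussed in this thread concrete, here is an added Go example (not code from the Trivy repository): it reproduces the out-of-range slice that panics on a path ending in "node_modules", and beside it a guarded version that returns a malformed flag so the caller can log a warning instead of crashing. It goes slightly beyond the PR's check by also treating a trailing-slash path with no package name as malformed; the sample paths are constructed, and the "no node_modules segment" fallback is an assumption of this example.

```go
package main
import (
	"fmt"
	"strings"
)
const nodeModulesDir = "node_modules" // path separator between nested packages in package-lock.json

// pkgNameFromPathUnsafe mirrors the slicing logic that panicked: it assumes a
// "/<name>" always follows the last "node_modules", so a path ending exactly at
// "node_modules" produces a start offset past len(pkgPath) and Go panics.
func pkgNameFromPathUnsafe(pkgPath string) string {
	if index := strings.LastIndex(pkgPath, nodeModulesDir); index != -1 {
		return pkgPath[index+len(nodeModulesDir)+1:]
	}
	return pkgPath
}

// pkgNameFromPath is the guarded form. A path with nothing after "node_modules"
// (with or without a trailing slash) is a malformed lock-file entry: it returns
// "" and malformed=true so the caller can log a warning instead of crashing.
func pkgNameFromPath(pkgPath string) (name string, malformed bool) {
	index := strings.LastIndex(pkgPath, nodeModulesDir)
	if index == -1 {
		return pkgPath, false // no node_modules segment: whole path is the name (assumption)
	}
	start := index + len(nodeModulesDir) + 1
	if start >= len(pkgPath) {
		return "", true
	}
	return pkgPath[start:], false
}

// unguardedPanics reports whether the unsafe version panics on pkgPath, recovering so the failure can be observed.
func unguardedPanics(pkgPath string) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	_ = pkgNameFromPathUnsafe(pkgPath)
	return false
}

func main() {
	// Constructed sample entries; "xxxx/node_modules" is the malformed shape from the PR description.
	for _, p := range []string{"node_modules/string-width", "node_modules/a/node_modules/strip-ansi", "xxxx/node_modules"} {
		name, malformed := pkgNameFromPath(p)
		fmt.Printf("%-40s unsafe_panics=%-5v name=%q malformed=%v\n", p, unguardedPanics(p), name, malformed)
	}
}
```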

Contributor

@DmitriyLewen DmitriyLewen left a comment


@derekhjray Thanks for your work!

I refactored code a bit.

The invalid lock file that triggered this panic is from another team, and they refuse to provide the original file, and I cannot figure out why this happened either.

If you manage to reproduce this case or get a file from this team, I would be very grateful if you sent it.

Merged via the queue into aquasecurity:main with commit 231492d Oct 23, 2025
14 checks passed
@derekhjray
Contributor Author

@derekhjray Thanks for your work!

I refactored code a bit.

The invalid lock file that triggered this panic is from another team, and they refuse to provide the original file, and I cannot figure out why this happened either.

If you manage to reproduce this case or get a file from this team, I would be very grateful if you sent it.

OK, I will share the file if I reproduce this panic and get the original file.

knqyf263 pushed a commit to knqyf263/trivy that referenced this pull request Oct 27, 2025