kics icon indicating copy to clipboard operation
kics copied to clipboard
verified publisher icon Checkmarx

fix(general): silently ignore stat errors

Open liorj-orca opened this issue 2 years ago • 4 comments

The following PR should solve the case where you have an error in os.stat during the scan, causing for a panic error runtime that will break the scan, I ran into this when I scanned a directory which contained a soft link and the original file of that soft link was already removed, and got the following error/stacktrace:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x1b3f4e8]

goroutine 1 [running]:
github.com/Checkmarx/kics/pkg/analyzer.isConfigFile({0x4000c94720, 0xc}, {0x3bd67b0, 0x1, 0xc?})
	/app/pkg/analyzer/analyzer.go:602 +0xe8
github.com/Checkmarx/kics/pkg/analyzer.Analyze.func1({0x4000c94720, 0xc}, {0x4000c055c0?, 0x0?}, {0x0?, 0x0?})
	/app/pkg/analyzer/analyzer.go:285 +0x218
path/filepath.walk({0x4000c94720, 0xc}, {0x275b8a0, 0x4000c055c0}, 0x4000c2f530)
	/usr/local/go/src/path/filepath/path.go:480 +0xc8
path/filepath.walk({0x4000c94538, 0x6}, {0x275b8a0, 0x4000c05380}, 0x4000c2f530)
	/usr/local/go/src/path/filepath/path.go:504 +0x1d4
path/filepath.Walk({0x4000c94538, 0x6}, 0x4000c2f530)
	/usr/local/go/src/path/filepath/path.go:571 +0x6c
github.com/Checkmarx/kics/pkg/analyzer.Analyze(0x4000c2f870)
	/app/pkg/analyzer/analyzer.go:273 +0x204
github.com/Checkmarx/kics/pkg/scan.analyzePaths(0x4000c2f870)
	/app/pkg/scan/utils.go:185 +0x64
github.com/Checkmarx/kics/pkg/scan.(*Client).prepareAndAnalyzePaths(0x40003ac410, {0x2753f10, 0x4000054030})
	/app/pkg/scan/utils.go:62 +0x29c
github.com/Checkmarx/kics/pkg/scan.(*Client).initScan(0x40003ac410, {0x2753f10, 0x4000054030})
	/app/pkg/scan/scan.go:47 +0xd4
github.com/Checkmarx/kics/pkg/scan.(*Client).executeScan(0x40003ac410, {0x2753f10, 0x4000054030})
	/app/pkg/scan/scan.go:125 +0x2c
github.com/Checkmarx/kics/pkg/scan.(*Client).PerformScan(0x40003ac410, {0x2753f10, 0x4000054030})
	/app/pkg/scan/client.go:86 +0x74
github.com/Checkmarx/kics/internal/console.executeScan(0x2100000?)
	/app/internal/console/scan.go:163 +0x108
github.com/Checkmarx/kics/internal/console.run(0x0?)
	/app/internal/console/scan.go:98 +0x1d0
github.com/Checkmarx/kics/internal/console.NewScanCmd.func2(0x400055c600?, {0x20f236f?, 0x4?, 0x4?})
	/app/internal/console/scan.go:43 +0x1c
github.com/spf13/cobra.(*Command).execute(0x400055c600, {0x400004f380, 0x4, 0x4})
	/go/pkg/mod/github.com/spf13/[email protected]/command.go:916 +0x5c4
github.com/spf13/cobra.(*Command).ExecuteC(0x400055c300)
	/go/pkg/mod/github.com/spf13/[email protected]/command.go:1044 +0x340
github.com/spf13/cobra.(*Command).Execute(...)
	/go/pkg/mod/github.com/spf13/[email protected]/command.go:968
github.com/spf13/cobra.(*Command).ExecuteContext(...)
	/go/pkg/mod/github.com/spf13/[email protected]/command.go:961
github.com/Checkmarx/kics/internal/console.Execute()
	/app/internal/console/kics.go:90 +0xac
main.main()
	/app/cmd/console/main.go:12 +0x1c

I submit this contribution under the Apache-2.0 license.

liorj-orca avatar Jul 02 '23 14:07 liorj-orca

Thanks @liorj-orca .

Sounds like a more generic fix instead of #6452 ?

kaplanlior avatar Jul 03 '23 06:07 kaplanlior

Hello @liorj-orca! I saw that you closed and reopened this issue, could you please send us the error that is showing to you and the sample file?

About your solution:

  • isDeadSymlink should flag dead symlinks to ignore them and the first stack trace should not be appearing (that's why I asked you for the latest)
  • Can this solution ignore more files than it should since it is very "generic"?
  • If you scan a dead symlink (needs to be in folderA1/folderA2/deadsymlink), this solution puts its path twice in excludedPaths.

Could you please give me your opinion about this?

Best regards, Henrique Alvelos

cx-henriqueAlvelos avatar Jul 04 '23 11:07 cx-henriqueAlvelos

The previous fix was focused on broken symlinks, in this case we extend it to any stat error, and it should save future complaints. Example can be a file which we don't have read permissions for or other file types which aren't regular files.

We'll have to review the code, but it might make the previous fix redundant.

kaplanlior avatar Jul 04 '23 11:07 kaplanlior

Yes, I agree with you in terms of redundant code. However, I tested it with a file without read permissions and KICS already catches this problem in this line . I did not test any more files.

So, is there any errors that os.ReadFile() doesn't catch and os.Stat() does? If yes, then I totally agree with this solution (after refactoring previous one) and if not, I don't think that this solution would be necessary.

cx-henriqueAlvelos avatar Jul 04 '23 14:07 cx-henriqueAlvelos