Describe the bug
scorecard fails with the following error message when run on this specific GitHub repository:
❯ GITHUB_AUTH_TOKEN=$GITHUB_ACCESS_TOKEN go run main.go --show-details --repo=https://github.com/parcel-bundler/parcel --checks=Vulnerabilities
Starting [Vulnerabilities]
Finished [Vulnerabilities]
RESULTS
-------
Aggregate score: ?
Check scores:
|-------|-----------------|---------------------------------------------------|---------|----------------------------------------------------------------------------|
| SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION |
|-------|-----------------|---------------------------------------------------|---------|----------------------------------------------------------------------------|
| ? | Vulnerabilities | internal error: | | https://github.com/ossf/scorecard/blob/main/docs/checks.md#vulnerabilities |
| | | vulnerabilitiesClient.ListUnfixedVulnerabilities: | | |
| | | internal error: osv-scanner panic: runtime error: | | |
| | | invalid memory address or nil pointer dereference | | |
|-------|-----------------|---------------------------------------------------|---------|----------------------------------------------------------------------------|
Error: check runtime error: Vulnerabilities: internal error: vulnerabilitiesClient.ListUnfixedVulnerabilities: internal error: osv-scanner panic: runtime error: invalid memory address or nil pointer dereference
2023/05/03 17:18:55 error during command execution: check runtime error: Vulnerabilities: internal error: vulnerabilitiesClient.ListUnfixedVulnerabilities: internal error: osv-scanner panic: runtime error: invalid memory address or nil pointer dereference
exit status 1
Reproduction steps
Steps to reproduce the behavior:
- git clone this repo. I used commit d4624f7fa4f524f8da4f14ce3f5f309323f5feba for this report. However, it's worth noting that the error was also present with release 4.10.5 (in which case, there is no valid output, just a SIGSEGV with an exit status 2).
- Run GITHUB_AUTH_TOKEN=$GITHUB_ACCESS_TOKEN go run main.go --show-details --repo=https://github.com/parcel-bundler/parcel --checks=Vulnerabilities with a valid GitHub access token.
- The run fails after a few seconds. The error also happens when running all checks, but is limited to this same Vulnerabilities check. Removing --show-details from the command changes nothing.
I've been able to reproduce consistently with this repo, but no other ones. There is nothing immediately obvious (to me) in that repo that would explain the error.
Expected behavior
The tool(s) should not panic 😱
Additional context
It looks like the actual bug might be in osv-scanner, but I'm not sure whether that's the case or if it's the way scorecard runs it that is the problem. I have not tested osv-scanner separately to verify. I have not seen any obviously related bug in their repo though.
I've also tried running the Docker and standalone release versions 4.10.4 and 4.10.5; all fail.
I'm running Debian/Linux, with go version go1.19.8 linux/amd64.