Trivy is crashing with "panic: runtime error: invalid memory address or nil pointer dereference" when scanning for HIGH/CRIT vulnerabilities #8537

gregory-hive · 2025-03-12T11:10:42Z

gregory-hive
Mar 12, 2025

Description

One of my builds with Trivy scans has started to crash with:
panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x58 pc=0x3c77dbb] .
When it is run with "--severity HIGH,CRITICAL" flag, while the previous step with "--severity LOW,MEDIUM" works just fine.

There were no change in the application code/dependencies list, it crashes with the same error even for the build which successfully passed last week (latest success on the 7th of March)

Desired Behavior

Successful scan

Actual Behavior

Runtime error

Reproduction Steps

mkdir $(Agent.WorkFolder)/trivy
    echo '-------------------------------------------------------------'
    # create the trivy configuration file
    cat > $(Agent.WorkFolder)/trivy/trivy.yml <<EOF
    timeout: ${{ parameters.timeout }}
    exit-code: 1
    ignorefile: /root/trivy/trivyignore
    vulnerability:
      ignore-unfixed: true
    server:
      addr: $(trivyURL)
      token: $(trivy-token)
    db:
      repository:
      - registry.azurecr.io/aquasec/trivy-db:2
      java-repository:
      - registry.azurecr.io/aquasec/trivy-java-db:1
    registry:
      username: []
      password: []
    EOF
    echo 'Trivy configuration:'
    cat $(Agent.WorkFolder)/trivy/trivy.yml
    echo '-------------------------------------------------------------'
    # create the trivyignore file
    cat > $(Agent.WorkFolder)/trivy/trivyignore <<EOF
    # Ignore the following vulnerabilities
    # eg. CVE-2019-1234
    EOF
    echo 'Ignored vulnerabilities:'
    cat $(Agent.WorkFolder)/trivy/trivyignore

 docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
                    -v /run/containerd/containerd.sock:/run/containerd/containerd.sock \
                    -v $(Agent.WorkFolder)/trivy-cache:/root/.cache/trivy \
                    -v $(Agent.WorkFolder)/trivy:/root/trivy \
                    registry.azurecr.io/aquasec/trivy:latest \
                    --config /root/trivy/trivy.yml image \
                    --severity LOW,MEDIUM --debug \
                    registry.azurecr.io/${{ parameters.image }}


 docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
                    -v /run/containerd/containerd.sock:/run/containerd/containerd.sock \
                    -v $(Agent.WorkFolder)/trivy-cache:/root/.cache/trivy \
                    -v $(Agent.WorkFolder)/trivy:/root/trivy \
                    registry.azurecr.io/aquasec/trivy:latest \
                    --config /root/trivy/trivy.yml image \
                    --severity HIGH,CRITICAL --debug \
                    registry.azurecr.io/${{ parameters.image }}

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

Failed for HIGH,CRITICAL

2025-03-12T10:46:29.9808285Z ##[section]Starting: Scan the new image for high/critical level vulnerabilities
2025-03-12T10:46:29.9814022Z ==============================================================================
2025-03-12T10:46:29.9814449Z Task         : Command line
2025-03-12T10:46:29.9814825Z Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
2025-03-12T10:46:29.9815111Z Version      : 2.250.1
2025-03-12T10:46:29.9815312Z Author       : Microsoft Corporation
2025-03-12T10:46:29.9815534Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
2025-03-12T10:46:29.9815804Z ==============================================================================
2025-03-12T10:46:30.1436993Z Generating script.
2025-03-12T10:46:30.1446030Z ========================== Starting Command Output ===========================
2025-03-12T10:46:30.1462881Z [command]/usr/bin/bash --noprofile --norc /home/vsts/work/_temp/39432a4c-bb7b-42ef-a7cb-5e78b8080f48.sh
2025-03-12T10:46:30.4518226Z 2025-03-12T10:46:30Z	DEBUG	No plugins loaded
2025-03-12T10:46:30.4533478Z 2025-03-12T10:46:30Z	INFO	Loaded	file_path="/root/trivy/trivy.yml"
2025-03-12T10:46:30.4535732Z 2025-03-12T10:46:30Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2025-03-12T10:46:30.4537675Z 2025-03-12T10:46:30Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2025-03-12T10:46:30.4578695Z 2025-03-12T10:46:30Z	DEBUG	Parsed severities	severities=[HIGH CRITICAL]
2025-03-12T10:46:30.4592556Z 2025-03-12T10:46:30Z	DEBUG	Ignore statuses	statuses=[0 1 2 4 5 6 7]
2025-03-12T10:46:30.4600043Z 2025-03-12T10:46:30Z	WARN	Trivy runs in client/server mode, but misconfiguration and license scanning will be done on the client side, see https://trivy.dev/v0.60/docs/references/modes/client-server
2025-03-12T10:46:30.4601002Z 2025-03-12T10:46:30Z	DEBUG	[pkg] Package types	types=[os library]
2025-03-12T10:46:30.4601808Z 2025-03-12T10:46:30Z	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-03-12T10:46:30.4602557Z 2025-03-12T10:46:30Z	INFO	[vuln] Vulnerability scanning is enabled
2025-03-12T10:46:30.4603256Z 2025-03-12T10:46:30Z	INFO	[secret] Secret scanning is enabled
2025-03-12T10:46:30.4604009Z 2025-03-12T10:46:30Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-03-12T10:46:30.4604878Z 2025-03-12T10:46:30Z	INFO	[secret] Please see also https://trivy.dev/v0.60/docs/scanner/secret#recommendation for faster secret detection
2025-03-12T10:46:30.4631765Z 2025-03-12T10:46:30Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-03-12T10:46:30.4644352Z 2025-03-12T10:46:30Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-03-12T10:46:30.4650092Z 2025-03-12T10:46:30Z	DEBUG	[image] Detected image ID	image_id="sha256:5a8e8907b3d28d833267717eab9ee6fe9d1f09ec3b4c4f1a912747debbd9f984"
2025-03-12T10:46:30.4653215Z 2025-03-12T10:46:30Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350 sha256:5b1aa58ce9820569832ed06c96c801c8a1f3fecf7a5bb4b094ad3839b257208a sha256:d5fa9fb24593bda290d7bb231c54ee1193c8e1fe7e4ec15e83f18a893b79911d sha256:224bd9b34beb2d16087ba8f5f3c2128962018458211b76432219d06effc98e05 sha256:6aff5d0c0bc3d604dda98ed280eab2dcf76499cc0000a937b78c16b4393cc555 sha256:a899d767a14e35604a05bd3a7d7890db65c5f3ed577af44d6780dc8774ae1eec sha256:da9b1395b147dfd7c3e7bea93a0939864f9bb7534a0372bb8c5f8a0fdfc6b2a3 sha256:66c6ec65e2304279dab4f21ae118410f2efb93b9ccaef549cef73e4425407166 sha256:6c99f5e0f34611ab2ba7d13196e294d322b462630d25aff78f9ccbee7e41cdd5 sha256:ef0e27345b7e18cbccf540ea151f860c79c8538f8986bbb2c2a7dda8b2e132d6 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2025-03-12T10:46:30.4656307Z 2025-03-12T10:46:30Z	DEBUG	[image] Detected base layers	diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350 sha256:5b1aa58ce9820569832ed06c96c801c8a1f3fecf7a5bb4b094ad3839b257208a sha256:d5fa9fb24593bda290d7bb231c54ee1193c8e1fe7e4ec15e83f18a893b79911d sha256:224bd9b34beb2d16087ba8f5f3c2128962018458211b76432219d06effc98e05]
2025-03-12T10:46:30.6671489Z 2025-03-12T10:46:30Z	DEBUG	Found an ignore file	file_path="/root/trivy/trivyignore"
2025-03-12T10:46:30.6673237Z 2025-03-12T10:46:30Z	DEBUG	[vex] VEX filtering is disabled
2025-03-12T10:46:30.6691756Z panic: runtime error: invalid memory address or nil pointer dereference
2025-03-12T10:46:30.6692755Z [signal SIGSEGV: segmentation violation code=0x1 addr=0x58 pc=0x3c77dbb]
2025-03-12T10:46:30.6696639Z 
2025-03-12T10:46:30.6699346Z goroutine 1 [running]:
2025-03-12T10:46:30.6702681Z github.com/aquasecurity/trivy/pkg/report/table.splitAggregatedVulns({{0xc0013c9c87, 0x7}, {0xc0013c9ce0, 0x9}, {0xc0013c9cc8, 0x8}, {0x0, 0x0, 0x0}, {0xc000a97d40, ...}, ...})
2025-03-12T10:46:30.6703519Z 	/home/runner/work/trivy/trivy/pkg/report/table/summary.go:266 +0x33b
2025-03-12T10:46:30.6704079Z github.com/aquasecurity/trivy/pkg/report/table.splitAggregatedPackages({0xc001427340?, 0xc00147e9c0?, 0x52b1900?})
2025-03-12T10:46:30.6704608Z 	/home/runner/work/trivy/trivy/pkg/report/table/summary.go:247 +0x33b
2025-03-12T10:46:30.6705204Z github.com/aquasecurity/trivy/pkg/report/table.(*summaryRenderer).Render(_, {0x2, {0xc1ec7761a7b75722, 0x11340b6b, 0x9355de0}, {0x7ffc18337f23, 0x5c}, {0x519b70e, 0xf}, {0x0, ...}, ...})
2025-03-12T10:46:30.6705828Z 	/home/runner/work/trivy/trivy/pkg/report/table/summary.go:174 +0x3fb
2025-03-12T10:46:30.6706364Z github.com/aquasecurity/trivy/pkg/report/table.(*Writer).Write(_, {_, _}, {0x2, {0xc1ec7761a7b75722, 0x11340b6b, 0x9355de0}, {0x7ffc18337f23, 0x5c}, {0x519b70e, ...}, ...})
2025-03-12T10:46:30.6706909Z 	/home/runner/work/trivy/trivy/pkg/report/table/table.go:94 +0xfa
2025-03-12T10:46:30.6707439Z github.com/aquasecurity/trivy/pkg/report.Write({_, _}, {0x2, {0xc1ec7761a7b75722, 0x11340b6b, 0x9355de0}, {0x7ffc18337f23, 0x5c}, {0x519b70e, 0xf}, ...}, ...)
2025-03-12T10:46:30.6712113Z 	/home/runner/work/trivy/trivy/pkg/report/writer.go:105 +0x9a6
2025-03-12T10:46:30.6714828Z github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).Report(_, {_, _}, {{{0x7ffc18337ee6, 0x15}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
2025-03-12T10:46:30.6715402Z 	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:276 +0x92
2025-03-12T10:46:30.6715958Z github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x7ffc18337ee6, 0x15}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0xc0005ee1c8, ...}, ...}, ...}, ...)
2025-03-12T10:46:30.6716704Z 	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:410 +0xc6e
2025-03-12T10:46:30.6720566Z github.com/aquasecurity/trivy/pkg/commands.NewImageCommand.func2(0xc000a10608, {0xc000e4dda0?, 0x1?, 0x6?})
2025-03-12T10:46:30.6721713Z 	/home/runner/work/trivy/trivy/pkg/commands/app.go:324 +0x11f
2025-03-12T10:46:30.6723753Z github.com/spf13/cobra.(*Command).execute(0xc000a10608, {0xc000e4dd40, 0x6, 0x6})
2025-03-12T10:46:30.6724284Z 	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1015 +0xa94
2025-03-12T10:46:30.6724745Z github.com/spf13/cobra.(*Command).ExecuteC(0xc000a10308)
2025-03-12T10:46:30.6725168Z 	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1148 +0x40c
2025-03-12T10:46:30.6725608Z github.com/spf13/cobra.(*Command).Execute(0x51bbeaf?)
2025-03-12T10:46:30.6726044Z 	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1071 +0x13
2025-03-12T10:46:30.6732888Z main.run()
2025-03-12T10:46:30.6734064Z 	/home/runner/work/trivy/trivy/cmd/trivy/main.go:45 +0x113
2025-03-12T10:46:30.6738390Z main.main()
2025-03-12T10:46:30.6741470Z 	/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f
2025-03-12T10:46:30.7461615Z ##[error]There is a High/Critical vulnerability in your Docker image
2025-03-12T10:46:30.7469811Z 
2025-03-12T10:46:30.7493628Z ##[error]Bash exited with code '1'.
2025-03-12T10:46:30.7531910Z ##[section]Finishing: Scan the new image for high/critical level vulnerabilities

Success for LOW,MEDIUM

2025-03-12T10:45:11.4142764Z ##[section]Starting: Scan the new image for low/medium level vulnerabilities
2025-03-12T10:45:11.4148156Z ==============================================================================
2025-03-12T10:45:11.4148467Z Task         : Command line
2025-03-12T10:45:11.4148647Z Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
2025-03-12T10:45:11.4148895Z Version      : 2.250.1
2025-03-12T10:45:11.4149053Z Author       : Microsoft Corporation
2025-03-12T10:45:11.4149206Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
2025-03-12T10:45:11.4149404Z ==============================================================================
2025-03-12T10:45:11.5653739Z Generating script.
2025-03-12T10:45:11.5665930Z ========================== Starting Command Output ===========================
2025-03-12T10:45:11.5681945Z [command]/usr/bin/bash --noprofile --norc /home/vsts/work/_temp/9b3f1e11-5766-4e6b-bbbc-695bd0cf2659.sh
2025-03-12T10:45:11.5905399Z Unable to find image 'registry.azurecr.io/aquasec/trivy:latest' locally
2025-03-12T10:45:12.5791013Z latest: Pulling from aquasec/trivy
2025-03-12T10:45:12.8091144Z f18232174bc9: Already exists
2025-03-12T10:45:12.8113840Z 132d99fdd67c: Pulling fs layer
2025-03-12T10:45:12.8118556Z 687aac105e95: Pulling fs layer
2025-03-12T10:45:12.8119482Z 5c11dbe27100: Pulling fs layer
2025-03-12T10:45:12.9901779Z 5c11dbe27100: Download complete
2025-03-12T10:45:13.0386777Z 132d99fdd67c: Verifying Checksum
2025-03-12T10:45:13.0388669Z 132d99fdd67c: Download complete
2025-03-12T10:45:13.3691223Z 687aac105e95: Verifying Checksum
2025-03-12T10:45:13.3692673Z 687aac105e95: Download complete
2025-03-12T10:45:13.4766714Z 132d99fdd67c: Pull complete
2025-03-12T10:45:14.9594041Z 687aac105e95: Pull complete
2025-03-12T10:45:14.9729138Z 5c11dbe27100: Pull complete
2025-03-12T10:45:14.9772698Z Digest: sha256:91c3a842834563a6860dbaec5af7c1949df5caf988f9632ef5cbb0a5cd59d8f8
2025-03-12T10:45:14.9790145Z Status: Downloaded newer image for registry.azurecr.io/aquasec/trivy:latest
2025-03-12T10:45:15.2761509Z 2025-03-12T10:45:15Z	DEBUG	No plugins loaded
2025-03-12T10:45:15.2762371Z 2025-03-12T10:45:15Z	INFO	Loaded	file_path="/root/trivy/trivy.yml"
2025-03-12T10:45:15.2762922Z 2025-03-12T10:45:15Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2025-03-12T10:45:15.2763429Z 2025-03-12T10:45:15Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2025-03-12T10:45:15.2825603Z 2025-03-12T10:45:15Z	DEBUG	Parsed severities	severities=[LOW MEDIUM]
2025-03-12T10:45:15.2830735Z 2025-03-12T10:45:15Z	DEBUG	Ignore statuses	statuses=[0 1 2 4 5 6 7]
2025-03-12T10:45:15.2832636Z 2025-03-12T10:45:15Z	WARN	Trivy runs in client/server mode, but misconfiguration and license scanning will be done on the client side, see https://trivy.dev/v0.60/docs/references/modes/client-server
2025-03-12T10:45:15.2834012Z 2025-03-12T10:45:15Z	DEBUG	[pkg] Package types	types=[os library]
2025-03-12T10:45:15.2834832Z 2025-03-12T10:45:15Z	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-03-12T10:45:15.2835544Z 2025-03-12T10:45:15Z	INFO	[vuln] Vulnerability scanning is enabled
2025-03-12T10:45:15.2836011Z 2025-03-12T10:45:15Z	INFO	[secret] Secret scanning is enabled
2025-03-12T10:45:15.2836640Z 2025-03-12T10:45:15Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-03-12T10:45:15.2837364Z 2025-03-12T10:45:15Z	INFO	[secret] Please see also https://trivy.dev/v0.60/docs/scanner/secret#recommendation for faster secret detection
2025-03-12T10:45:15.2873473Z 2025-03-12T10:45:15Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-03-12T10:45:15.2882407Z 2025-03-12T10:45:15Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-03-12T10:45:15.2883516Z 2025-03-12T10:45:15Z	DEBUG	[image] Detected image ID	image_id="sha256:5a8e8907b3d28d833267717eab9ee6fe9d1f09ec3b4c4f1a912747debbd9f984"
2025-03-12T10:45:15.2886060Z 2025-03-12T10:45:15Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350 sha256:5b1aa58ce9820569832ed06c96c801c8a1f3fecf7a5bb4b094ad3839b257208a sha256:d5fa9fb24593bda290d7bb231c54ee1193c8e1fe7e4ec15e83f18a893b79911d sha256:224bd9b34beb2d16087ba8f5f3c2128962018458211b76432219d06effc98e05 sha256:6aff5d0c0bc3d604dda98ed280eab2dcf76499cc0000a937b78c16b4393cc555 sha256:a899d767a14e35604a05bd3a7d7890db65c5f3ed577af44d6780dc8774ae1eec sha256:da9b1395b147dfd7c3e7bea93a0939864f9bb7534a0372bb8c5f8a0fdfc6b2a3 sha256:66c6ec65e2304279dab4f21ae118410f2efb93b9ccaef549cef73e4425407166 sha256:6c99f5e0f34611ab2ba7d13196e294d322b462630d25aff78f9ccbee7e41cdd5 sha256:ef0e27345b7e18cbccf540ea151f860c79c8538f8986bbb2c2a7dda8b2e132d6 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2025-03-12T10:45:15.2888628Z 2025-03-12T10:45:15Z	DEBUG	[image] Detected base layers	diff_ids=[sha256:08000c18d16dadf9553d747a58cf44023423a9ab010aab96cf263d2216b8b350 sha256:5b1aa58ce9820569832ed06c96c801c8a1f3fecf7a5bb4b094ad3839b257208a sha256:d5fa9fb24593bda290d7bb231c54ee1193c8e1fe7e4ec15e83f18a893b79911d sha256:224bd9b34beb2d16087ba8f5f3c2128962018458211b76432219d06effc98e05]
2025-03-12T10:45:15.3429114Z 2025-03-12T10:45:15Z	DEBUG	[image] Missing image ID in cache	image_id="sha256:5a8e8907b3d28d833267717eab9ee6fe9d1f09ec3b4c4f1a912747debbd9f984"
2025-03-12T10:45:15.3430932Z 2025-03-12T10:45:15Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:a899d767a14e35604a05bd3a7d7890db65c5f3ed577af44d6780dc8774ae1eec"
2025-03-12T10:45:15.3431916Z 2025-03-12T10:45:15Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:6aff5d0c0bc3d604dda98ed280eab2dcf76499cc0000a937b78c16b4393cc555"
2025-03-12T10:45:15.3435991Z 2025-03-12T10:45:15Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:6c99f5e0f34611ab2ba7d13196e294d322b462630d25aff78f9ccbee7e41cdd5"
2025-03-12T10:45:15.3437020Z 2025-03-12T10:45:15Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:da9b1395b147dfd7c3e7bea93a0939864f9bb7534a0372bb8c5f8a0fdfc6b2a3"
2025-03-12T10:45:15.3437976Z 2025-03-12T10:45:15Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:66c6ec65e2304279dab4f21ae118410f2efb93b9ccaef549cef73e4425407166"
2025-03-12T10:46:25.9364000Z 2025-03-12T10:46:25Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:ef0e27345b7e18cbccf540ea151f860c79c8538f8986bbb2c2a7dda8b2e132d6"
2025-03-12T10:46:25.9384119Z 2025-03-12T10:46:25Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/ajax/package.json: failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/ajax/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.0631849Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/webSocket/package.json: failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/webSocket/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.0671873Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics-cli/blank/project-files/package.json: failed to parse app/node_modules/@angular-devkit/schematics-cli/blank/project-files/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.2849425Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics-cli/schematic/files/package.json: failed to parse app/node_modules/@angular-devkit/schematics-cli/schematic/files/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.2853283Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/ajax/package.json: failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/ajax/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.2854623Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/fetch/package.json: failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/fetch/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.2856214Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/operators/package.json: failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/operators/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.2857367Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/testing/package.json: failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.3762259Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/fetch/package.json: failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/fetch/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.3763784Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/operators/package.json: failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/operators/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.4152779Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/tasks/package.json: failed to parse app/node_modules/@angular-devkit/schematics/tasks/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.4159774Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/testing/package.json: failed to parse app/node_modules/@angular-devkit/schematics/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.4175495Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/testing/package.json: failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.4176986Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/tools/package.json: failed to parse app/node_modules/@angular-devkit/schematics/tools/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.4186744Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/webSocket/package.json: failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/webSocket/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.4711605Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/errors/package.json: failed to parse app/node_modules/@apollo/server/errors/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.4712942Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/express4/package.json: failed to parse app/node_modules/@apollo/server/express4/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.5731490Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/cacheControl/package.json: failed to parse app/node_modules/@apollo/server/plugin/cacheControl/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.5740761Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/disableSuggestions/package.json: failed to parse app/node_modules/@apollo/server/plugin/disableSuggestions/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.5757014Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/disabled/package.json: failed to parse app/node_modules/@apollo/server/plugin/disabled/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.5764376Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/drainHttpServer/package.json: failed to parse app/node_modules/@apollo/server/plugin/drainHttpServer/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.5773261Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/inlineTrace/package.json: failed to parse app/node_modules/@apollo/server/plugin/inlineTrace/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.5895588Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/schemaReporting/package.json: failed to parse app/node_modules/@apollo/server/plugin/schemaReporting/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.5909640Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/subscriptionCallback/package.json: failed to parse app/node_modules/@apollo/server/plugin/subscriptionCallback/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.5919701Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/usageReporting/package.json: failed to parse app/node_modules/@apollo/server/plugin/usageReporting/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.5925779Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/standalone/package.json: failed to parse app/node_modules/@apollo/server/standalone/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:26.6030968Z 2025-03-12T10:46:26Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/landingPage/default/package.json: failed to parse app/node_modules/@apollo/server/plugin/landingPage/default/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.0836824Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/ajax/package.json: failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/ajax/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.1927108Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/testing/package.json: failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.2304099Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/webSocket/package.json: failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/webSocket/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.2306792Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/fetch/package.json: failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/fetch/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.2308123Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/operators/package.json: failed to parse app/node_modules/@angular-devkit/core/node_modules/rxjs/operators/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.2330630Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics-cli/blank/project-files/package.json: failed to parse app/node_modules/@angular-devkit/schematics-cli/blank/project-files/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.2370713Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics-cli/schematic/files/package.json: failed to parse app/node_modules/@angular-devkit/schematics-cli/schematic/files/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.2454456Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/ajax/package.json: failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/ajax/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3102347Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/testing/package.json: failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3104099Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/webSocket/package.json: failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/webSocket/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3139725Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/tasks/package.json: failed to parse app/node_modules/@angular-devkit/schematics/tasks/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3141062Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/testing/package.json: failed to parse app/node_modules/@angular-devkit/schematics/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3149551Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/tools/package.json: failed to parse app/node_modules/@angular-devkit/schematics/tools/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3151530Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/fetch/package.json: failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/fetch/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3153301Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/operators/package.json: failed to parse app/node_modules/@angular-devkit/schematics/node_modules/rxjs/operators/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3682298Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/errors/package.json: failed to parse app/node_modules/@apollo/server/errors/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3738379Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/cacheControl/package.json: failed to parse app/node_modules/@apollo/server/plugin/cacheControl/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3740317Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/disableSuggestions/package.json: failed to parse app/node_modules/@apollo/server/plugin/disableSuggestions/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3741875Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/disabled/package.json: failed to parse app/node_modules/@apollo/server/plugin/disabled/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3750386Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/drainHttpServer/package.json: failed to parse app/node_modules/@apollo/server/plugin/drainHttpServer/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3751517Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/inlineTrace/package.json: failed to parse app/node_modules/@apollo/server/plugin/inlineTrace/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3752565Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/landingPage/default/package.json: failed to parse app/node_modules/@apollo/server/plugin/landingPage/default/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3753806Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/schemaReporting/package.json: failed to parse app/node_modules/@apollo/server/plugin/schemaReporting/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3756230Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/subscriptionCallback/package.json: failed to parse app/node_modules/@apollo/server/plugin/subscriptionCallback/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3772166Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/plugin/usageReporting/package.json: failed to parse app/node_modules/@apollo/server/plugin/usageReporting/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3775293Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/standalone/package.json: failed to parse app/node_modules/@apollo/server/standalone/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.3814422Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@apollo/server/express4/package.json: failed to parse app/node_modules/@apollo/server/express4/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.5515729Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/dist/lib/application/files/js/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/dist/lib/application/files/js/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.5577267Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/dist/lib/application/files/ts/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/dist/lib/application/files/ts/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.5680629Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tasks/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tasks/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.5693351Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/testing/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.5739071Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tools/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tools/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.5955678Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/ajax/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/ajax/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.6777014Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/webSocket/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/webSocket/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.6790732Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/fetch/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/fetch/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.6792167Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/operators/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/operators/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.6793187Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/testing/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.7552981Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/dist/lib/application/files/js/package.json: failed to parse app/node_modules/@nestjs/schematics/dist/lib/application/files/js/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.7648790Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/dist/lib/application/files/ts/package.json: failed to parse app/node_modules/@nestjs/schematics/dist/lib/application/files/ts/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.8372118Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tasks/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tasks/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.8390078Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/testing/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.8393339Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tools/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tools/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.8498021Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/ajax/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/ajax/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.8867993Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/webSocket/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/webSocket/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.8901696Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/fetch/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/fetch/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.8903158Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/operators/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/operators/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.8909574Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/testing/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.9307396Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/dist/lib/application/files/ts/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/dist/lib/application/files/ts/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.9365270Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tasks/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tasks/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.9368518Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/testing/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.9399770Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tools/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tools/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.9471248Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/dist/lib/application/files/js/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/@nestjs/schematics/dist/lib/application/files/js/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.9656269Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/ajax/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/ajax/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.9961920Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/fetch/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/fetch/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:27.9964059Z 2025-03-12T10:46:27Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/operators/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/operators/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.0212548Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/testing/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.0214407Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/webSocket/package.json: failed to parse app/node_modules/@nestjs/cli/node_modules/rxjs/webSocket/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.0556324Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tasks/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tasks/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.0567033Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/testing/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.0574004Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/dist/lib/application/files/js/package.json: failed to parse app/node_modules/@nestjs/schematics/dist/lib/application/files/js/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.0576341Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/dist/lib/application/files/ts/package.json: failed to parse app/node_modules/@nestjs/schematics/dist/lib/application/files/ts/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.0589338Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tools/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/@angular-devkit/schematics/tools/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.0727186Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/ajax/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/ajax/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.1142139Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/fetch/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/fetch/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.1144355Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/operators/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/operators/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.1389918Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/testing/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.1392418Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/webSocket/package.json: failed to parse app/node_modules/@nestjs/schematics/node_modules/rxjs/webSocket/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.7118574Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/build/package.json: failed to parse app/node_modules/libphonenumber-js/build/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.7175481Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/core/package.json: failed to parse app/node_modules/libphonenumber-js/core/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.7200493Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/mobile/examples/package.json: failed to parse app/node_modules/libphonenumber-js/mobile/examples/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.7214634Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/mobile/metadata/package.json: failed to parse app/node_modules/libphonenumber-js/mobile/metadata/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.7217317Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/mobile/package.json: failed to parse app/node_modules/libphonenumber-js/mobile/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.7377259Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/max/metadata/package.json: failed to parse app/node_modules/libphonenumber-js/max/metadata/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.7398716Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/max/package.json: failed to parse app/node_modules/libphonenumber-js/max/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.7403363Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/min/metadata/package.json: failed to parse app/node_modules/libphonenumber-js/min/metadata/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.7404742Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/min/package.json: failed to parse app/node_modules/libphonenumber-js/min/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.8280195Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/rxjs/ajax/package.json: failed to parse app/node_modules/rxjs/ajax/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.8587214Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/rxjs/webSocket/package.json: failed to parse app/node_modules/rxjs/webSocket/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.8615322Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/rxjs/fetch/package.json: failed to parse app/node_modules/rxjs/fetch/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.8684174Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/rxjs/operators/package.json: failed to parse app/node_modules/rxjs/operators/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.8882407Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/rxjs/testing/package.json: failed to parse app/node_modules/rxjs/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.9866456Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/build/package.json: failed to parse app/node_modules/libphonenumber-js/build/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.9954357Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/max/metadata/package.json: failed to parse app/node_modules/libphonenumber-js/max/metadata/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.9989059Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/max/package.json: failed to parse app/node_modules/libphonenumber-js/max/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.9992567Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/min/metadata/package.json: failed to parse app/node_modules/libphonenumber-js/min/metadata/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:28.9993923Z 2025-03-12T10:46:28Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/min/package.json: failed to parse app/node_modules/libphonenumber-js/min/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:29.0016316Z 2025-03-12T10:46:29Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/mobile/examples/package.json: failed to parse app/node_modules/libphonenumber-js/mobile/examples/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:29.0019497Z 2025-03-12T10:46:29Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/mobile/metadata/package.json: failed to parse app/node_modules/libphonenumber-js/mobile/metadata/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:29.0026133Z 2025-03-12T10:46:29Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/mobile/package.json: failed to parse app/node_modules/libphonenumber-js/mobile/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:29.0096029Z 2025-03-12T10:46:29Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/libphonenumber-js/core/package.json: failed to parse app/node_modules/libphonenumber-js/core/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:29.0910291Z 2025-03-12T10:46:29Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/rxjs/ajax/package.json: failed to parse app/node_modules/rxjs/ajax/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:29.1283506Z 2025-03-12T10:46:29Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/rxjs/fetch/package.json: failed to parse app/node_modules/rxjs/fetch/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:29.1286624Z 2025-03-12T10:46:29Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/rxjs/operators/package.json: failed to parse app/node_modules/rxjs/operators/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:29.1330752Z 2025-03-12T10:46:29Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/rxjs/testing/package.json: failed to parse app/node_modules/rxjs/testing/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:29.1335711Z 2025-03-12T10:46:29Z	DEBUG	[analyzer] Analysis error	err="failed to parse app/node_modules/rxjs/webSocket/package.json: failed to parse app/node_modules/rxjs/webSocket/package.json: Name can only contain URL-friendly characters"
2025-03-12T10:46:29.3200485Z 2025-03-12T10:46:29Z	DEBUG	No secrets found in container image config
2025-03-12T10:46:29.6716292Z 2025-03-12T10:46:29Z	DEBUG	Found an ignore file	file_path="/root/trivy/trivyignore"
2025-03-12T10:46:29.6717922Z 2025-03-12T10:46:29Z	DEBUG	[vex] VEX filtering is disabled
2025-03-12T10:46:29.6751286Z 
2025-03-12T10:46:29.6752857Z Report Summary
2025-03-12T10:46:29.6753068Z 
2025-03-12T10:46:29.6753970Z ┌──────────────────────────────────────────────────────────────────────────────────┬────────┬─────────────────┬─────────┐
2025-03-12T10:46:29.6754816Z │                                      Target                                      │  Type  │ Vulnerabilities │ Secrets │
2025-03-12T10:46:29.6755493Z ├──────────────────────────────────────────────────────────────────────────────────┼────────┼─────────────────┼─────────┤
2025-03-12T10:46:29.6756283Z │ ***/repo-for-scan/repo-for-scan:d5fe4e58733c3834f7ecb288b3e- │ alpine │        0        │    -    │
2025-03-12T10:46:29.6756883Z │ e3d5db23d1b61 (alpine 3.21.3)                                                    │        │                 │         │
2025-03-12T10:46:29.6757547Z └──────────────────────────────────────────────────────────────────────────────────┴────────┴─────────────────┴─────────┘
2025-03-12T10:46:29.6758071Z Legend:
2025-03-12T10:46:29.6758403Z - '-': Not scanned
2025-03-12T10:46:29.6758828Z - '0': Clean (no security findings detected)
2025-03-12T10:46:29.6759003Z 
2025-03-12T10:46:29.9717092Z 
2025-03-12T10:46:29.9781452Z ##[section]Finishing: Scan the new image for low/medium level vulnerabilities

Operating System

Ubuntu 22.04

Version

v0.60

Checklist

Run trivy clean --all
Read the troubleshooting

knqyf263 · 2025-03-12T11:50:06Z

knqyf263
Mar 12, 2025
Maintainer

@DmitriyLewen resultMap[pkgPath] seems nil.

trivy/pkg/report/table/summary.go

Line 266 in 67d95a9

    
           resultMap[pkgPath].Vulnerabilities = append(resultMap[pkgPath].Vulnerabilities, vuln)

7 replies

DmitriyLewen Mar 14, 2025
Maintainer

@knqyf263 I can't create a good PoC when the output contains vulnerabilities but doesn't contain packages.
But I think it's possible when Trivy is used as a library or a custom Trivy server is used.

Anyway - I think Trivy shouldn't panic in these cases. That's why I created #8549.
But I'm still not sure we need to fill tables from vulnerabilities for this case.

Take a look when you have time and let me know your opinion, please.

knqyf263 Mar 14, 2025
Maintainer

I think we can hold it until we replicate the error. Meanwhile, what if we just handle the non-existence key?

if r, ok resultMap[pkgPath]; ok {
    r.Vulnerabilities = append(r.Vulnerabilities, vuln)
}

or simply

if r := resultMap[pkgPath]; r != nil {
    r.Vulnerabilities = append(r.Vulnerabilities, vuln)
}

DmitriyLewen Mar 14, 2025
Maintainer

I thought about that, but in this case we will just skip aggregated packages in summary table.

I thought it would be better to show at least something

knqyf263 Apr 7, 2025
Maintainer

Then, what if displaying a warning message?

if r, ok resultMap[pkgPath]; !ok {
    r.logger.Warn("Package not found unexpectedly", log.String("package_path", pkgPath), log.String("vuln_id", vuln.ID)
} else {
    r.Vulnerabilities = append(r.Vulnerabilities, vuln)
}

DmitriyLewen Apr 7, 2025
Maintainer

I used your logic and updated a bit (to avoid case when we skip aggregated package) - #8549

take a look new tests - i showed questionable cases

DmitriyLewen · 2025-03-12T12:26:16Z

DmitriyLewen
Mar 12, 2025
Maintainer

Hello @gregory-hive
Thanks for your report!

Unfortunately, i can't reproduce your case.
Can you send image for that.

Also i see that you use client/server mode. Did you update Trivy server?

10 replies

DmitriyLewen Mar 18, 2025
Maintainer

Hello @gregory-hive
I installed SecureCodeBox last night and tried to reproduce the error, but I still couldn't.

Maybe you can make some test image so we can figure out what the error is?

gregory-hive Mar 21, 2025
Author

Hi @DmitriyLewen,
I've finally got a round to prepare a test image for the reproduction.

Steps to reproduce:

Start a self-hosted server, in our case it's installed with Helm as:

  - name: trivy
    version: 4.14.0
    repository: https://charts.securecodebox.io

Create trivy.yml with the following config:

timeout: 300s
exit-code: 1
vulnerability:
  ignore-unfixed: true
server:
  addr: <trivy_server_url>
  token: <token>
db:
  repository:
  - hivecacheregistry.azurecr.io/aquasec/trivy-db:2
  java-repository:
  - hivecacheregistry.azurecr.io/aquasec/trivy-java-db:1
registry:
  username: []
  password: []

Execute:
docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ -v "$(pwd):/app" \ -w /app \ aquasec/trivy:0.60.0 \ --config trivy.yml image grkhive33/trivy-crash:0.1

Note that the issue is not getting reproduced:
- when run with aquasec/trivy:0.59.1 image version
- when run without a self-hosted server

Hope this helps!

DmitriyLewen Mar 24, 2025
Maintainer

It doesn't help.
We need to get more info about server settings.

Your example works for me:

➜  ~ trivy -d  --config ./app/trivy.yml image grkhive33/trivy-crash:0.1
2025-03-24T12:40:29+06:00	INFO	Loaded	file_path="./app/trivy.yml"
2025-03-24T12:40:29+06:00	DEBUG	Cache dir	dir="/Users/dmitriy/Library/Caches/trivy"
2025-03-24T12:40:29+06:00	DEBUG	Cache dir	dir="/Users/dmitriy/Library/Caches/trivy"
2025-03-24T12:40:29+06:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-03-24T12:40:29+06:00	DEBUG	Ignore statuses	statuses=[0 1 2 4 5 6 7]
2025-03-24T12:40:29+06:00	WARN	Trivy runs in client/server mode, but misconfiguration and license scanning will be done on the client side, see https://trivy.dev/v0.60/docs/references/modes/client-server
2025-03-24T12:40:29+06:00	DEBUG	[pkg] Package types	types=[os library]
2025-03-24T12:40:29+06:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-03-24T12:40:29+06:00	INFO	[vuln] Vulnerability scanning is enabled
2025-03-24T12:40:29+06:00	INFO	[secret] Secret scanning is enabled
2025-03-24T12:40:29+06:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-03-24T12:40:29+06:00	INFO	[secret] Please see also https://trivy.dev/v0.60/docs/scanner/secret#recommendation for faster secret detection
2025-03-24T12:40:29+06:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-03-24T12:40:29+06:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-03-24T12:40:29+06:00	DEBUG	[image] Detected image ID	image_id="sha256:ceae8c3f7f87bc28e70ea0dc389f8d602d72dfcc7114f05e95bd3dbc15a811a8"
2025-03-24T12:40:29+06:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:a16e98724c05975ee8c40d8fe389c3481373d34ab20a1cf52ea2accc43f71f4c sha256:4922e3cc7ed009f6fe362467ac861ca6ff0c745e3ca828b53d6fb2779465d344 sha256:aefe42347b5ea2fd3f566995c67596a8ea3dd7c59c38382e9a2bb90b8e80f040 sha256:0a23b29b4e893d93c023520d4b6ba8e191732e0dc02b7ae56e62c35de47e764d sha256:6da8a753c777fe5ff0298e2f7a596f1a3f097c0432d6d6156f0f6c7ed08fcc8d sha256:f2dcbf045ed60642905f5033b52c56cfe4a732e8481b8bf9fd9cf8055ba2b81e sha256:b2d59af63d5f324415e90e14370816354c7da5afb05cd353015dda8382e2bd1f sha256:85d01a53bcacb3f424fdae980f92cbe56c261128ba48e80f6e0e3142b42a4b8c sha256:f3280257837952de25d3c32fe3e21624ad30c50edff6f6bf206f3ec53b17622b]
2025-03-24T12:40:29+06:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:a16e98724c05975ee8c40d8fe389c3481373d34ab20a1cf52ea2accc43f71f4c sha256:4922e3cc7ed009f6fe362467ac861ca6ff0c745e3ca828b53d6fb2779465d344 sha256:aefe42347b5ea2fd3f566995c67596a8ea3dd7c59c38382e9a2bb90b8e80f040 sha256:0a23b29b4e893d93c023520d4b6ba8e191732e0dc02b7ae56e62c35de47e764d]
2025-03-24T12:40:29+06:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-03-24T12:40:29+06:00	DEBUG	[vex] VEX filtering is disabled
2025-03-24T12:40:29+06:00	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Report Summary
...

gregory-hive Mar 24, 2025
Author

What kind of server settings can be useful besides the ones I've already provided?

DmitriyLewen Mar 24, 2025
Maintainer

I need commands how you install (helm commands) and run
how you set ports so that docker with the client connects to the server
any other configurations that you use for the server

alexrashed · 2025-03-17T12:37:01Z

alexrashed
Mar 17, 2025

Hi there! Chiming in from the side as I just tried to create an issue for this without properly reading the contribution guidelines 😅
Here is a one-line reproducer using the latest version-tagged docker image:

docker run --rm -it --entrypoint sh aquasec/trivy:0.60.0 -c \
  "trivy image --format json --scanners vuln --output trivy-results.json python:3.4-alpine && \
  TRIVY_SCANNERS='vuln' trivy convert --format table --output trivy-results.txt trivy-results.json"

This results in the following error message:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x58 pc=0x3c77dbb]

goroutine 1 [running]:
github.com/aquasecurity/trivy/pkg/report/table.splitAggregatedVulns({{0xc000a684d0, 0x6}, {0xc000a684d6, 0x9}, {0xc000a684e0, 0xa}, {0x0, 0x0, 0x0}, {0xc00115b508, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/report/table/summary.go:266 +0x33b
github.com/aquasecurity/trivy/pkg/report/table.splitAggregatedPackages({0xc000603a40?, 0xc001286660?, 0x52b1900?})
	/home/runner/work/trivy/trivy/pkg/report/table/summary.go:247 +0x33b
github.com/aquasecurity/trivy/pkg/report/table.(*summaryRenderer).Render(_, {0x2, {0x275d8bf8, 0xedf6a094a, 0x0}, {0xc001116618, 0x11}, {0xc0008079f0, 0xf}, {0x0, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/report/table/summary.go:174 +0x3fb
github.com/aquasecurity/trivy/pkg/report/table.(*Writer).Write(_, {_, _}, {0x2, {0x275d8bf8, 0xedf6a094a, 0x0}, {0xc001116618, 0x11}, {0xc0008079f0, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/report/table/table.go:94 +0xfa
github.com/aquasecurity/trivy/pkg/report.Write({_, _}, {0x2, {0x275d8bf8, 0xedf6a094a, 0x0}, {0xc001116618, 0x11}, {0xc0008079f0, 0xf}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/report/writer.go:105 +0x9a6
github.com/aquasecurity/trivy/pkg/commands/convert.Run({_, _}, {{{0x51659ec, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0xc000b2dcb0, ...}, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/convert/run.go:56 +0x810
github.com/aquasecurity/trivy/pkg/commands.NewConvertCommand.func2(0xc000d12f08, {0xc0007741e0, 0x1, 0x5})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:554 +0x199
github.com/spf13/cobra.(*Command).execute(0xc000d12f08, {0xc000197db0, 0x5, 0x5})
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1015 +0xa94
github.com/spf13/cobra.(*Command).ExecuteC(0xc000ae9b08)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1148 +0x40c
github.com/spf13/cobra.(*Command).Execute(0x51bbeaf?)
	/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1071 +0x13
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:45 +0x113
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x1f

In GitHub Actions, I get this problem when running the action as follows:

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: python:3.4-alpine
          format: 'json'
          scanners: 'vuln'
          output: trivy-results.json

      - name: Store Trivy table results
        run: trivy convert --format table --output trivy-results.txt trivy-results.json

Setting the environment variable TRIVY_SCANNERS to an empty string in the second step fixes the issue:

      - name: Store Trivy table results
        env:
          # TODO remove this after https://github.com/aquasecurity/trivy/discussions/8537 is resolved
          TRIVY_SCANNERS: ""
        run: trivy convert --format table --output trivy-results.txt trivy-results.json

12 replies

alexrashed Mar 18, 2025

I only execute the scan once. The two following commands are convert commands. My report is only about the convert command failing when TRIVY_SCANNERS is not an empty string.

DmitriyLewen Mar 18, 2025
Maintainer

in order for the conversion to be performed correctly, your json file (trivy-results.json) must contain all the necessary fields.
therefore, the --list-all-pkgs flag must be used specifically when scanning (trivy image ... in your case)

alexrashed Mar 18, 2025

Then why is this command working just fine?

docker run --rm -it --entrypoint sh aquasec/trivy:0.60.0 -c \
    "trivy image --format json --scanners vuln --output trivy-results.json python:3.4-alpine && \
    TRIVY_SCANNERS='' trivy convert --format table --output trivy-results-wo-all.txt trivy-results.json && \
    cat trivy-results-wo-all.txt"

The resulting table contains all the found vulnerabilities. No list-all-pkgs anywhere in this command. But I also don't really understand why this is relevant here.

DmitriyLewen Mar 18, 2025
Maintainer

But in convert mode scanners are not enabled, so by default we do not see summary table (only detailed tables).
...
And users can configure scanners to look at the summary table, as for fs, image, etc. modes.
In this case your report doesn't contain summary table.

in other words - you forcibly turn off all scanners. In this case, Trivi does not draw the total error and you do not see the error.

DmitriyLewen Mar 18, 2025
Maintainer

➜  ~ docker run --rm -it --entrypoint sh aquasec/trivy:0.60.0 -c \
    "trivy image --format json --scanners vuln --output trivy-results.json --list-all-pkgs python:3.4-alpine && \
    TRIVY_SCANNERS='' trivy convert --format table --output trivy-results-wo-all.txt trivy-results.json && \
    cat trivy-results-wo-all.txt"
2025-03-18T09:46:32Z	INFO	[vulndb] Need to update DB
2025-03-18T09:46:32Z	INFO	[vulndb] Downloading vulnerability DB...
2025-03-18T09:46:32Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
60.95 MiB / 60.95 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 3.25 MiB p/s 19s
2025-03-18T09:46:53Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-03-18T09:46:53Z	INFO	[vuln] Vulnerability scanning is enabled
2025-03-18T09:47:01Z	INFO	[python] Licenses acquired from one or more METADATA files may be subject to additional terms. Use `--debug` flag to see all affected packages.
2025-03-18T09:47:07Z	INFO	Detected OS	family="alpine" version="3.9.2"
2025-03-18T09:47:07Z	INFO	[alpine] Detecting vulnerabilities...	os_version="3.9" repository="3.9" pkg_num=28
2025-03-18T09:47:07Z	INFO	Number of language-specific files	num=1
2025-03-18T09:47:07Z	INFO	[python-pkg] Detecting vulnerabilities...
2025-03-18T09:47:07Z	WARN	This OS version is no longer supported by the distribution	family="alpine" version="3.9.2"
2025-03-18T09:47:07Z	WARN	The vulnerability detection may be insufficient because security updates are not provided
2025-03-18T09:47:07Z	INFO	[convert] To display the summary table, enable the scanners used during JSON report generation.
2025-03-18T09:47:07Z	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

python:3.4-alpine (alpine 3.9.2)
================================
Total: 37 (UNKNOWN: 0, LOW: 4, MEDIUM: 16, HIGH: 13, CRITICAL: 4)

➜  ~ docker run --rm -it --entrypoint sh aquasec/trivy:0.60.0 -c \
    "trivy image --format json --scanners vuln --output trivy-results.json --list-all-pkgs python:3.4-alpine && \
    TRIVY_SCANNERS='vuln' trivy convert --format table --output trivy-results-wo-all.txt trivy-results.json && \
    cat trivy-results-wo-all.txt"
2025-03-18T09:47:45Z	INFO	[vulndb] Need to update DB
2025-03-18T09:47:45Z	INFO	[vulndb] Downloading vulnerability DB...
2025-03-18T09:47:45Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
60.95 MiB / 60.95 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 2.32 MiB p/s 26s
2025-03-18T09:48:14Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-03-18T09:48:14Z	INFO	[vuln] Vulnerability scanning is enabled
2025-03-18T09:48:21Z	INFO	[python] Licenses acquired from one or more METADATA files may be subject to additional terms. Use `--debug` flag to see all affected packages.
2025-03-18T09:48:29Z	INFO	Detected OS	family="alpine" version="3.9.2"
2025-03-18T09:48:29Z	INFO	[alpine] Detecting vulnerabilities...	os_version="3.9" repository="3.9" pkg_num=28
2025-03-18T09:48:29Z	INFO	Number of language-specific files	num=1
2025-03-18T09:48:29Z	INFO	[python-pkg] Detecting vulnerabilities...
2025-03-18T09:48:29Z	WARN	This OS version is no longer supported by the distribution	family="alpine" version="3.9.2"
2025-03-18T09:48:29Z	WARN	The vulnerability detection may be insufficient because security updates are not provided
2025-03-18T09:48:29Z	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Report Summary

┌────────────────────────────────────────────────────────────────────────────┬────────────┬─────────────────┐
│                                   Target                                   │    Type    │ Vulnerabilities │
├────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┤
│ python:3.4-alpine (alpine 3.9.2)                                           │   alpine   │       37        │
├────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┤
│ usr/local/lib/python3.4/site-packages/pip-19.0.3.dist-info/METADATA        │ python-pkg │        3        │
├────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┤
│ usr/local/lib/python3.4/site-packages/setuptools-40.8.0.dist-info/METADATA │ python-pkg │        2        │
├────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┤
│ usr/local/lib/python3.4/site-packages/wheel-0.33.1.dist-info/METADATA      │ python-pkg │        1        │
└────────────────────────────────────────────────────────────────────────────┴────────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


python:3.4-alpine (alpine 3.9.2)
================================
Total: 37 (UNKNOWN: 0, LOW: 4, MEDIUM: 16, HIGH: 13, CRITICAL: 4

eiju-akahane · 2025-03-18T02:12:26Z

eiju-akahane
Mar 18, 2025

I encountered the same panic few days ago.
I replaced docker image setting from docker.io/aquasec/trivy:latest to docker.io/aquasec/trivy:0.59.1 in my CI pipeline and the panic was gone.

7 replies

DmitriyLewen Mar 18, 2025
Maintainer

Do you have any information on how the Trivy server is running?

eiju-akahane Mar 19, 2025

I don't have the detail information but the server must be started by the trivy helm-chart in this site:
https://aquasecurity.github.io/helm-charts/

DmitriyLewen Mar 19, 2025
Maintainer

I installed Trivy from helm.
And i still can't reproduce error 😞

➜  ~ trivy -q image --server http://localhost:4954 python:3.11-slim --table-mode summary

Report Summary

┌─────────────────────────────────────────────────────────────────────────────┬────────────┬─────────────────┬─────────┐
│                                   Target                                    │    Type    │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ python:3.11-slim (debian 12.10)                                             │   debian   │       98        │    -    │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ usr/local/lib/python3.11/site-packages/pip-24.0.dist-info/METADATA          │ python-pkg │        0        │    -    │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ usr/local/lib/python3.11/site-packages/setuptools-65.5.1.dist-info/METADATA │ python-pkg │        1        │    -    │
├─────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ usr/local/lib/python3.11/site-packages/wheel-0.45.1.dist-info/METADATA      │ python-pkg │        0        │    -    │
└─────────────────────────────────────────────────────────────────────────────┴────────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

eiju-akahane Mar 21, 2025

The following is the client command lines we are using. Hope this helps...

trivy clean --scan-cache
trivy image --server http://trivy:4954 --exit-code 0 --format template --template <template setting> --output <output xml path> --timeout 5m <our image path>
trivy image --server http://trivy:4954 --exit-code 0 --timeout 5m <our image path> 
  (panic in this command)

DmitriyLewen Mar 21, 2025
Maintainer

The problem is that the Trivy server returns Vulnerabilities without Packages.
So the problem is on the server side. The client side does not help with detecting the cause of this case.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy is crashing with "panic: runtime error: invalid memory address or nil pointer dereference" when scanning for HIGH/CRIT vulnerabilities #8537

{{title}}

Replies: 4 comments 36 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Trivy is crashing with "panic: runtime error: invalid memory address or nil pointer dereference" when scanning for HIGH/CRIT vulnerabilities #8537

gregory-hive Mar 12, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 4 comments · 36 replies

knqyf263 Mar 12, 2025 Maintainer

DmitriyLewen Mar 14, 2025 Maintainer

knqyf263 Mar 14, 2025 Maintainer

DmitriyLewen Mar 14, 2025 Maintainer

knqyf263 Apr 7, 2025 Maintainer

DmitriyLewen Apr 7, 2025 Maintainer

DmitriyLewen Mar 12, 2025 Maintainer

DmitriyLewen Mar 18, 2025 Maintainer

gregory-hive Mar 21, 2025 Author

DmitriyLewen Mar 24, 2025 Maintainer

gregory-hive Mar 24, 2025 Author

DmitriyLewen Mar 24, 2025 Maintainer

alexrashed Mar 17, 2025

alexrashed Mar 18, 2025

DmitriyLewen Mar 18, 2025 Maintainer

alexrashed Mar 18, 2025

DmitriyLewen Mar 18, 2025 Maintainer

DmitriyLewen Mar 18, 2025 Maintainer

eiju-akahane Mar 18, 2025

DmitriyLewen Mar 18, 2025 Maintainer

eiju-akahane Mar 19, 2025

DmitriyLewen Mar 19, 2025 Maintainer

eiju-akahane Mar 21, 2025

DmitriyLewen Mar 21, 2025 Maintainer

gregory-hive
Mar 12, 2025

Replies: 4 comments 36 replies

knqyf263
Mar 12, 2025
Maintainer

DmitriyLewen Mar 14, 2025
Maintainer

knqyf263 Mar 14, 2025
Maintainer

DmitriyLewen Mar 14, 2025
Maintainer

knqyf263 Apr 7, 2025
Maintainer

DmitriyLewen Apr 7, 2025
Maintainer

DmitriyLewen
Mar 12, 2025
Maintainer

DmitriyLewen Mar 18, 2025
Maintainer

gregory-hive Mar 21, 2025
Author

DmitriyLewen Mar 24, 2025
Maintainer

gregory-hive Mar 24, 2025
Author

DmitriyLewen Mar 24, 2025
Maintainer

alexrashed
Mar 17, 2025

DmitriyLewen Mar 18, 2025
Maintainer

DmitriyLewen Mar 18, 2025
Maintainer

DmitriyLewen Mar 18, 2025
Maintainer

eiju-akahane
Mar 18, 2025

DmitriyLewen Mar 18, 2025
Maintainer

DmitriyLewen Mar 19, 2025
Maintainer

DmitriyLewen Mar 21, 2025
Maintainer