
encountering errors when parsing pnpm-lock #931

@LironJit


Hi :)
When scanning pnpm-lock.yaml files with specific content I'll include below, via osv-scanner scan . (version 1.7.0), I'm consistently experiencing the following:

➜  testdir git:(main) ✗ osv-scanner scan .                                       
Scanning dir .
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/google/osv-scanner/pkg/lockfile.extractPnpmPackageNameAndVersion({0xc0003f4150?, 0xa?})
        github.com/google/osv-scanner/pkg/lockfile/parse-pnpm-lock.go:81 +0x26f
github.com/google/osv-scanner/pkg/lockfile.parsePnpmLock({0xc000786540?, 0xc0001e45a0?})
        github.com/google/osv-scanner/pkg/lockfile/parse-pnpm-lock.go:127 +0x13b
github.com/google/osv-scanner/pkg/lockfile.PnpmLockExtractor.Extract({}, {0x4b99bf68, 0xc000306740})
        github.com/google/osv-scanner/pkg/lockfile/parse-pnpm-lock.go:194 +0x25b
github.com/google/osv-scanner/pkg/lockfile.ExtractDeps({0x4b99bf68, 0xc000306740}, {0x0, 0x0})
        github.com/google/osv-scanner/pkg/lockfile/extract.go:61 +0x24a
github.com/google/osv-scanner/pkg/osvscanner.scanLockfile({0x2ca1a68, 0xc0000e7f00}, {0xc00018eb90, 0x48}, {0x0, 0x0})
        github.com/google/osv-scanner/pkg/osvscanner/osvscanner.go:359 +0x7fa
github.com/google/osv-scanner/pkg/osvscanner.scanDir.func1({0xc0003f4080?, 0x0?}, {0x2c9cd68, 0xc0003dc240}, {0x0?, 0x0?})
        github.com/google/osv-scanner/pkg/osvscanner/osvscanner.go:160 +0x745
path/filepath.walkDir({0xc0003f4080, 0xe}, {0x2c9cd68, 0xc0003dc240}, 0xc000786ce8)
        path/filepath/path.go:443 +0x50
path/filepath.walkDir({0x207ffb2e1, 0x1}, {0x2c9cfd0, 0xc0002d0cb0}, 0xc000786ce8)
        path/filepath/path.go:465 +0x285
path/filepath.WalkDir({0x207ffb2e1, 0x1}, 0xc000786ce8)
        path/filepath/path.go:533 +0x7b
github.com/google/osv-scanner/pkg/osvscanner.scanDir({0x2ca1a68?, 0xc0000e7f00?}, {0x207ffb2e1?, 0x1?}, 0x0?, 0x0?, 0x1?, 0x0?)
        github.com/google/osv-scanner/pkg/osvscanner/osvscanner.go:118 +0x212
github.com/google/osv-scanner/pkg/osvscanner.DoScan({{0x0, 0x0, 0x0}, {0x0, 0x0, 0x0}, {0xc0002d0ac0, 0x1, 0x1}, {0x0, ...}, ...}, ...)
        github.com/google/osv-scanner/pkg/osvscanner/osvscanner.go:786 +0xe1f
github.com/google/osv-scanner/cmd/osv-scanner/scan.action(0xc0000e7640, {0x2c90e18, 0xc000122048}, {0x2c90e18, 0xc000122050})
        github.com/google/osv-scanner/cmd/osv-scanner/scan/main.go:202 +0xc90
github.com/google/osv-scanner/cmd/osv-scanner/scan.Command.func2(0xc000787ae0?)
        github.com/google/osv-scanner/cmd/osv-scanner/scan/main.go:139 +0x2c
github.com/urfave/cli/v2.(*Command).Run(0xc0001e2dc0, 0xc0000e7640, {0xc0000a7200, 0x2, 0x2})
        github.com/urfave/cli/v2@v2.27.1/command.go:279 +0x97d
github.com/urfave/cli/v2.(*Command).Run(0xc0001e3340, 0xc0000e7500, {0xc00011a2a0, 0x3, 0x3})
        github.com/urfave/cli/v2@v2.27.1/command.go:272 +0xbb7
github.com/urfave/cli/v2.(*App).RunContext(0xc00029e400, {0x2c9cd30, 0x37086a0}, {0xc00011a2a0, 0x3, 0x3})
        github.com/urfave/cli/v2@v2.27.1/app.go:337 +0x58b
github.com/urfave/cli/v2.(*App).Run(...)
        github.com/urfave/cli/v2@v2.27.1/app.go:311
main.run({0xc00011a2a0, 0x3, 0x3}, {0x2c90e18, 0xc000122048}, {0x2c90e18, 0xc000122050})
        github.com/google/osv-scanner/cmd/osv-scanner/main.go:50 +0x352
main.main()
        github.com/google/osv-scanner/cmd/osv-scanner/main.go:121 +0x45

Here are the contents of the pnpm-lock.yaml to reproduce this:

lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

packages:
  '@zxing/text-encoding@0.9.0':
    resolution: {integrity: xyz}

  abab@2.0.6:
    resolution: {integrity: xyz}
    deprecated: Use your platform's native atob() and btoa() methods instead

However, after removing abab@2.0.6 from the file, as below, the scan completes successfully:

lockfileVersion: '9.0'

settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

packages:
  '@zxing/text-encoding@0.9.0':
    resolution: {integrity: xyz}
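As an added illustration (not code from osv-scanner, and not a fix for the panic above), here is a defensive parser for the package keys in the lockfile shown: it splits `abab@2.0.6` and the scoped `@zxing/text-encoding@0.9.0` into name and version after YAML decoding, and returns an error for empty or malformed keys instead of indexing into an empty slice. The function names and the accepted forms (optional leading slash, parenthesised peer-dependency suffix) are assumptions of this example, not the project's API.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// pnpmPackage is the name/version pair recovered from one "packages:" key.
type pnpmPackage struct {
	Name    string
	Version string
}

// parsePnpmPackageKey splits a pnpm lockfile package key into name and
// version without indexing into an empty slice (hypothetical helper, not
// osv-scanner's code). Accepts "abab@2.0.6", "@zxing/text-encoding@0.9.0",
// an optional leading "/" as older lockfiles used, and drops a "(peer@...)" suffix.
func parsePnpmPackageKey(key string) (pnpmPackage, error) {
	key = strings.TrimPrefix(strings.TrimSpace(key), "/")
	if i := strings.IndexByte(key, '('); i >= 0 {
		key = key[:i] // drop the peer-dependency suffix
	}
	if key == "" {
		return pnpmPackage{}, errors.New("empty package key")
	}
	// A scoped name starts with '@', so search for the separator after the first byte.
	at := strings.LastIndexByte(key[1:], '@')
	if at < 0 {
		return pnpmPackage{}, fmt.Errorf("no version separator in %q", key)
	}
	at++ // re-base the offset onto the full key
	name, version := key[:at], key[at+1:]
	if name == "" || version == "" {
		return pnpmPackage{}, fmt.Errorf("malformed package key %q", key)
	}
	return pnpmPackage{Name: name, Version: version}, nil
}

func main() {
	// The two keys from the reported lockfile plus two malformed ones (constructed).
	for _, k := range []string{"abab@2.0.6", "@zxing/text-encoding@0.9.0", "", "@"} {
		p, err := parsePnpmPackageKey(k)
		if err != nil {
			fmt.Printf("%q -> error: %v\n", k, err)
			continue
		}
		fmt.Printf("%q -> name=%s version=%s\n", k, p.Name, p.Version)
	}
}
```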

Labels

bug (Something isn't working)
