Skip to content

fix: update grype to v0.91.0 to resolve nil pointer panic#316

Merged
kylos101 merged 2 commits intomainfrom
kb/fix-grype-nil-pointer-panic
Dec 26, 2025
Merged

fix: update grype to v0.91.0 to resolve nil pointer panic#316
kylos101 merged 2 commits intomainfrom
kb/fix-grype-nil-pointer-panic

Conversation

@kylos101
Copy link
Contributor

@kylos101 kylos101 commented Dec 26, 2025

Description

Updates grype from v0.90.0 to v0.91.0 to fix a nil pointer dereference panic during vulnerability database hydration.

Problem

Grype v0.90.0 contains a bug where the Hydrater() function attempts to close a database store without checking if it's nil. When database initialization fails, this causes a segmentation fault.

Solution

Upgrade to grype v0.91.0, which includes the fix from anchore/grype#2546.

Changes

  • Update github.com/anchore/grype from v0.90.0 to v0.91.0
  • Update transitive dependencies via go mod tidy

kylos101 and others added 2 commits December 26, 2025 12:09
@kylos101 @ona-agent
fix: update grype to v0.91.0 to resolve nil pointer panic
d3b2318 
Grype v0.90.0 has a bug in the Hydrater() function that causes a panic
when database initialization fails. The function attempts to close a nil
store pointer without checking if it's nil first.

This was fixed in v0.91.0 via anchore/grype#2546.

Co-authored-by: Ona <no-reply@ona.com>
@kylos101 @ona-agent
style: remove trailing whitespace
394e89a 
Co-authored-by: Ona <no-reply@ona.com>
@kylos101
Copy link
Contributor Author

kylos101 commented Dec 26, 2025

Changes in 394e89a were to fix golang ci lint errors.

@kylos101 kylos101 marked this pull request as ready for review December 26, 2025 12:14
@kylos101
Copy link
Contributor Author

kylos101 commented Dec 26, 2025

I didn't bump to the latest version of grype. This is because that results in a conflict with runc, which we'd need to also update, but is a bigger change than I'd like to take on in this PR.

Background:

Grype v0.104.3 requires filepath-securejoin@v0.6.0, which is incompatible with runc@v1.2.3.

Summary of the Build Error
Bumping grype to v0.104.3 causes a dependency conflict:

grype v0.104.3 → requires filepath-securejoin@v0.6.0
runc v1.2.3 → requires filepath-securejoin@v0.3.5 and uses the old API
Go's module system resolves to filepath-securejoin@v0.6.1 (the newer version)
runc v1.2.3 code breaks because MkdirAllHandle was removed from the root package in v0.6.x
The error:

/go/pkg/mod/github.com/opencontainers/runc@v1.2.3/libcontainer/utils/utils_unix.go:337:20:
undefined: securejoin.MkdirAllHandle
Why it happens:

In filepath-securejoin@v0.3.5: MkdirAllHandle is in the root package
In filepath-securejoin@v0.6.x: MkdirAllHandle was moved to pathrs-lite subpackage and removed from root
To fix this, you would need:

Either downgrade grype (what we did with v0.91.0)
Or update runc to a version compatible with filepath-securejoin v0.6.x
Or wait for grype to update its dependencies to resolve this conflict
This is why v0.91.0 is the safe choice - it doesn't require Go version bumps and avoids this dependency conflict.

leodido
leodido approved these changes Dec 26, 2025
View reviewed changes
Copy link
Contributor

@leodido leodido left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM (unblock)

@kylos101 kylos101 merged commit 0b10eee into main Dec 26, 2025
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@leodido leodido leodido approved these changes

@corneliusludmann corneliusludmann Awaiting requested review from corneliusludmann

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kylos101 @leodido