
bug: run latest sbom score returns with panic #233

Closed
kid9 opened this issue Apr 24, 2024 · 2 comments · Fixed by #234

kid9 commented Apr 24, 2024

I installed the latest sbomqs binary with the go install command and ran the sbomqs score command. It returned with a panic:

executed command

sbomqs score -j sboms/389-ds-base-1.3.11.1-1.0.2.an7.x86_64.rpm.spdx.json

returned results

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x7e1102]

goroutine 1 [running]:
github.com/interlynk-io/sbomqs/pkg/sbom.(*spdxDoc).parseComps(0xc0005420d0)
	/root/go/pkg/mod/github.com/interlynk-io/[email protected]/pkg/sbom/spdx.go:193 +0x3c2
github.com/interlynk-io/sbomqs/pkg/sbom.(*spdxDoc).parse(0xbc9180?)
	/root/go/pkg/mod/github.com/interlynk-io/[email protected]/pkg/sbom/spdx.go:139 +0x4f
github.com/interlynk-io/sbomqs/pkg/sbom.newSPDXDoc({0xbcdb08?, 0xc0002cb500}, {0xbcb960, 0xc0003e0268}, {0x9d47ef, 0x4})
	/root/go/pkg/mod/github.com/interlynk-io/[email protected]/pkg/sbom/spdx.go:89 +0x31e
github.com/interlynk-io/sbomqs/pkg/sbom.NewSBOMDocument({0xbcdb08, 0xc0002cb500}, {0xbcb960, 0xc0003e0268})
	/root/go/pkg/mod/github.com/interlynk-io/[email protected]/pkg/sbom/sbom.go:157 +0x11e
github.com/interlynk-io/sbomqs/pkg/engine.processFile({0xbcdb08?, 0xc0002cb500}, 0xc0002b20c0, {0x7fff85abc593, 0x45})
	/root/go/pkg/mod/github.com/interlynk-io/[email protected]/pkg/engine/score.go:146 +0x185
github.com/interlynk-io/sbomqs/pkg/engine.handlePaths({0xbcdb08, 0xc0002cb500}, 0xc0002b20c0)
	/root/go/pkg/mod/github.com/interlynk-io/[email protected]/pkg/engine/score.go:101 +0x3a6
github.com/interlynk-io/sbomqs/pkg/engine.Run({0xbcdb08, 0xc0002cb500}, 0xc0002b20c0)
	/root/go/pkg/mod/github.com/interlynk-io/[email protected]/pkg/engine/score.go:63 +0xe5
github.com/interlynk-io/sbomqs/cmd.processScore(0xc0001ca700?, {0xc00013a3e0, 0x1, 0x2})
	/root/go/pkg/mod/github.com/interlynk-io/[email protected]/cmd/score.go:95 +0x1b5
github.com/spf13/cobra.(*Command).execute(0xf9d7e0, {0xc00013a3c0, 0x2, 0x2})
	/root/go/pkg/mod/github.com/spf13/[email protected]/command.go:983 +0xabc
github.com/spf13/cobra.(*Command).ExecuteC(0xf9d500)
	/root/go/pkg/mod/github.com/spf13/[email protected]/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
	/root/go/pkg/mod/github.com/spf13/[email protected]/command.go:1039
github.com/interlynk-io/sbomqs/cmd.Execute()
	/root/go/pkg/mod/github.com/interlynk-io/[email protected]/cmd/root.go:42 +0x1f
main.main()
	/root/go/pkg/mod/github.com/interlynk-io/[email protected]/main.go:20 +0xf

possible error

It seems that the condition on L192 of pkg/sbom/spdx.go is not correct:

sbomqs/pkg/sbom/spdx.go

Lines 192 to 194 in 32d97df

if sc.PackageOriginator != nil {
	nc.sourceCodeHash = sc.PackageVerificationCode.Value
}

The PackageVerificationCode field is provided only if the fileAnalyzed field is true; it has no relation to the originator field.

In the given SPDX SBOM file, the fileAnalyzed field is false, which caused the PackageVerificationCode field to be null, so the panic happened.
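The shape of the fix described above, as an added example that is not sbomqs's own code: a hypothetical minimal SPDX 2.x decoder that guards on the pointer it actually dereferences, run over a constructed SBOM whose first package has an originator but `filesAnalyzed` set to false. The type and function names (`spdxPackage`, `sourceCodeHash`, `hashes`) are assumptions, not the project's.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical minimal SPDX 2.x shapes (not sbomqs's types); the code is a pointer
// because SPDX requires it only when filesAnalyzed is true, else it decodes as nil.
type verificationCode struct {
	Value string `json:"packageVerificationCodeValue"`
}
type spdxPackage struct {
	FilesAnalyzed           bool              `json:"filesAnalyzed"`
	Originator              string            `json:"originator"`
	PackageVerificationCode *verificationCode `json:"packageVerificationCode"`
}

// Constructed sample: pkg-a has an originator but filesAnalyzed=false, the
// exact shape on which the reported condition dereferenced a nil pointer.
const sampleSBOM = `{"packages":[
 {"name":"pkg-a","filesAnalyzed":false,"originator":"Organization: Example"},
 {"name":"pkg-b","filesAnalyzed":true,"originator":"Organization: Example",
  "packageVerificationCode":{"packageVerificationCodeValue":"0123456789abcdef0123456789abcdef01234567"}}]}`

// sourceCodeHash guards on the field that is actually dereferenced, not on
// the unrelated originator; an absent code yields "" instead of a panic.
func sourceCodeHash(p spdxPackage) string {
	if p.PackageVerificationCode == nil {
		return ""
	}
	return p.PackageVerificationCode.Value
}

// hashes decodes an SPDX JSON document and returns one entry per package.
func hashes(raw string) ([]string, error) {
	var doc struct {
		Packages []spdxPackage `json:"packages"`
	}
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return nil, err
	}
	out := make([]string, 0, len(doc.Packages))
	for _, p := range doc.Packages {
		out = append(out, sourceCodeHash(p))
	}
	return out, nil
}

func main() {
	fmt.Println(hashes(sampleSBOM)) // [ 0123456789abcdef0123456789abcdef01234567] <nil>
}
```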

@riteshnoronha
Contributor

Oops, it was a typo on my end; I was adding that feature for the new TR-03183 compliance reports. I have fixed it here: #234

Will make a release towards the end of the week.

@riteshnoronha
Contributor

A new version has been released to address this.
