Do not dereference go dependency fields without checking the length o…

…f fields first (#3598)

Or else malformed patches might cause us trouble.

internal/engine/ingester/diff/parse.go

@@ -172,21 +172,29 @@ func extractGoDepFromPatchLine(line string) *pb.Dependency {
 	if strings.HasPrefix(line, "+") && !strings.HasPrefix(line, "+++") && !strings.Contains(line, "// indirect") {
 		// Extract the part after the '+' sign.
 		lineContent := line[1:]
+
 		fields := strings.Fields(lineContent)
 		if len(fields) < 2 {
 			// No match
 			return nil
 		}
+
 		dep := &pb.Dependency{
 			Ecosystem: pb.DepEcosystem_DEP_ECOSYSTEM_GO,
 		}
 		if fields[0] == "require" && fields[1] != "(" {
+			if len(fields) < 3 {
+				return nil
+			}
 			dep.Name = fields[1]
 			dep.Version = fields[2]
 		} else if strings.HasPrefix(lineContent, "\t") {
 			dep.Name = fields[0]
 			dep.Version = fields[1]
 		} else if fields[0] == "replace" && strings.Contains(lineContent, "=>") && len(fields) >= 5 {
+			if len(fields) < 5 {
+				return nil
+			}
 			// For lines with version replacements, the new version is after the "=>"
 			// Assuming format is module path version => newModulePath newVersion
 			dep.Name = fields[3]

internal/engine/ingester/diff/parse_test.go

@@ -105,6 +105,28 @@ func TestGoParse(t *testing.T) {
 				},
 			},
 		},
+		{
+			description: "Bad Replace",
+			content: `
+	k8s.io/klog/v2 v2.110.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)
++
++replace github.com/opencontainers/runc => `,
+			expectedCount:        0,
+			expectedDependencies: []*pb.Dependency{},
+		},
+		{
+			description: "Bad Require",
+			content: `
+	k8s.io/klog/v2 v2.110.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)
++
++require github.com/opencontainers/runc`,
+			expectedCount:        0,
+			expectedDependencies: []*pb.Dependency{},
+		},
 	}
 	for _, tt := range tests {
 		tt := tt