Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ParseMavenLock hangs when parsing some Maven archetypes files #293

Closed
spencerschrock opened this issue Mar 13, 2023 · 5 comments · Fixed by #294
Closed

ParseMavenLock hangs when parsing some Maven archetypes files #293

spencerschrock opened this issue Mar 13, 2023 · 5 comments · Fixed by #294

Comments

@spencerschrock
Copy link
Contributor

Both of these small pom.xml files seem to cause osv-scanner to hang. One invocation ran for 5+ hours before the program was terminated for other reasons.

Reproducible with:

osv-scanner -L ./pom.xml

https://github.com/Open-Wide/owsi-nuxeo-boilerplate/blob/96a65826d8f610d17b269d0da1d577bbb5d46cb1/archetype/src/main/resources/archetype-resources/pom.xml

https://github.com/BeOne-PL/promena/blob/adbc25d2cd3acf1990f7188938fee25d834aa0db/sdk/promena-transformer/promena-transformer-archetype/src/main/resources/archetype-resources/configuration/pom.xml
@G-Rath
Copy link
Collaborator

G-Rath commented Mar 13, 2023

Looks like it's because these are technically invalid XML - not sure why it doesn't just crash though; might require implementing a custom parser to properly support 🤔

@spencerschrock
Copy link
Contributor Author

Do you know if this is a problem with encoding/xml, or with func (p *MavenLockProperties) UnmarshalXML?

My profiler seemed to end up in a loop with the latter

@G-Rath
Copy link
Collaborator

G-Rath commented Mar 13, 2023

Yup doesn't surprise me that the problem is there

@spencerschrock
Copy link
Contributor Author

Knowing that it's invalid XML helped narrow it down.
Adding some logic to handle the error that d.Token returns here seems to break the loop.

osv-scanner/pkg/lockfile/parse-maven-lock.go

Lines 75 to 81 in 96a62e9

func (p *MavenLockProperties) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
p.m = map[string]string{}
for {
t, _ := d.Token()
switch tt := t.(type) {

Let me know if you'd prefer to handle it, or I can send a PR.

@G-Rath
Copy link
Collaborator

G-Rath commented Mar 13, 2023

I've got about half a day of work left before I can look into this more deeply, so if you're ready to do a PR right now go for it

@spencerschrock spencerschrock mentioned this issue Mar 14, 2023
Merged
another-rex pushed a commit that referenced this issue Mar 14, 2023
@spencerschrock
fix: avoid infinite loops parsing Maven poms with syntax errors (#294)
b76e5ad 
Resolves #293

Signed-off-by: Spencer Schrock <[email protected]>
@chenrui333 chenrui333 mentioned this issue Mar 28, 2023
Merged
julieqiu pushed a commit to julieqiu/osv-scanner that referenced this issue May 2, 2023
@spencerschrock @julieqiu
fix: avoid infinite loops parsing Maven poms with syntax errors (goog…
f5a17b6 
…le#294)

Resolves google#293

Signed-off-by: Spencer Schrock <[email protected]>
julieqiu pushed a commit to julieqiu/osv-scanner that referenced this issue May 2, 2023
@spencerschrock @julieqiu
fix: avoid infinite loops parsing Maven poms with syntax errors (goog…
1edcb3c 
…le#294)

Resolves google#293

Signed-off-by: Spencer Schrock <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: avoid infinite loops parsing Maven poms with syntax errors spencerschrock/osv-scanner
2 participants
@G-Rath @spencerschrock