empty analysis.response results in "panic: runtime error: invalid memory address or nil pointer dereference" #148

@lucastheisen

Running against an existing sbom:

$ sbom-utility vulnerability list --input-file /tmp/tmp.W3DdG5R96f/Docker_8ca4a1e_SBOM_Export_CycloneDX.json
Welcome to the sbom-utility! Version 'v0.18.1' (sbom-utility) (linux/amd64)
===========================================================================
[INFO] Loading (embedded) default schema config file: 'config.json'...
[INFO] Loading (embedded) default license policy file: 'license.json'...
[INFO] Attempting to load and unmarshal data from: '/tmp/tmp.W3DdG5R96f/Docker_8ca4a1e_SBOM_Export_CycloneDX.json'...
[INFO] Successfully unmarshalled data from: '/tmp/tmp.W3DdG5R96f/Docker_8ca4a1e_SBOM_Export_CycloneDX.json'
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): 'CycloneDX', '1.6' (latest)
[INFO] Matching BOM schema (for validation): schema/cyclonedx/1.6/bom-1.6.schema.json
[INFO] Scanning document for vulnerabilities...
[WARN] vulnerability ('CVE-2026-5358') missing `published` date
[WARN] vulnerability ('CVE-2026-5358') missing `created` date
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x616eae]

goroutine 1 [running]:
github.com/CycloneDX/sbom-utility/schema.(*BOM).HashmapVulnerability(_, {{0xc000259ed0, 0xd}, 0x0, 0x0, 0x0, 0xc0005be8b8, 0xc0005be8a0, {0xc00011a230, 0x66}, ...}, ...)
        /github/workspace/schema/bom_hash.go:392 +0x6ae
github.com/CycloneDX/sbom-utility/schema.(*BOM).HashmapVulnerabilities(0xc000002000, {0xc0000e0000, 0xe2, 0x96af5d?}, {0x0, 0x0, 0x0})
        /github/workspace/schema/bom_hash.go:311 +0x1a5
github.com/CycloneDX/sbom-utility/cmd.loadDocumentVulnerabilities(0xc000002000, {0x0, 0x0, 0x0})
        /github/workspace/cmd/vulnerability.go:259 +0x159
github.com/CycloneDX/sbom-utility/cmd.ListVulnerabilities({0xb8d340, 0xc000126038}, {0x0, 0x0, 0x0, {0x7ffe0db52d18, 0x3d}, {0x0, 0x0}, {0x96a536, ...}, ...}, ...)
        /github/workspace/cmd/vulnerability.go:211 +0x191
github.com/CycloneDX/sbom-utility/cmd.vulnerabilityCmdImpl(0xc000228f08, {0xc00021e8d0, 0x1, 0x3})
        /github/workspace/cmd/vulnerability.go:165 +0x33e
github.com/spf13/cobra.(*Command).execute(0xc000228f08, {0xc00021e870, 0x3, 0x3})
        /go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:940 +0x894
github.com/spf13/cobra.(*Command).ExecuteC(0xef16e0)
        /go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:1068 +0x3a5
github.com/spf13/cobra.(*Command).Execute(...)
        /go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:992
github.com/CycloneDX/sbom-utility/cmd.Execute()
        /github/workspace/cmd/root.go:284 +0x65
main.main()
        /github/workspace/main.go:96 +0x5e
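
The failure mode named in the issue title, as an added example that is not part of the original report and not sbom-utility's code: optional JSON keys decoded into pointer fields stay nil when the key is absent or null, so any dereference needs a guard. The struct definitions, function names and sample document below are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical, simplified stand-ins for CycloneDX types (assumption, not the project's structs).
type Analysis struct {
	State    string    `json:"state,omitempty"`
	Response *[]string `json:"response,omitempty"` // nil when the key is absent or null
}

type Vulnerability struct {
	ID       string    `json:"id"`
	Analysis *Analysis `json:"analysis,omitempty"` // nil when the key is absent
}

// AnalysisResponse joins the response values; it returns "" instead of panicking on nil pointers.
func AnalysisResponse(v Vulnerability) string {
	if v.Analysis == nil || v.Analysis.Response == nil {
		return ""
	}
	return strings.Join(*v.Analysis.Response, ",")
}

// ParseVulnerabilities decodes a JSON array of vulnerability records.
func ParseVulnerabilities(data []byte) (vulns []Vulnerability, err error) {
	err = json.Unmarshal(data, &vulns)
	return
}

// Constructed sample input: response absent, null, empty, and populated.
const sample = `[
  {"id": "VULN-A", "analysis": {"state": "not_affected"}},
  {"id": "VULN-B", "analysis": {"state": "not_affected", "response": null}},
  {"id": "VULN-C", "analysis": {"state": "exploitable", "response": []}},
  {"id": "VULN-D", "analysis": {"state": "exploitable", "response": ["update", "rollback"]}}
]`

func main() {
	vulns, err := ParseVulnerabilities([]byte(sample))
	if err != nil {
		panic(err)
	}
	for _, v := range vulns {
		fmt.Printf("%s response=%q\n", v.ID, AnalysisResponse(v))
	}
}
```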

Labels: bug, investigating, priority-high
