Add additional guardrails and checks against nil pointers; clean up some confusing code as well

pkg/action/diff.go

@@ -60,7 +60,9 @@ func relPath(from string, fr *malcontent.FileReport, isArchive bool, isImage boo
 		from = fr.Path
 		if strings.Contains(fr.Path, "∴") {
 			parts := strings.Split(fr.Path, "∴")
-			from = strings.TrimSpace(parts[0])
+			if len(parts) > 0 {
+				from = strings.TrimSpace(parts[0])
+			}
 		}
 		base, err = filepath.Abs(from)
 		if err != nil {

pkg/action/scan.go

@@ -167,9 +167,7 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF
 	initializeOnce.Do(func() {
 		scannerPool = pool.NewScannerPool(yrs, getMaxConcurrency(c.Concurrency))
 	})
-
-	scanner := scannerPool.Get()
-	defer scannerPool.Put(scanner)
+	scanner := scannerPool.Get(yrs)
 
 	fc, mrs, size, checksum, err := scanFD(scanner, fd, logger)
 	if err != nil {
@@ -195,6 +193,7 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF
 	}
 
 	defer func() {
+		scannerPool.Put(scanner)
 		fc = nil
 		mrs = nil
 	}()
@@ -788,20 +787,22 @@ func Scan(ctx context.Context, c malcontent.Config) (*malcontent.Report, error)
 		return r, err
 	}
 
-	r.Files.Range(func(key, value any) bool {
-		if scanCtx.Err() != nil {
-			return false
-		}
-		if key == nil || value == nil {
-			return true
-		}
-		if fr, ok := value.(*malcontent.FileReport); ok {
-			if fr.RiskScore < c.MinFileRisk {
-				r.Files.Delete(key)
+	if r != nil {
+		r.Files.Range(func(key, value any) bool {
+			if scanCtx.Err() != nil {
+				return false
 			}
-		}
-		return true
-	})
+			if key == nil || value == nil {
+				return true
+			}
+			if fr, ok := value.(*malcontent.FileReport); ok {
+				if fr.RiskScore < c.MinFileRisk {
+					r.Files.Delete(key)
+				}
+			}
+			return true
+		})
+	}
 	if scanCtx.Err() == nil && c.Stats && c.Renderer.Name() != "JSON" && c.Renderer.Name() != "YAML" {
 		err = render.Statistics(&c, r)
 		if err != nil {

pkg/archive/archive.go

@@ -244,7 +244,7 @@ func handleDirectory(target string) error {
 
 // handleFile extracts valid files within .deb or .tar archives.
 func handleFile(target string, tr *tar.Reader) error {
-	buf := tarPool.Get(extractBuffer)
+	buf := tarPool.Get(extractBuffer) //nolint:nilaway // the buffer pool is created above
 	defer tarPool.Put(buf)
 
 	if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {

pkg/archive/bz2.go

@@ -31,7 +31,7 @@ func ExtractBz2(ctx context.Context, d, f string) error {
 		return nil
 	}
 
-	buf := archivePool.Get(extractBuffer)
+	buf := archivePool.Get(extractBuffer) //nolint:nilaway // the buffer pool is created in archive.go
 
 	tf, err := os.Open(f)
 	if err != nil {

pkg/archive/gzip.go

@@ -53,7 +53,7 @@ func ExtractGzip(ctx context.Context, d string, f string) error {
 		return nil
 	}
 
-	buf := archivePool.Get(extractBuffer)
+	buf := archivePool.Get(extractBuffer) //nolint:nilaway // the buffer pool is created in archive.go
 
 	gf, err := os.Open(f)
 	if err != nil {

pkg/archive/rpm.go

@@ -40,7 +40,7 @@ func ExtractRPM(ctx context.Context, d, f string) error {
 		return nil
 	}
 
-	buf := archivePool.Get(extractBuffer)
+	buf := archivePool.Get(extractBuffer) //nolint:nilaway // the buffer pool is created in archive.go
 	defer archivePool.Put(buf)
 
 	pkg, err := rpm.Read(rpmFile)

pkg/archive/tar.go

@@ -48,7 +48,7 @@ func ExtractTar(ctx context.Context, d string, f string) error {
 		return nil
 	}
 
-	buf := tarPool.Get(extractBuffer)
+	buf := tarPool.Get(extractBuffer) //nolint:nilaway // the buffer pool is created in archive.go
 
 	filename := filepath.Base(f)
 	tf, err := os.Open(f)

pkg/archive/zip.go

@@ -123,7 +123,7 @@ func extractFile(ctx context.Context, file *zip.File, destDir string, logger *cl
 		}
 	}
 
-	buf := zipPool.Get(zipBuffer)
+	buf := zipPool.Get(zipBuffer) //nolint:nilaway // the buffer pool is created in archive.go
 
 	clean := filepath.Clean(filepath.ToSlash(file.Name))
 	if strings.Contains(clean, "..") {

pkg/archive/zlib.go

@@ -30,7 +30,7 @@ func ExtractZlib(ctx context.Context, d string, f string) error {
 		return nil
 	}
 
-	buf := archivePool.Get(extractBuffer)
+	buf := archivePool.Get(extractBuffer) //nolint:nilaway // the buffer pool is created in archive.go
 	defer archivePool.Put(buf)
 
 	zf, err := os.Open(f)

pkg/archive/zstd.go

@@ -30,7 +30,7 @@ func ExtractZstd(ctx context.Context, d string, f string) error {
 		return nil
 	}
 
-	buf := archivePool.Get(extractBuffer)
+	buf := archivePool.Get(extractBuffer) //nolint:nilaway // the buffer pool is created in archive.go
 
 	uncompressed := strings.TrimSuffix(filepath.Base(f), ".zstd")
 	uncompressed = strings.TrimSuffix(uncompressed, ".zst")

pkg/compile/compile.go

@@ -217,7 +217,5 @@ func Recursive(ctx context.Context, fss []fs.FS) (*yarax.Rules, error) {
 		return nil, fmt.Errorf("compile errors encountered: %v", errors)
 	}
 
-	yrs := yxc.Build()
-
-	return yrs, nil
+	return yxc.Build(), nil
 }

pkg/pool/pool.go

@@ -46,11 +46,11 @@ func (bp *BufferPool) Get(size int64) []byte {
 	bufInterface := bp.pool.Get()
 
 	bufPtr, ok := bufInterface.(*[]byte)
-	if !ok || bufPtr == nil {
+	if !ok {
 		return make([]byte, size)
 	}
 
-	if cap(*bufPtr) < int(size) {
+	if bufPtr != nil && cap(*bufPtr) < int(size) {
 		bp.pool.Put(bufPtr)
 		return make([]byte, size)
 	}
@@ -95,8 +95,13 @@ func NewScannerPool(yrs *yarax.Rules, count int) *ScannerPool {
 }
 
 // Get retrieves a scanner from the scanner pool, blocking if none are available.
-func (sp *ScannerPool) Get() *yarax.Scanner {
-	return <-sp.scanners
+func (sp *ScannerPool) Get(yrs *yarax.Rules) *yarax.Scanner {
+	if sp != nil {
+		return <-sp.scanners
+	}
+	// Guard against a nil scanner pool and
+	// create a new scanner with the cached rules as a fallback
+	return yarax.NewScanner(yrs)
 }
 
 // Put returns a scanner to the scanner pool.

pkg/programkind/programkind.go

@@ -259,7 +259,7 @@ func File(path string) (*FileType, error) {
 
 	initializeHeaderPool()
 
-	buf := headerPool.Get(int64(headerSize))
+	buf := headerPool.Get(int64(headerSize)) //nolint:nilaway // the buffer pool is created above
 	defer headerPool.Put(buf)
 
 	f, err := os.Open(path)

pkg/render/json.go

@@ -33,6 +33,11 @@ func (r JSON) Full(ctx context.Context, c *malcontent.Config, rep *malcontent.Re
 		return ctx.Err()
 	}
 
+	// guard against nil reports
+	if rep == nil {
+		return nil
+	}
+
 	jr := Report{
 		Diff:   rep.Diff,
 		Files:  make(map[string]*malcontent.FileReport),
@@ -61,7 +66,9 @@ func (r JSON) Full(ctx context.Context, c *malcontent.Config, rep *malcontent.Re
 	})
 
 	if c != nil && c.Stats && jr.Diff == nil {
-		jr.Stats = serializedStats(c, rep)
+		if s := serializedStats(c, rep); s != nil {
+			jr.Stats = s
+		}
 	}
 
 	j, err := json.MarshalIndent(jr, "", "    ")

pkg/render/markdown.go

@@ -68,7 +68,7 @@ func (r Markdown) Full(ctx context.Context, _ *malcontent.Config, rep *malconten
 		return ctx.Err()
 	}
 
-	if rep.Diff == nil {
+	if rep == nil || rep.Diff == nil {
 		return nil
 	}
 

pkg/render/render.go

@@ -70,6 +70,11 @@ func riskEmoji(score int) string {
 }
 
 func serializedStats(c *malcontent.Config, r *malcontent.Report) *Stats {
+	// guard against nil reports
+	if r == nil {
+		return nil
+	}
+
 	pkgStats, _, totalBehaviors := PkgStatistics(c, &r.Files)
 	riskStats, totalRisks, processedFiles, skippedFiles := RiskStatistics(c, &r.Files)
 

pkg/render/simple.go

@@ -57,7 +57,8 @@ func (r Simple) Full(ctx context.Context, _ *malcontent.Config, rep *malcontent.
 		return ctx.Err()
 	}
 
-	if rep.Diff == nil {
+	// guard against nil reports
+	if rep == nil || rep.Diff == nil {
 		return nil
 	}
 

pkg/render/stats.go

@@ -117,6 +117,11 @@ func PkgStatistics(_ *malcontent.Config, files *sync.Map) ([]malcontent.StrMetri
 }
 
 func Statistics(c *malcontent.Config, r *malcontent.Report) error {
+	// guard against nil reports
+	if r == nil {
+		return fmt.Errorf("unexpected nil report")
+	}
+
 	riskStats, totalRisks, processedFiles, skippedFiles := RiskStatistics(c, &r.Files)
 	pkgStats, width, totalBehaviors := PkgStatistics(c, &r.Files)
 

pkg/render/strings.go

@@ -118,8 +118,9 @@ func (r StringMatches) Full(ctx context.Context, _ *malcontent.Config, rep *malc
 		return ctx.Err()
 	}
 
+	// guard against nil reports
 	// Non-diff files are handled on the fly by File()
-	if rep.Diff == nil {
+	if rep == nil || rep.Diff == nil {
 		return nil
 	}
 

pkg/render/terminal.go

@@ -101,8 +101,9 @@ func (r Terminal) Full(ctx context.Context, _ *malcontent.Config, rep *malconten
 		return ctx.Err()
 	}
 
+	// guard against nil reports
 	// Non-diff files are handled on the fly by File()
-	if rep.Diff == nil {
+	if rep == nil || rep.Diff == nil {
 		return nil
 	}
 
@@ -187,8 +188,14 @@ func nsLongName(s string) string {
 // split rule into namespace + resource/technique.
 func splitRuleID(s string) (string, string) {
 	parts := strings.Split(s, "/")
-	rest := strings.Join(parts[1:], "/")
-	return parts[0], rest
+	var id, rest string
+	if len(parts) > 0 {
+		id = parts[0]
+		if len(parts) > 1 {
+			rest = strings.Join(parts[1:], "/")
+		}
+	}
+	return id, rest
 }
 
 // suggestedWidth calculates a maximum terminal width to render against.

pkg/render/terminal_brief.go

@@ -78,8 +78,9 @@ func (r TerminalBrief) Full(ctx context.Context, _ *malcontent.Config, rep *malc
 		return ctx.Err()
 	}
 
+	// guard against nil reports
 	// Non-diff files are handled on the fly by File()
-	if rep.Diff == nil {
+	if rep == nil || rep.Diff == nil {
 		return nil
 	}
 

pkg/render/yaml.go

@@ -33,6 +33,11 @@ func (r YAML) Full(ctx context.Context, c *malcontent.Config, rep *malcontent.Re
 		return ctx.Err()
 	}
 
+	// guard against nil reports
+	if rep == nil {
+		return nil
+	}
+
 	// Make the sync.Map YAML-friendly
 	yr := Report{
 		Diff:   rep.Diff,
@@ -60,7 +65,9 @@ func (r YAML) Full(ctx context.Context, c *malcontent.Config, rep *malcontent.Re
 	})
 
 	if c != nil && c.Stats && yr.Diff == nil {
-		yr.Stats = serializedStats(c, rep)
+		if s := serializedStats(c, rep); s != nil {
+			yr.Stats = s
+		}
 	}
 
 	yaml, err := yaml.Marshal(yr)