Open
Labels
bug (Something isn't working)
Description
Describe the bug
ScaResults is a ptr in TargetResults struct but there are missing checks to cope with it.
Current behavior
$ JFROG_CLI_LOG_LEVEL=DEBUG ~/Downloads/jfrog-cli-mac-arm64-2.78.2 scan go.mod
...
14:15:37 [Debug] JFrog CLI version: 2.78.2
14:15:37 [Debug] OS/Arch: darwin/arm64
14:15:37 [Debug] Trace ID for JFrog Platform logs: 04ebfad0fba6811a
14:15:37 [Debug] Using <uat2> server-id configuration
14:15:37 [Debug] Refreshing token...
14:15:37 [Debug] Creating lock in: /Users/rlavoie/.jfrog/locks/config
14:15:37 [Debug] Lock hasn't been acquired.
14:15:37 [Debug] Removing lock file /Users/rlavoie/.jfrog/locks/config/jfrog-cli.conf.lck.34647.1754504044789259000 since the creating process is no longer running
14:15:37 [Debug] Releasing lock: /Users/rlavoie/.jfrog/locks/config/jfrog-cli.conf.lck.34647.1754504044789259000
...
14:15:53 [🔵Info] [Thread 2] Indexing file: go.mod
14:15:53 [Debug] Artifactory response: 200
14:15:53 [Debug] Artifactory Call Home: Sending info...
14:15:53 [Debug] Refreshing token...
14:15:53 [Debug] Creating lock in: /Users/rlavoie/.jfrog/locks/config
14:15:53 [Debug] Fetched new token from config.
14:15:53 [Debug] Releasing lock: /Users/rlavoie/.jfrog/locks/config/jfrog-cli.conf.lck.34720.1754504153891101000
14:15:53 [Debug] Refreshing token...
...
14:15:53 [Debug] Creating lock in: /Users/rlavoie/.jfrog/locks/config
14:15:56 [Debug] File go.mod is not supported by Xray indexer app.
14:15:56 [Debug] No components found in the SBOM for target go.mod, skipping SCA scan.
14:15:56 [Debug] file not supported, skipping scans on file go.mod
14:15:56 [Debug] No information to print
Vulnerable Components
┌───────────────────────────────────────────┐
│ ✨ No vulnerable components were found ✨ │
└───────────────────────────────────────────┘
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x40 pc=0x105e28f40]
goroutine 1 [running]:
github.com/jfrog/jfrog-cli-security/utils/results.checkIfFailBuildWithoutConsideringApplicability(...)
/Users/runner/go/pkg/mod/github.com/jfrog/jfrog-cli-security@v1.20.2/utils/results/common.go:119
github.com/jfrog/jfrog-cli-security/utils/results.CheckIfFailBuild(0x140006c0000)
/Users/runner/go/pkg/mod/github.com/jfrog/jfrog-cli-security@v1.20.2/utils/results/common.go:65 +0x70
github.com/jfrog/jfrog-cli-security/commands/scan.(*ScanCommand).RunAndRecordResults(0x14000001680, {0x10649b8c8?, 0x10501fc10?}, 0x140006475c8)
/Users/runner/go/pkg/mod/github.com/jfrog/jfrog-cli-security@v1.20.2/commands/scan/scan.go:251 +0x3bc
github.com/jfrog/jfrog-cli-security/commands/scan.(*ScanCommand).Run(0x14000647618?)
/Users/runner/go/pkg/mod/github.com/jfrog/jfrog-cli-security@v1.20.2/commands/scan/scan.go:199 +0x3c
github.com/jfrog/jfrog-cli-core/v2/common/commands.Exec({0x106f98f20, 0x14000001680})
/Users/runner/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/common/commands/command.go:36 +0x9c
github.com/jfrog/jfrog-cli-security/cli.ScanCmd(0x140005e80f0)
/Users/runner/go/pkg/mod/github.com/jfrog/jfrog-cli-security@v1.20.2/cli/scancommands.go:305 +0x6dc
github.com/jfrog/jfrog-cli-core/v2/plugins/components.convertCommand.getActionFunc.func2(0x14000647718?)
/Users/runner/go/pkg/mod/github.com/jfrog/jfrog-cli-core/[email protected]/plugins/components/conversionlayer.go:377 +0x58
github.com/urfave/cli.HandleAction({0x106b43ae0?, 0x14000285610?}, 0x4?)
/Users/runner/go/pkg/mod/github.com/urfave/[email protected]/app.go:522 +0x58
github.com/urfave/cli.Command.Run({{0x10649497d, 0x4}, {0x0, 0x0}, {0x140002846f0, 0x1, 0x1}, {0x10656e5c8, 0x36}, {0x140004123c0, ...}, ...}, ...)
/Users/runner/go/pkg/mod/github.com/urfave/[email protected]/command.go:175 +0x524
github.com/urfave/cli.(*App).Run(0x14000353180, {0x1400003a1e0, 0x3, 0x3})
/Users/runner/go/pkg/mod/github.com/urfave/[email protected]/app.go:277 +0x7e0
main.execMain()
/Users/runner/work/jfrog-cli/jfrog-cli/main.go:136 +0x4e8
main.main()
/Users/runner/work/jfrog-cli/jfrog-cli/main.go:71 +0x20
Reproduction steps
Scan an unsupported file, such as go.mod
Expected behavior
No SIGSEGV
JFrog CLI-Security version
1.20.2
JFrog CLI version (if applicable)
2.78.2
Operating system type and version
MacOS Sequoia 15.3.2
JFrog Xray version
No response
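The class of bug reported above, as an added example that is not the project's own code: a results struct holds a pointer that stays nil when a scan is skipped, and the fail-build check must guard it. Only the names `TargetResults` and `ScaResults` come from the report; the fields, the functions and the sample data are assumptions.

```go
package main

import "fmt"

// Simplified stand-ins: only the names TargetResults and ScaResults come from
// the report; all fields and functions here are assumptions for illustration.
type ScaScanResults struct {
	FailBuildViolations int
}

type TargetResults struct {
	Target     string
	ScaResults *ScaScanResults // nil when the SCA scan was skipped
}

// failBuildUnchecked dereferences ScaResults directly; a skipped scan panics.
func failBuildUnchecked(targets []*TargetResults) bool {
	for _, t := range targets {
		if t.ScaResults.FailBuildViolations > 0 {
			return true
		}
	}
	return false
}

// failBuildChecked treats a nil target or nil ScaResults as "nothing scanned".
func failBuildChecked(targets []*TargetResults) bool {
	for _, t := range targets {
		if t == nil || t.ScaResults == nil {
			continue
		}
		if t.ScaResults.FailBuildViolations > 0 {
			return true
		}
	}
	return false
}

// panics reports whether f panicked, so the unchecked path can be run safely.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	skipped := []*TargetResults{{Target: "go.mod"}} // constructed: scan skipped
	fmt.Println(panics(func() { failBuildUnchecked(skipped) }), failBuildChecked(skipped))
}
```

A regression test for this kind of fix should include a target with no SCA results alongside a scanned one, so the guard is exercised without masking real findings.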