🐛 Fix nil pointer dereferences in EC2, Elasticsearch, Config, Inspector (#6924)

- EC2: guard device.Ebs, instance.Monitoring, instance.State against nil
- Elasticsearch: nil-check EncryptionAtRestOptions and
  NodeToNodeEncryptionOptions (matching OpenSearch pattern)
- Config: nil-check RecordingGroup before accessing fields
- Inspector: nil-check ScanStatus and AmiId before dereferencing

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tas50

providers/aws/resources/aws_config.go

@@ -73,16 +73,22 @@ func (a *mqlAwsConfig) getRecorders(conn *connection.AwsConnection) []*jobpool.J
 					recording = val.recording
 					lastStatus = val.lastStatus
 				}
-				resourceTypesInterface := make([]any, len(r.RecordingGroup.ResourceTypes))
-				for i, resourceType := range r.RecordingGroup.ResourceTypes {
-					resourceTypesInterface[i] = string(resourceType)
+				var resourceTypesInterface []any
+				var allSupported, includeGlobalResourceTypes bool
+				if r.RecordingGroup != nil {
+					resourceTypesInterface = make([]any, len(r.RecordingGroup.ResourceTypes))
+					for i, resourceType := range r.RecordingGroup.ResourceTypes {
+						resourceTypesInterface[i] = string(resourceType)
+					}
+					allSupported = r.RecordingGroup.AllSupported
+					includeGlobalResourceTypes = r.RecordingGroup.IncludeGlobalResourceTypes
 				}
 				mqlRecorder, err := CreateResource(a.MqlRuntime, "aws.config.recorder",
 					map[string]*llx.RawData{
 						"name":                       llx.StringDataPtr(r.Name),
 						"roleArn":                    llx.StringDataPtr(r.RoleARN),
-						"allSupported":               llx.BoolData(r.RecordingGroup.AllSupported),
-						"includeGlobalResourceTypes": llx.BoolData(r.RecordingGroup.IncludeGlobalResourceTypes),
+						"allSupported":               llx.BoolData(allSupported),
+						"includeGlobalResourceTypes": llx.BoolData(includeGlobalResourceTypes),
 						"resourceTypes":              llx.ArrayData(resourceTypesInterface, types.String),
 						"recording":                  llx.BoolData(recording),
 						"region":                     llx.StringData(region),

providers/aws/resources/aws_ec2.go

@@ -1084,6 +1084,9 @@ func (a *mqlAwsEc2) gatherInstanceInfo(instances []ec2types.Instance, regionVal
 	for _, instance := range instances {
 		mqlDevices := []any{}
 		for _, device := range instance.BlockDeviceMappings {
+			if device.Ebs == nil {
+				continue
+			}
 			mqlInstanceDevice, err := CreateResource(a.MqlRuntime, ResourceAwsEc2InstanceDevice,
 				map[string]*llx.RawData{
 					"deleteOnTermination": llx.BoolData(convert.ToValue(device.Ebs.DeleteOnTermination)),
@@ -1112,11 +1115,19 @@ func (a *mqlAwsEc2) gatherInstanceInfo(instances []ec2types.Instance, regionVal
 				stateTransitionTime = llx.NeverPastTime
 			}
 		}
+		var detailedMonitoring string
+		if instance.Monitoring != nil {
+			detailedMonitoring = string(instance.Monitoring.State)
+		}
+		var stateName string
+		if instance.State != nil {
+			stateName = string(instance.State.Name)
+		}
 		instanceArn := fmt.Sprintf(ec2InstanceArnPattern, regionVal, conn.AccountId(), convert.ToValue(instance.InstanceId))
 		args := map[string]*llx.RawData{
 			"architecture":       llx.StringData(string(instance.Architecture)),
 			"arn":                llx.StringData(instanceArn),
-			"detailedMonitoring": llx.StringData(string(instance.Monitoring.State)),
+			"detailedMonitoring": llx.StringData(detailedMonitoring),
 			"deviceMappings":     llx.ArrayData(mqlDevices, types.Type(ResourceAwsEc2InstanceDevice)),
 			"ebsOptimized":       llx.BoolDataPtr(instance.EbsOptimized),
 			"enaSupported":       llx.BoolDataPtr(instance.EnaSupport),
@@ -1134,7 +1145,7 @@ func (a *mqlAwsEc2) gatherInstanceInfo(instances []ec2types.Instance, regionVal
 			"region":             llx.StringData(regionVal),
 			"rootDeviceName":     llx.StringDataPtr(instance.RootDeviceName),
 			"rootDeviceType":     llx.StringData(string(instance.RootDeviceType)),
-			"state":              llx.StringData(string(instance.State.Name)),
+			"state":              llx.StringData(stateName),
 			"stateReason":        llx.MapData(stateReason, types.Any),
 			// "iamInstanceProfile":    llx.MapData(iamInstanceProfile, types.Any),
 			"stateTransitionReason": llx.StringDataPtr(instance.StateTransitionReason),

providers/aws/resources/aws_es.go

@@ -139,8 +139,16 @@ func initAwsEsDomain(runtime *plugin.Runtime, args map[string]*llx.RawData) (map
 	if err != nil {
 		return nil, nil, err
 	}
-	args["encryptionAtRestEnabled"] = llx.BoolData(convert.ToValue(domainDetails.DomainStatus.EncryptionAtRestOptions.Enabled))
-	args["nodeToNodeEncryptionEnabled"] = llx.BoolData(convert.ToValue(domainDetails.DomainStatus.NodeToNodeEncryptionOptions.Enabled))
+	var encryptionAtRestEnabled bool
+	if domainDetails.DomainStatus.EncryptionAtRestOptions != nil {
+		encryptionAtRestEnabled = convert.ToValue(domainDetails.DomainStatus.EncryptionAtRestOptions.Enabled)
+	}
+	args["encryptionAtRestEnabled"] = llx.BoolData(encryptionAtRestEnabled)
+	var nodeToNodeEncryptionEnabled bool
+	if domainDetails.DomainStatus.NodeToNodeEncryptionOptions != nil {
+		nodeToNodeEncryptionEnabled = convert.ToValue(domainDetails.DomainStatus.NodeToNodeEncryptionOptions.Enabled)
+	}
+	args["nodeToNodeEncryptionEnabled"] = llx.BoolData(nodeToNodeEncryptionEnabled)
 	args["endpoint"] = llx.StringDataPtr(domainDetails.DomainStatus.Endpoint)
 	args["arn"] = llx.StringDataPtr(domainDetails.DomainStatus.ARN)
 	args["elasticsearchVersion"] = llx.StringDataPtr(domainDetails.DomainStatus.ElasticsearchVersion)

providers/aws/resources/aws_inspector.go

@@ -73,14 +73,19 @@ func (a *mqlAwsInspector) getCoverage(conn *connection.AwsConnection) []*jobpool
 					if coverage.AccountId == nil || coverage.ResourceId == nil {
 						continue
 					}
+					var statusReason, statusCode string
+					if coverage.ScanStatus != nil {
+						statusReason = string(coverage.ScanStatus.Reason)
+						statusCode = string(coverage.ScanStatus.StatusCode)
+					}
 					mqlCoverage, err := CreateResource(a.MqlRuntime, "aws.inspector.coverage",
 						map[string]*llx.RawData{
 							"accountId":     llx.StringDataPtr(coverage.AccountId),
 							"resourceId":    llx.StringDataPtr(coverage.ResourceId),
 							"resourceType":  llx.StringData(string(coverage.ResourceType)),
 							"lastScannedAt": llx.TimeDataPtr(coverage.LastScannedAt),
-							"statusReason":  llx.StringData(string(coverage.ScanStatus.Reason)),
-							"statusCode":    llx.StringData(string(coverage.ScanStatus.StatusCode)),
+							"statusReason":  llx.StringData(statusReason),
+							"statusCode":    llx.StringData(statusCode),
 							"scanType":      llx.StringData(string(coverage.ScanType)),
 							"region":        llx.StringData(region),
 						},
@@ -131,7 +136,9 @@ func (a *mqlAwsInspectorCoverage) ec2Instance() (*mqlAwsInspectorCoverageInstanc
 		}
 		mqlEc2Instance, err := CreateResource(a.MqlRuntime, "aws.inspector.coverage.instance", args)
 		if err == nil {
-			mqlEc2Instance.(*mqlAwsInspectorCoverageInstance).cacheAmiId = *a.cacheCoverage.ResourceMetadata.Ec2.AmiId
+			if a.cacheCoverage.ResourceMetadata.Ec2.AmiId != nil {
+				mqlEc2Instance.(*mqlAwsInspectorCoverageInstance).cacheAmiId = *a.cacheCoverage.ResourceMetadata.Ec2.AmiId
+			}
 			return mqlEc2Instance.(*mqlAwsInspectorCoverageInstance), err
 		}
 	}