Skip to content

🐛 Fix nil pointer dereferences in EC2, Elasticsearch, Config, Inspector#6924

Merged
vjeffrey merged 1 commit intomainfrom
tsmith/fix-aws-nil-deref-2
Mar 16, 2026
Merged

🐛 Fix nil pointer dereferences in EC2, Elasticsearch, Config, Inspector#6924
vjeffrey merged 1 commit intomainfrom
tsmith/fix-aws-nil-deref-2

Conversation

@tas50
Copy link
Copy Markdown
Member

@tas50 tas50 commented Mar 16, 2026

Summary

  • EC2 (aws_ec2.go): Guard device.Ebs, instance.Monitoring, and instance.State against nil before accessing their fields in gatherInstanceInfo. Instance-store volumes have nil Ebs, and the Monitoring/State pointers can also be nil.
  • Elasticsearch (aws_es.go): Nil-check EncryptionAtRestOptions and NodeToNodeEncryptionOptions before accessing .Enabled, matching the existing pattern in aws_opensearch.go.
  • Config (aws_config.go): Nil-check RecordingGroup before accessing .ResourceTypes, .AllSupported, and .IncludeGlobalResourceTypes.
  • Inspector (aws_inspector.go): Nil-check ScanStatus before accessing .Reason and .StatusCode. Nil-check AmiId (*string) before dereferencing it.

Test plan

  • Build AWS provider (go build ./providers/aws/...) -- verified locally
  • Run mql run aws -c "aws.ec2.instances { state, detailedMonitoring, deviceMappings }" against an account with instance-store backed instances
  • Run mql run aws -c "aws.es.domains { encryptionAtRestEnabled, nodeToNodeEncryptionEnabled }" against an account with legacy ES domains
  • Run mql run aws -c "aws.config.recorders" against an account where some recorders have no recording group
  • Run mql run aws -c "aws.inspector.coverages { statusReason, statusCode, ec2Instance }" against an account with Inspector coverage

🤖 Generated with Claude Code

@tas50 @claude
🐛 Fix nil pointer dereferences in EC2, Elasticsearch, Config, Inspector
ab9c494 
- EC2: guard device.Ebs, instance.Monitoring, instance.State against nil
- Elasticsearch: nil-check EncryptionAtRestOptions and
  NodeToNodeEncryptionOptions (matching OpenSearch pattern)
- Config: nil-check RecordingGroup before accessing fields
- Inspector: nil-check ScanStatus and AmiId before dereferencing

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mondoo-code-review[bot]
mondoo-code-review bot approved these changes Mar 16, 2026
View reviewed changes
Copy link
Copy Markdown

@mondoo-code-review mondoo-code-review bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixes multiple nil pointer dereferences that could crash AWS provider queries for EC2 instances, Inspector coverage, Config recorders, and Elasticsearch domains.

@tas50 tas50 changed the title Fix nil pointer dereferences in EC2, Elasticsearch, Config, Inspector 🐛 Fix nil pointer dereferences in EC2, Elasticsearch, Config, Inspector Mar 16, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 16, 2026

Test Results

5 452 tests  ±0   5 448 ✅ ±0   2m 9s ⏱️ +11s
  412 suites ±0       4 💤 ±0 
   31 files   ±0       0 ❌ ±0 

Results for commit ab9c494. ± Comparison against base commit 04a4fcc.

@vjeffrey vjeffrey merged commit 33800a2 into main Mar 16, 2026
22 checks passed
@vjeffrey vjeffrey deleted the tsmith/fix-aws-nil-deref-2 branch March 16, 2026 16:22
@github-actions github-actions bot locked and limited conversation to collaborators Mar 16, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@mondoo-code-review mondoo-code-review[bot] mondoo-code-review[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tas50 @vjeffrey