security-code-scan panics: index out of range error

Summary

security-code-scan v2.18.1 panics when scanning a C# repository:

panic: runtime error: index out of range [2] with length 0

The error is caused by the parse function in convert.go: it indexes a slice of strings without first checking that the slice has the expected length, so a slice of length 0 triggers the out-of-range panic.

Steps to reproduce

  • create a C# project
  • enable SAST by including the SAST CI template in the CI configuration file
  • create a pipeline

Example Project

See failing jobs for csharp-dotnetcore-multiproject (test project used for QA):

What is the current bug behavior?

The analyzer panics.

What is the expected correct behavior?

The analyzer scans the repo and generates a SAST security report.

Relevant logs and/or screenshots

See https://gitlab.com/gitlab-org/security-products/tests/csharp-dotnetcore-multiproject/-/jobs/1022565431#L249

[INFO] [security-code-scan] [2021-02-11T01:11:40Z] ▶ GitLab security-code-scan analyzer v2.18.1
[INFO] [security-code-scan] [2021-02-11T01:11:40Z] ▶ Detecting project
[INFO] [security-code-scan] [2021-02-11T01:11:40Z] ▶ Found project in /builds/gitlab-org/security-products/tests/csharp-dotnetcore-multiproject
[INFO] [security-code-scan] [2021-02-11T01:11:40Z] ▶ Running analyzer
[INFO] [security-code-scan] [2021-02-11T01:11:40Z] ▶ Found solution /builds/gitlab-org/security-products/tests/csharp-dotnetcore-multiproject/DotNetMultiProject.sln
[INFO] [security-code-scan] [2021-02-11T01:12:05Z] ▶ Creating report
panic: runtime error: index out of range [2] with length 0
goroutine 1 [running]:
main.parse(0xc00001a210, 0xab, 0xc000156340, 0x4, 0x4)
	/go/src/buildapp/convert.go:103 +0x286
main.convert(0x7f92f0b51658, 0xc0001a8030, 0x68491c, 0x1, 0xc0001a8030, 0x1, 0x0)
	/go/src/buildapp/convert.go:45 +0x105
gitlab.com/gitlab-org/security-products/analyzers/common/v2/command.Run.func1(0xc000082ac0, 0x0, 0x0)
	/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/common/v2@v2.22.1/command/run.go:149 +0x688
github.com/urfave/cli/v2.(*Command).Run(0xc0000e6000, 0xc000082780, 0x0, 0x0)
	/go/pkg/mod/github.com/urfave/cli/v2@v2.3.0/command.go:163 +0x4ed
github.com/urfave/cli/v2.(*App).RunContext(0xc000076b60, 0x6d5ac0, 0xc00001c090, 0xc00000c080, 0x2, 0x2, 0x0, 0x0)
	/go/pkg/mod/github.com/urfave/cli/v2@v2.3.0/app.go:313 +0x81f
github.com/urfave/cli/v2.(*App).Run(...)
	/go/pkg/mod/github.com/urfave/cli/v2@v2.3.0/app.go:224
main.main()
	/go/src/buildapp/main.go:37 +0x446

gemnasium is also affected by this issue. See failing job

Output of checks

Results of GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

(we will only investigate if the tests are passing)

Possible fixes

Skip the line, or return an error, when m does not have the expected length instead of indexing it unconditionally. See https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan/-/blob/v2.18.1/convert.go#L103
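As an added illustration of the fix suggested above (this is example code, not the analyzer's own convert.go, whose line format and types are not shown in this issue), the Go snippet below parses constructed tool-output lines with a regexp and checks the submatch slice's length before indexing it. A regexp that does not match returns a nil submatch slice, which is exactly the length-0 slice that produces `index out of range [2] with length 0` when `m[2]` is read without a check. Both options from the issue are shown: skipping malformed lines (and counting them) or failing fast with an error. The `File(line): message` format, the `finding` type and the sample lines are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// finding is a minimal stand-in for a SAST finding (assumed; the real
// analyzer's types are not shown on the page).
type finding struct {
	File    string
	Line    int
	Message string
}

// findingRe matches the constructed "File(line): message" line format.
// FindStringSubmatch returns a 4-element slice on a match and nil otherwise.
var findingRe = regexp.MustCompile(`^(.+?)\((\d+)\): (.*)$`)

// errMalformed marks lines that do not have the expected shape.
var errMalformed = errors.New("malformed finding line")

// parseLine is the checked version of an unconditional m[2] access: the
// length of m is verified before any index is touched, so a non-matching
// line yields an error instead of a panic.
func parseLine(line string) (finding, error) {
	m := findingRe.FindStringSubmatch(line)
	if len(m) != 4 { // nil (len 0) when the regexp does not match
		return finding{}, fmt.Errorf("%w: %q", errMalformed, line)
	}
	n, err := strconv.Atoi(m[2])
	if err != nil {
		return finding{}, fmt.Errorf("%w: bad line number in %q", errMalformed, line)
	}
	return finding{File: m[1], Line: n, Message: m[3]}, nil
}

// parseAll applies parseLine to every non-empty line of output. With
// skipMalformed=true malformed lines are dropped and counted ("skip line");
// with false the first malformed line aborts the parse ("return an error").
func parseAll(output string, skipMalformed bool) ([]finding, int, error) {
	var out []finding
	skipped := 0
	for _, line := range strings.Split(output, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		f, err := parseLine(line)
		if err != nil {
			if skipMalformed && errors.Is(err, errMalformed) {
				skipped++
				continue
			}
			return nil, skipped, err
		}
		out = append(out, f)
	}
	return out, skipped, nil
}

// sampleOutput is constructed for this example: two well-formed lines and one
// line that would have triggered the panic in an unchecked m[2] access.
const sampleOutput = "Controllers/Home.cs(42): example finding A\n" +
	"garbage line without the expected shape\n" +
	"Program.cs(7): example finding B\n"

func main() {
	findings, skipped, err := parseAll(sampleOutput, true)
	fmt.Printf("skip mode: findings=%d skipped=%d err=%v\n", len(findings), skipped, err)

	_, _, err = parseAll(sampleOutput, false)
	fmt.Println("fail-fast mode:", err)
}
```

Either choice prevents the crash; the skip variant keeps the report generation going and should log the count of dropped lines so that silently lost findings are visible in the job output, while the fail-fast variant makes a format change in the underlying tool's output surface immediately.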

Edited by Fabien Catteau