# security-code-scan panics: index out of range error
### Summary

[security-code-scan](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan) v2.18.1 panics when scanning a C# repository:

```
panic: runtime error: index out of range [2] with length 0
```

The error is caused by the [`parse` function](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan/-/blob/v2.18.1/convert.go#L103) of [convert.go](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan/-/blob/v2.18.1/convert.go): it indexes the slice of strings without first checking that the slice has the expected length.

### Steps to reproduce

- create a C# project
- enable SAST by including the SAST CI template in the CI configuration file
- create a pipeline

### Example Project

See failing jobs for [csharp-dotnetcore-multiproject](https://gitlab.com/gitlab-org/security-products/tests/csharp-dotnetcore-multiproject) (test project used for QA):

- https://gitlab.com/gitlab-org/security-products/tests/csharp-dotnetcore-multiproject/-/jobs/1022565431
- https://gitlab.com/gitlab-org/security-products/tests/csharp-dotnetcore-multiproject/-/jobs/1022565443
- https://gitlab.com/gitlab-org/security-products/tests/csharp-dotnetcore-multiproject/-/jobs/1022565467

### What is the current *bug* behavior?

The analyzer panics.

### What is the expected *correct* behavior?

The analyzer scans the repo and generates a SAST security report.
### Relevant logs and/or screenshots

See https://gitlab.com/gitlab-org/security-products/tests/csharp-dotnetcore-multiproject/-/jobs/1022565431#L249

```
[INFO] [security-code-scan] [2021-02-11T01:11:40Z] ▶ GitLab security-code-scan analyzer v2.18.1
[INFO] [security-code-scan] [2021-02-11T01:11:40Z] ▶ Detecting project
[INFO] [security-code-scan] [2021-02-11T01:11:40Z] ▶ Found project in /builds/gitlab-org/security-products/tests/csharp-dotnetcore-multiproject
[INFO] [security-code-scan] [2021-02-11T01:11:40Z] ▶ Running analyzer
[INFO] [security-code-scan] [2021-02-11T01:11:40Z] ▶ Found solution /builds/gitlab-org/security-products/tests/csharp-dotnetcore-multiproject/DotNetMultiProject.sln
[INFO] [security-code-scan] [2021-02-11T01:12:05Z] ▶ Creating report
panic: runtime error: index out of range [2] with length 0

goroutine 1 [running]:
main.parse(0xc00001a210, 0xab, 0xc000156340, 0x4, 0x4)
	/go/src/buildapp/convert.go:103 +0x286
main.convert(0x7f92f0b51658, 0xc0001a8030, 0x68491c, 0x1, 0xc0001a8030, 0x1, 0x0)
	/go/src/buildapp/convert.go:45 +0x105
gitlab.com/gitlab-org/security-products/analyzers/common/v2/command.Run.func1(0xc000082ac0, 0x0, 0x0)
	/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/common/v2@v2.22.1/command/run.go:149 +0x688
github.com/urfave/cli/v2.(*Command).Run(0xc0000e6000, 0xc000082780, 0x0, 0x0)
	/go/pkg/mod/github.com/urfave/cli/v2@v2.3.0/command.go:163 +0x4ed
github.com/urfave/cli/v2.(*App).RunContext(0xc000076b60, 0x6d5ac0, 0xc00001c090, 0xc00000c080, 0x2, 0x2, 0x0, 0x0)
	/go/pkg/mod/github.com/urfave/cli/v2@v2.3.0/app.go:313 +0x81f
github.com/urfave/cli/v2.(*App).Run(...)
	/go/pkg/mod/github.com/urfave/cli/v2@v2.3.0/app.go:224
main.main()
	/go/src/buildapp/main.go:37 +0x446
```

[gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium) is also affected by this issue.
See [failing job](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/jobs/1023098686)

### Possible fixes

Skip the line, or return an error, when `m` doesn't have the expected number of elements. See https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan/-/blob/v2.18.1/convert.go#L103
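To illustrate the fix suggested above, here is an added Go example that is not code from the security-code-scan analyzer. It contrasts an unchecked `parse` that indexes a regexp submatch slice directly (reproducing the `index out of range [2] with length 0` panic on a non-matching line) with a checked version that verifies the slice length first and lets the caller skip the line. The MSBuild-style diagnostic line format, the `Finding` type and the sample input are assumptions constructed for the example; the analyzer's real regex and types live in convert.go.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// Finding is a minimal representation of one parsed diagnostic line.
// The field set is an assumption for this example, not the analyzer's own type.
type Finding struct {
	Path    string
	Line    int
	RuleID  string
	Message string
}

// lineRe matches a hypothetical MSBuild-style warning such as
//   Program.cs(12,5): warning SCS0005: Weak random number generator.
// The pattern is an assumption for this example; the real one is in convert.go.
var lineRe = regexp.MustCompile(`^(.+?)\((\d+),(\d+)\): warning (SCS\d+): (.*)$`)

// ErrMalformed is returned for lines that do not have the expected layout.
var ErrMalformed = errors.New("line does not match diagnostic format")

// parseUnchecked mirrors the failure mode from the report: it indexes the
// submatch slice without checking its length. FindStringSubmatch returns nil
// (length 0) for a non-matching line, so m[2] panics with "index out of range".
func parseUnchecked(line string) Finding {
	m := lineRe.FindStringSubmatch(line)
	n, _ := strconv.Atoi(m[2]) // panics when len(m) == 0
	return Finding{Path: m[1], Line: n, RuleID: m[4], Message: m[5]}
}

// parseChecked is the hardened form: it verifies that the submatch slice has
// exactly the expected size (element 0 is the whole match, then one entry per
// capture group) before indexing, and returns an error instead of panicking.
func parseChecked(line string) (Finding, error) {
	m := lineRe.FindStringSubmatch(line)
	if len(m) != lineRe.NumSubexp()+1 {
		return Finding{}, fmt.Errorf("%w: %q", ErrMalformed, line)
	}
	n, err := strconv.Atoi(m[2])
	if err != nil {
		return Finding{}, fmt.Errorf("bad line number in %q: %w", line, err)
	}
	return Finding{Path: m[1], Line: n, RuleID: m[4], Message: m[5]}, nil
}

// convert parses every line of analyzer output. Lines that are not
// diagnostics are skipped (the "skip line" option from the report) and
// counted, so the caller can log how much input was ignored rather than
// silently losing findings.
func convert(lines []string) (findings []Finding, skipped int) {
	for _, l := range lines {
		f, err := parseChecked(l)
		if err != nil {
			skipped++
			continue
		}
		findings = append(findings, f)
	}
	return findings, skipped
}

func main() {
	// Constructed sample output: two diagnostics and one unrelated build line.
	sample := []string{
		"Program.cs(12,5): warning SCS0005: Weak random number generator.",
		"Build succeeded.",
		"Controllers/HomeController.cs(40,17): warning SCS0018: Path traversal.",
	}
	findings, skipped := convert(sample)
	fmt.Printf("parsed %d findings, skipped %d line(s)\n", len(findings), skipped)
	for _, f := range findings {
		fmt.Printf("%s:%d %s %s\n", f.Path, f.Line, f.RuleID, f.Message)
	}
}
```

The length check compares against `lineRe.NumSubexp()+1` rather than a hard-coded number, so the guard stays correct if a capture group is later added to the pattern; whether a malformed line should be skipped or abort the scan is a policy choice, and counting skipped lines keeps that choice visible in the job log either way.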