
I have currently initialized a simple React project using the command

npx create-react-app my-app --template typescript

Then I came across a static code analyzer, Bearer, which I installed using the following commands

sudo apt-get install apt-transport-https
echo "deb [trusted=yes] https://apt.fury.io/bearer/ /" | sudo tee -a /etc/apt/sources.list.d/fury.list
sudo apt-get update
sudo apt-get install bearer

Then as per their documentation, I have initialized a config file

bearer init

This created the following file

report:
  format: ''
  output: ''
  report: security
  severity: critical,high,medium,low,warning
rule:
  disable-default-rules: false
  only-rule: []
  skip-rule: []
scan:
  context: ''
  data_subject_mapping: ''
  debug: false
  disable-domain-resolution: true
  domain-resolution-timeout: 3s
  external-rule-dir: []
  force: true
  internal-domains: []
  quiet: false
  scanner:
    - sast
  skip-path: []

NOTE: This created a bin/bearer file in the root directory of my React project.

Then as per their commands section I ran the scan using the following command where my pwd was the root directory of my React project

bearer scan

This failed with the following error

Loading rules
bearer: dl-call-libc-early-init.c:37: _dl_call_libc_early_init: Assertion `sym != NULL' failed.
SIGABRT: abort
PC=0x1103c2c m=0 sigcode=18446744073709551610
signal arrived during cgo execution

goroutine 28 [syscall]:
runtime.cgocall(0xee7050, 0xc00006c598)
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/cgocall.go:158 +0x5c fp=0xc00006c570 sp=0xc00006c538 pc=0x408b3c
net._C2func_getaddrinfo(0xc00133d510, 0x0, 0xc001358660, 0xc000127aa0)
    _cgo_gotypes.go:94 +0x56 fp=0xc00006c598 sp=0xc00006c570 pc=0x61bf16
net.cgoLookupIPCNAME.func1({0xc00133d510, 0x0?, 0x0?}, 0xc000155c20?, 0x620cfb?)
    /opt/hostedtoolcache/go/1.19.7/x64/src/net/cgo_unix.go:160 +0x9f fp=0xc00006c5f0 sp=0xc00006c598 pc=0x61d7bf
net.cgoLookupIPCNAME({0x13bfdbd, 0x3}, {0xc000155c20, 0xe})
    /opt/hostedtoolcache/go/1.19.7/x64/src/net/cgo_unix.go:160 +0x173 fp=0xc00006c738 sp=0xc00006c5f0 pc=0x61d013
net.cgoIPLookup(0x3fc8d30?, {0x13bfdbd?, 0xc000155c38?}, {0xc000155c20?, 0xc000168dc0?})
    /opt/hostedtoolcache/go/1.19.7/x64/src/net/cgo_unix.go:217 +0x3b fp=0xc00006c7a8 sp=0xc00006c738 pc=0x61d87b
net.cgoLookupIP.func1()
    /opt/hostedtoolcache/go/1.19.7/x64/src/net/cgo_unix.go:227 +0x36 fp=0xc00006c7e0 sp=0xc00006c7a8 pc=0x61dcb6
runtime.goexit()
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc00006c7e8 sp=0xc00006c7e0 pc=0x46cee1
created by net.cgoLookupIP
    /opt/hostedtoolcache/go/1.19.7/x64/src/net/cgo_unix.go:227 +0x12a

goroutine 1 [select]:
runtime.gopark(0xc00109e810?, 0x4?, 0x18?, 0x0?, 0xc00109e6b8?)
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/proc.go:363 +0xd6 fp=0xc00109e510 sp=0xc00109e4f0 pc=0x43f196
runtime.selectgo(0xc00109e810, 0xc00109e6b0, 0xc001353520?, 0x0, 0x0?, 0x1)
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/select.go:328 +0x7bc fp=0xc00109e650 sp=0xc00109e510 pc=0x44e69c
net/http.(*Transport).getConn(0x3c2ec80, 0xc00133e240, {{}, 0x0, {0xc001308540, 0x5}, {0xc000155c20, 0x12}, 0x0})
    /opt/hostedtoolcache/go/1.19.7/x64/src/net/http/transport.go:1376 +0x5c6 fp=0xc00109e868 sp=0xc00109e650 pc=0x711546
net/http.(*Transport).roundTrip(0x3c2ec80, 0xc00133a400)
    /opt/hostedtoolcache/go/1.19.7/x64/src/net/http/transport.go:582 +0x75e fp=0xc00109ea90 sp=0xc00109e868 pc=0x70d1fe
net/http.(*Transport).RoundTrip(0x203000?, 0x19f7740?)
    /opt/hostedtoolcache/go/1.19.7/x64/src/net/http/roundtrip.go:17 +0x19 fp=0xc00109eab0 sp=0xc00109ea90 pc=0x6f4f99
net/http.send(0xc00133a400, {0x19f7740, 0x3c2ec80}, {0x13964a0?, 0x1?, 0x0?})
    /opt/hostedtoolcache/go/1.19.7/x64/src/net/http/client.go:251 +0x5f7 fp=0xc00109eca8 sp=0xc00109eab0 pc=0x6b6697
net/http.(*Client).send(0x3fc9700, 0xc00133a400, {0xc000411cb0?, 0x30?, 0x0?})
    /opt/hostedtoolcache/go/1.19.7/x64/src/net/http/client.go:175 +0x9b fp=0xc00109ed20 sp=0xc00109eca8 pc=0x6b5f1b
net/http.(*Client).do(0x3fc9700, 0xc00133a400)
    /opt/hostedtoolcache/go/1.19.7/x64/src/net/http/client.go:715 +0x8fc fp=0xc00109ef10 sp=0xc00109ed20 pc=0x6b829c
net/http.(*Client).Do(...)
    /opt/hostedtoolcache/go/1.19.7/x64/src/net/http/client.go:581
github.com/google/go-github/github.(*Client).Do(0xc001313cc0, {0x19fee58, 0xc000130000}, 0xc00133a300, {0x13813e0, 0xc001345ea0})
    /home/runner/go/pkg/mod/github.com/google/[email protected]+incompatible/github/github.go:473 +0x255 fp=0xc00109f028 sp=0xc00109ef10 pc=0x729495
github.com/google/go-github/github.(*RepositoriesService).getSingleRelease(0xc001313d48, {0x19fee58, 0xc000130000}, {0xc000145800?, 0x2?})
    /home/runner/go/pkg/mod/github.com/google/[email protected]+incompatible/github/repos_releases.go:121 +0x8d fp=0xc00109f080 sp=0xc00109f028 pc=0x72b14d
github.com/google/go-github/github.(*RepositoriesService).GetLatestRelease(0xc000113c80?, {0x19fee58, 0xc000130000}, {0x13dcdea?, 0x7f6542d735b8?}, {0x13dcdea, 0x6})
    /home/runner/go/pkg/mod/github.com/google/[email protected]+incompatible/github/repos_releases.go:103 +0xc5 fp=0xc00109f0e0 sp=0xc00109f080 pc=0x72b065
github.com/bearer/bearer/pkg/commands/artifact.Run({_, _}, {{{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}}, {{0xc00133c568, 0x4}, ...}, ...}, ...)
    /home/runner/work/bearer/bearer/pkg/commands/artifact/run.go:223 +0xbc fp=0xc00109f8a0 sp=0xc00109f0e0 pc=0xdf653c
github.com/bearer/bearer/pkg/commands.NewScanCommand.func2(0xc00131c900, {0xc0012ed490?, 0x1, 0x1})
    /home/runner/work/bearer/bearer/pkg/commands/scan.go:93 +0x4a5 fp=0xc00109fd00 sp=0xc00109f8a0 pc=0xee6665
github.com/spf13/cobra.(*Command).execute(0xc00131c900, {0xc0012ed450, 0x1, 0x1})
    /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:916 +0x862 fp=0xc00109fe38 sp=0xc00109fd00 pc=0x8bba42
github.com/spf13/cobra.(*Command).ExecuteC(0xc00131c000)
    /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1044 +0x3bd fp=0xc00109fef0 sp=0xc00109fe38 pc=0x8bc2bd
github.com/spf13/cobra.(*Command).Execute(...)
    /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:968
main.run()
    /home/runner/work/bearer/bearer/cmd/bearer/main.go:21 +0x3a fp=0xc00109ff20 sp=0xc00109fef0 pc=0xee6f5a
main.main()
    /home/runner/work/bearer/bearer/cmd/bearer/main.go:13 +0x1d fp=0xc00109ff80 sp=0xc00109ff20 pc=0xee6e7d
runtime.main()
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/proc.go:250 +0x212 fp=0xc00109ffe0 sp=0xc00109ff80 pc=0x43edd2
runtime.goexit()
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc00109ffe8 sp=0xc00109ffe0 pc=0x46cee1

goroutine 2 [force gc (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/proc.go:363 +0xd6 fp=0xc00006efb0 sp=0xc00006ef90 pc=0x43f196
runtime.goparkunlock(...)
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/proc.go:369
runtime.forcegchelper()
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/proc.go:302 +0xad fp=0xc00006efe0 sp=0xc00006efb0 pc=0x43f02d
runtime.goexit()
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc00006efe8 sp=0xc00006efe0 pc=0x46cee1
created by runtime.init.6
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/proc.go:290 +0x25

goroutine 3 [GC sweep wait]:
runtime.gopark(0x1?, 0x0?, 0x0?, 0x0?, 0x0?)
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/proc.go:363 +0xd6 fp=0xc00006f790 sp=0xc00006f770 pc=0x43f196
runtime.goparkunlock(...)
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/proc.go:369
runtime.bgsweep(0x0?)
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/mgcsweep.go:297 +0xd7 fp=0xc00006f7c8 sp=0xc00006f790 pc=0x429cf7
runtime.gcenable.func1()
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/mgc.go:178 +0x26 fp=0xc00006f7e0 sp=0xc00006f7c8 pc=0x41e966
runtime.goexit()
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc00006f7e8 sp=0xc00006f7e0 pc=0x46cee1
created by runtime.gcenable
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/mgc.go:178 +0x6b

goroutine 18 [GC scavenge wait]:
runtime.gopark(0xc000098000?, 0x19f2b58?, 0x0?, 0x0?, 0x0?)
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/proc.go:363 +0xd6 fp=0xc00006a770 sp=0xc00006a750 pc=0x43f196
runtime.goparkunlock(...)
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/proc.go:369
runtime.(*scavengerState).park(0x3fcb320)
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/mgcscavenge.go:389 +0x53 fp=0xc00006a7a0 sp=0xc00006a770 pc=0x427d53
runtime.bgscavenge(0x0?)
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/mgcscavenge.go:622 +0x65 fp=0xc00006a7c8 sp=0xc00006a7a0 pc=0x428345
runtime.gcenable.func2()
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/mgc.go:179 +0x26 fp=0xc00006a7e0 sp=0xc00006a7c8 pc=0x41e906
runtime.goexit()
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/asm_amd64.s:1594 +0x1 fp=0xc00006a7e8 sp=0xc00006a7e0 pc=0x46cee1
created by runtime.gcenable
    /opt/hostedtoolcache/go/1.19.7/x64/src/runtime/mgc.go:179 +0xaa

....... THE FULL LENGTH ERROR HAS NOT BEEN MENTIONED HERE IN MY QUESTION SINCE IT WAS TOO LARGE

When running uname -a the following output shows up

Linux MAVIS 5.15.0-50-generic #56~20.04.1-Ubuntu SMP Tue Sep 27 15:51:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Could someone help me understand what went wrong and how may I fix it?

2 Answers


  1. It seems weird that you have the binary installed inside your project in <Project_Path>/bin/bearer with apt-get install. Try removing that binary and run bearer command again to see if that resolves the issue.

    Thanks


  2. Running it from Docker should work for you:


    Some explanation of why you can’t run it locally without docker:

    We were able to replicate your bug by using your Ubuntu version. The thing is, the Ubuntu you are using (Ubuntu 20.04.1) is different from the Ubuntu we are using to compile our bearer binary. We are using Ubuntu 22.04.2.

    Due to different versions of glibc and ours being higher than yours, you can’t run our released compiled bearer binary on your machine.

    We are currently working on solving that problem and discussing potential solutions in order to support older versions of Linux. I know the situation is far from ideal for you.

    If you want to run bearer for your host now, consider cloning and compiling our repository yourself (https://github.com/bearer/bearer). It is fairly straightforward, and you probably only need to install golang on your machine.
    Check out a certain tag (bearer version) from our repo and just do go mod download to install our project dependencies.

    After that, you can use it as go run ./cmd/bearer/main.go instead of bearer.

    So it would be go run ./cmd/bearer/main.go scan . to scan the current directory.

    Login or Signup to reply.
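
The glibc mismatch described in the second answer can be checked before running a downloaded binary. The following is an added example, not part of the answer and not Bearer's code; it assumes a dynamically linked binary inspected with `objdump -T`, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the newest glibc symbol version a binary
# references with the glibc version of the host.

# Print the highest GLIBC_x.y[.z] version tag found on stdin, e.g. in the
# output of `objdump -T /path/to/binary`. Prints nothing when no tag is
# present (a statically linked binary has no versioned dynamic symbols).
max_glibc_required() {
    awk '{
        line = $0
        while (match(line, /GLIBC_[0-9]+(\.[0-9]+)*/)) {
            ver = substr(line, RSTART + 6, RLENGTH - 6)
            split(ver, p, ".")
            key = p[1] * 1000000 + p[2] * 1000 + p[3]
            if (key > best) { best = key; out = ver }
            line = substr(line, RSTART + RLENGTH)
        }
    } END { if (out != "") print out }'
}

# Host glibc version, e.g. "2.31"; empty on non-glibc systems.
host_glibc_version() {
    getconf GNU_LIBC_VERSION 2>/dev/null | awk '{ print $2 }'
}

# Succeeds when version $1 <= version $2, compared field by field.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Verdict for a required version ($1) against a host version ($2).
glibc_verdict() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo unknown
    elif version_le "$1" "$2"; then echo compatible
    else echo host-too-old
    fi
}

# Constructed sample in the shape of `objdump -T` output (not from Bearer).
SAMPLE='0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) getaddrinfo
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.34) pthread_create
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.17) clock_gettime'

need=$(printf '%s\n' "$SAMPLE" | max_glibc_required)
# 2.31 is the glibc version shipped with Ubuntu 20.04.
echo "sample needs glibc >= $need; on a 2.31 host: $(glibc_verdict "$need" 2.31)"
```

Against a real binary, pipe `objdump -T "$(command -v bearer)"` into `max_glibc_required` and pass the result together with `$(host_glibc_version)` to `glibc_verdict`; an `unknown` verdict means the symbol table gave no answer and the binary may be statically linked.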