Bug: panic: proto: file "extensions/extension.proto" is already registered

[fruwe]

• terrascan version: latest (sha256:630917cbc67d1c04a1a0793e89fee2d9ff3626e7f7fd74ba175847af50c8f9f3)
• Operating System: MacOS Sonoma 14.6.1 (23G93) / Github Actions Ubuntu

Description

I tried running TerraScan as usual, but today it started to fail.
I expected TerraScan to work as usual.

What I Did

I tried running terrascan with the latest docker image, which failed with the following log.

❯ docker run --rm -it --pull always -v `pwd`:`pwd` -w `pwd` tenable/terrascan:latest scan -d "stacks/development/20-shared/202-spanner" -i terraform --iac-version v15 -t gcp -v --repo-url ${REPO_URL}
latest: Pulling from tenable/terrascan
Digest: sha256:630917cbc67d1c04a1a0793e89fee2d9ff3626e7f7fd74ba175847af50c8f9f3
Status: Image is up to date for tenable/terrascan:latest
panic: proto: file "extensions/extension.proto" is already registered
		previously from: "github.com/google/gnostic-models/extensions"
		currently from:  "github.com/googleapis/gnostic/extensions"
	See https://protobuf.dev/reference/go/faq#namespace-conflict


goroutine 1 [running]:
google.golang.org/protobuf/reflect/protoregistry.init.func1({0x4baa9d0?, 0x2bfe880?}, {0x32502c0, 0x40002bbd30})
	/go/pkg/mod/google.golang.org/[email protected]/reflect/protoregistry/registry.go:56 +0x1f8
google.golang.org/protobuf/reflect/protoregistry.(*Files).RegisterFile(0x400019c5d0, {0x328d6b8, 0x4000354c40})
	/go/pkg/mod/google.golang.org/[email protected]/reflect/protoregistry/registry.go:130 +0x9b0
google.golang.org/protobuf/internal/filedesc.Builder.Build({{0x2263f51, 0x28}, {0x49fd1c0, 0x282, 0x282}, 0x0, 0x4, 0x0, 0x0, {0x325e2c8, ...}, ...})
	/go/pkg/mod/google.golang.org/[email protected]/internal/filedesc/build.go:112 +0x1a0
google.golang.org/protobuf/internal/filetype.Builder.Build({{{0x2263f51, 0x28}, {0x49fd1c0, 0x282, 0x282}, 0x0, 0x4, 0x0, 0x0, {0x0, ...}, ...}, ...})
	/go/pkg/mod/google.golang.org/[email protected]/internal/filetype/build.go:138 +0x158
github.com/googleapis/gnostic/extensions.file_extensions_extension_proto_init()
	/go/pkg/mod/github.com/googleapis/[email protected]/extensions/extension.pb.go:456 +0x144
github.com/googleapis/gnostic/extensions.init.0()
	/go/pkg/mod/github.com/googleapis/[email protected]/extensions/extension.pb.go:388 +0x1c

The latest tag (which is not the tag latest) according to https://hub.docker.com/r/tenable/terrascan/tags is 36dd9a, which also fails but for a different reason.

❯ docker run --rm -it --pull always -v `pwd`:`pwd` -w `pwd` tenable/terrascan:sha256-36dd9a09d55b37ac7d9dc185c6376529b5da90f3ebeb2607ce4c510f249ebf38.sig scan -d "stacks/development/20-shared/202-spanner" -i terraform --iac-version v15 -t gcp -v --repo-url ${REPO_URL}
sha256-36dd9a09d55b37ac7d9dc185c6376529b5da90f3ebeb2607ce4c510f249ebf38.sig: Pulling from tenable/terrascan
docker: failed to unpack image on snapshotter overlayfs: mismatched image rootfs and manifest layers.
See 'docker run --help'.

tenable/terrascan:1.19.2 works:

docker run --rm -it --pull always -v `pwd`:`pwd` -w `pwd` tenable/terrascan:1.19.2 scan -d "stacks/development/20-shared/202-spanner" -i terraform --iac-version v15 -t gcp -v --repo-url xxx
1.19.2: Pulling from tenable/terrascan
Digest: sha256:c992549dde65e730cd0764deecce4602f71f41efb0bbcd0d5ef59a1d8a046b46
Status: Image is up to date for tenable/terrascan:1.19.2


Scan Errors -

	IaC Type            :	terraform
	Directory           :	/xxx/stacks/development/20-shared/202-spanner
	Error Message       :	directory '/xxx/stacks/development/20-shared/202-spanner' has no terraform config files

	-----------------------------------------------------------------------



Scan Summary -

	File/Folder         :	https://github.com/xxx
	IaC Type            :	terraform
	Scanned At          :	2024-09-10 09:00:36.093790421 +0000 UTC
	Policies Validated  :	231
	Violated Policies   :	0
	Low                 :	0
	Medium              :	0
	High                :	0

[stefanb]

I suspect the workaround is proposed in

• Fix warnings in terrascan for protobuf by adding compile time flag in go releaser #1703

[fruwe]

Thank you for the update, @stefanb !

Unfortunately, I am still getting the same error with both tenable/terrascan:1.19.8 and tenable/terrascan:latest.

[stefanb]

@fruwe, I guess the workaround was merged, but it still needs to be released in a version.

[fruwe]

Awesome, thanks. Let's retry later then.

[fruwe]

@stefanb Do you know when the new version will be released?

[stefanb]

No, I don't.

[chenrui333]

the workaround does not work the new release, Homebrew/homebrew-core#184851 (still seeing the same issue)

[nmoretenable]

Can you please try the latest version 1.19.9. we have fixed the protobuf error
https://hub.docker.com/r/tenable/terrascan

[stefanb]

Opened

• terrascan 1.19.9 Homebrew/homebrew-core#191069

[fruwe]

@nmoretenable Thank you, this worked for me

latest: Pulling from tenable/terrascan
Digest: sha256:1fffb95fd064f53c997da5bb9b2fdb9b14abcad7391fbb7fe42b866358695b16
Status: Image is up to date for tenable/terrascan:latest



Scan Summary -

	File/Folder         :	https://github.com/xxx/xxx.git
	IaC Type            :	terraform
	Scanned At          :	2024-09-20 02:21:11.676906552 +0000 UTC
	Policies Validated  :	4
	Violated Policies   :	0
	Low                 :	0
	Medium              :	0
	High                :	0

[liamjones-pw]

Still seeing this in 1.19.9 when running via nix.

❯ nix-shell -p terrascan
warning: Nix search path entry '/nix/var/nix/profiles/per-user/root/channels' does not exist, ignoring
this path will be fetched (20.61 MiB download, 111.25 MiB unpacked):
  /nix/store/mfpha198lspqa87jkvgxx8ydmqkgc5f0-terrascan-1.19.9
copying path '/nix/store/mfpha198lspqa87jkvgxx8ydmqkgc5f0-terrascan-1.19.9' from 'https://cache.nixos.org'...

[nix-shell:~/blah]$ terrascan
panic: proto: file "extensions/extension.proto" is already registered
        previously from: "github.com/google/gnostic-models/extensions"
        currently from:  "github.com/googleapis/gnostic/extensions"
See https://protobuf.dev/reference/go/faq#namespace-conflict


goroutine 1 [running]:
google.golang.org/protobuf/reflect/protoregistry.init.func1({0x105cd8780?, 0x10411abc0?}, {0x1041bb9c0, 0x140002e7bf0})
        google.golang.org/[email protected]/reflect/protoregistry/registry.go:56 +0x1f8
google.golang.org/protobuf/reflect/protoregistry.(*Files).RegisterFile(0x140001a2570, {0x1041f8218, 0x14000358fc0})
        google.golang.org/[email protected]/reflect/protoregistry/registry.go:130 +0x9c4
google.golang.org/protobuf/internal/filedesc.Builder.Build({{0x1036c5de8, 0x28}, {0x105b28460, 0x282, 0x282}, 0x0, 0x4, 0x0, 0x0, {0x1041c94d8, ...}, ...})
        google.golang.org/[email protected]/internal/filedesc/build.go:112 +0x1a0
google.golang.org/protobuf/internal/filetype.Builder.Build({{{0x1036c5de8, 0x28}, {0x105b28460, 0x282, 0x282}, 0x0, 0x4, 0x0, 0x0, {0x0, ...}, ...}, ...})
        google.golang.org/[email protected]/internal/filetype/build.go:138 +0x158
github.com/googleapis/gnostic/extensions.file_extensions_extension_proto_init()
        github.com/googleapis/[email protected]/extensions/extension.pb.go:456 +0x144
github.com/googleapis/gnostic/extensions.init.0()
        github.com/googleapis/[email protected]/extensions/extension.pb.go:388 +0x1c