Fix vendor library panic by adding default tags to file paths

Checkmarx Automation · Checkmarx Automation · commit cbe58485145b · 2025-09-29T18:58:15.000+03:00
- Add isFilePath() function to detect file paths vs image references
- Automatically append ':latest' tag to file paths without tags
- Prevents 'index out of range' panic in containers-syft-packages-extractor
- Handles file extensions: .tar, .tar.gz, .tgz and paths with / or - Preserves existing tags when present (e.g., 'file.tar:v1.0' unchanged)

WORKAROUND for vendor library bug where it expects image:tag format
but file paths don't naturally have tags. Resolves AST-108903 panic issue.
diff --git a/internal/commands/scan.go b/internal/commands/scan.go
@@ -2050,18 +2050,37 @@ func processContainerImagesForSyft(images []string) []string {
 		// Use the same scheme extraction logic as syft/stereoscope
 		source, strippedInput := extractSchemeSource(image, knownSources)
 		
+		var processedImage string
 		if source != "" {
 			// Valid scheme found - use the stripped input (like syft does)
-			processedImages = append(processedImages, strippedInput)
+			processedImage = strippedInput
 		} else {
 			// No valid scheme - pass the original input unchanged
-			processedImages = append(processedImages, image)
+			processedImage = image
 		}
+		
+		// WORKAROUND: Add default tag for file paths to prevent vendor library panic
+		// The containers-syft-packages-extractor expects image:tag format but files don't have tags
+		if isFilePath(processedImage) && !strings.Contains(processedImage, ":") {
+			processedImage = processedImage + ":latest"
+		}
+		
+		processedImages = append(processedImages, processedImage)
 	}
 	
 	return processedImages
 }
 
+// isFilePath determines if a string looks like a file path rather than an image reference
+func isFilePath(input string) bool {
+	// Check for common file indicators
+	return strings.HasSuffix(input, ".tar") || 
+		   strings.HasSuffix(input, ".tar.gz") || 
+		   strings.HasSuffix(input, ".tgz") ||
+		   strings.Contains(input, "/") ||
+		   strings.Contains(input, "\\")
+}
+
 // extractSchemeSource mimics stereoscope.ExtractSchemeSource behavior
 func extractSchemeSource(userInput string, sources []string) (source, newInput string) {
 	const SchemeSeparator = ":"
@@ -3494,13 +3513,9 @@ func validatePrefixedContainerImage(containerImage, prefix string) error {
 }
 
 func validateTraditionalContainerImage(containerImage string) error {
-	// Handle legacy .tar file format
+	// Handle .tar file format (both with and without paths, like syft)
 	if strings.HasSuffix(containerImage, ".tar") {
-		// Check if this looks like a file path that should use a prefix
-		if strings.Contains(containerImage, "/") || strings.Contains(containerImage, "\\") {
-			return errors.Errorf("Invalid value for --container-images flag. The value '%s' appears to be a file path. For file-based scanning, use the 'file:' prefix: 'file:%s'", containerImage, containerImage)
-		}
-		
+		// Accept any .tar file path, with or without directories (like syft does)
 		exists, err := osinstaller.FileExists(containerImage)
 		if err != nil {
 			return errors.Errorf("--container-images flag error: %v", err)
diff --git a/internal/commands/scan_test.go b/internal/commands/scan_test.go
@@ -2200,14 +2200,15 @@ func TestValidateContainerImageFormat(t *testing.T) {
 			setupFiles:     []string{"nginx.tar"},
 		},
 		{
-			name:           "Invalid tar file with path - suggests file prefix",
+			name:           "Valid tar file with path (like syft)",
 			containerImage: "empty/alpine.tar",
-			expectedError:  errors.New("Invalid value for --container-images flag. The value 'empty/alpine.tar' appears to be a file path. For file-based scanning, use the 'file:' prefix: 'file:empty/alpine.tar'"),
+			expectedError:  nil,
+			setupFiles:     []string{"empty/alpine.tar"},
 		},
 		{
-			name:           "Invalid tar file with absolute path - suggests file prefix",
-			containerImage: "/path/to/image.tar",
-			expectedError:  errors.New("Invalid value for --container-images flag. The value '/path/to/image.tar' appears to be a file path. For file-based scanning, use the 'file:' prefix: 'file:/path/to/image.tar'"),
+			name:           "Invalid tar file with path - file does not exist",
+			containerImage: "nonexistent/alpine.tar",
+			expectedError:  errors.New("--container-images flag error: file 'nonexistent/alpine.tar' does not exist"),
 		},
 		{
 			name:           "Missing image name",
