From 1e3004ad559b7d0da8ed4b377a086170069bdaa8 Mon Sep 17 00:00:00 2001
From: Dima R <90623914+cx-dmitri-rivin@users.noreply.github.com>
Date: Mon, 8 Dec 2025 14:27:06 +0200
Subject: [PATCH 1/3] prefix bug fixed

---
 internal/commands/scan.go | 8 ++++++++
 internal/commands/scan_test.go | 17 +++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/internal/commands/scan.go b/internal/commands/scan.go
index 675057787..d81347554 100644
--- a/internal/commands/scan.go
+++ b/internal/commands/scan.go
@@ -3558,6 +3558,14 @@ func validateContainerImageFormat(containerImage string) error {
 return validatePrefixedContainerImage(containerImage, getPrefixFromInput(containerImage, knownSources))
 }
 
+ // Check if this looks like an invalid prefix attempt (e.g., "invalid-prefix:file.tar")
+ // If the "tag" ends with .tar and the "image name" looks like a simple prefix (no / or .)
+ // then the user likely intended to use a prefix format but used an unknown prefix
+ lowerTag := strings.ToLower(imageTag)
+ if strings.HasSuffix(lowerTag, ".tar") && !strings.Contains(imageName, "/") && !strings.Contains(imageName, ".") {
+ return errors.Errorf("Invalid value for --container-images flag. Unknown prefix '%s:'. Supported prefixes are: docker:, podman:, containerd:, registry:, docker-archive:, oci-archive:, oci-dir:, file:", imageName)
+ }
+
 return nil // Valid image:tag format
 }
 
diff --git a/internal/commands/scan_test.go b/internal/commands/scan_test.go
index b6cede85c..bd97770e7 100644
--- a/internal/commands/scan_test.go
+++ b/internal/commands/scan_test.go
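Review bot: The new `errors.Errorf` call hard-codes the list of supported prefixes as a string literal, while the branch just above it resolves prefixes through `knownSources`, so the two lists will drift apart the first time a source is added or removed; if knownSources is a slice of prefix names, build the tail from it instead, e.g. `errors.Errorf("Invalid value for --container-images flag. Unknown prefix '%s:'. Supported prefixes are: %s", imageName, strings.Join(knownSources, ", "))`. The expectedError strings in the accompanying scan_test.go cases stop at the closing quote of the prefix, so if the harness compares by substring they would be unaffected by that change. The heuristic also only fires when the lower-cased tag ends with `.tar`, so a mistyped prefix in front of a `.tar.gz`/`.tgz` archive or an OCI directory still falls through to the `return nil` below; a one-line comment on the `if` saying so, e.g. `// Only a bare .tar suffix is recognised here; other suffixes fall through to image:tag validation`, would save the next reader from assuming this is a general unknown-prefix check. validateContainerImageFormat and the imageName/imageTag split begin outside the hunk.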
@@ -2448,6 +2448,23 @@ func TestValidateContainerImageFormat_Comprehensive(t *testing.T) {
 expectedError: "Invalid value for --container-images flag. The 'dir:' prefix is not supported",
 },
 
+ // ==================== Unknown Prefix Tests ====================
+ {
+ name: "Invalid - unknown prefix with tar file",
+ containerImage: "invalid-prefix:test-image.tar",
+ expectedError: "Invalid value for --container-images flag. Unknown prefix 'invalid-prefix:'",
+ },
+ {
+ name: "Invalid - typo in prefix (dcoker)",
+ containerImage: "dcoker:my-image.tar",
+ expectedError: "Invalid value for --container-images flag. Unknown prefix 'dcoker:'",
+ },
+ {
+ name: "Invalid - custom prefix with tar",
+ containerImage: "myprefix:archive.tar",
+ expectedError: "Invalid value for --container-images flag. Unknown prefix 'myprefix:'",
+ },
+
 // ==================== Edge Cases ====================
 {
 name: "Complex registry with multiple colons",

From 0aa534e74ef44975d5275e5ca0f9c6d7bf6700bd Mon Sep 17 00:00:00 2001
From: Dima R <90623914+cx-dmitri-rivin@users.noreply.github.com>
Date: Wed, 10 Dec 2025 10:19:44 +0200
Subject: [PATCH 2/3] version upgrade

---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index ce49ce4a6..10839310f 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/checkmarx/ast-cli
 go 1.24.11
 
 require (
- github.com/Checkmarx/containers-resolver v1.0.27
+ github.com/Checkmarx/containers-resolver v1.0.28
 github.com/Checkmarx/containers-types v1.0.9
 github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63
 github.com/Checkmarx/gen-ai-wrapper v1.0.3

From 05a88c4b2f8a0b438425123b647f83d262cb706d Mon Sep 17 00:00:00 2001
From: Dima R <90623914+cx-dmitri-rivin@users.noreply.github.com>
Date: Wed, 10 Dec 2025 10:24:29 +0200
Subject: [PATCH 3/3] vendor/tidy

---
 go.mod | 4 ++--
 go.sum | 12 ++++++------
 2 files changed, 8 insertions(+), 8 deletions(-)
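Review bot: All three new cases end in `.tar`, so they exercise only the path the new heuristic catches and nothing pins the boundary it deliberately leaves alone; a fourth case such as `containerImage: "dcoker:my-image.tar.gz"`, expected to pass as a plain image:tag if that is the intended behaviour, would document that the check is suffix-sensitive rather than a general unknown-prefix detector. The expectedError strings stop at the closing quote of the prefix, which presumably relies on a substring comparison in the harness; if so, the "Supported prefixes are:" tail is never asserted, which is fine but worth stating above the block, e.g. `// expectedError is matched as a substring; the supported-prefix list is not asserted here`. The test table and TestValidateContainerImageFormat_Comprehensive begin outside the hunk.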
diff --git a/go.mod b/go.mod
index 10839310f..66c3442b4 100644
--- a/go.mod
+++ b/go.mod
@@ -48,8 +48,8 @@ require (
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 github.com/BobuSumisu/aho-corasick v1.0.3 // indirect
 github.com/BurntSushi/toml v1.5.0 // indirect
- github.com/Checkmarx/containers-images-extractor v1.0.20
- github.com/Checkmarx/containers-syft-packages-extractor v1.0.22 // indirect
+ github.com/Checkmarx/containers-images-extractor v1.0.21
+ github.com/Checkmarx/containers-syft-packages-extractor v1.0.23 // indirect
 github.com/CycloneDX/cyclonedx-go v0.9.2 // indirect
 github.com/DataDog/zstd v1.5.6 // indirect
 github.com/Masterminds/goutils v1.1.1 // indirect
diff --git a/go.sum b/go.sum
index 3a262d010..9b188b533 100644
--- a/go.sum
+++ b/go.sum
@@ -65,12 +65,12 @@ github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbi
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/Checkmarx/containers-images-extractor v1.0.20 h1:PGTtBMsjF77HrTtnmzzVGywFkuUtXfc/PBo46kMYORw=
-github.com/Checkmarx/containers-images-extractor v1.0.20/go.mod h1:HyzVb8TtTDf56hGlSakalPXtzjJ6VhTYe9fmAcOS+V8=
-github.com/Checkmarx/containers-resolver v1.0.27 h1:fEZkgQR+PLyIOunLRQAzofUX97I9qKGG9gAoKNI4ajw=
-github.com/Checkmarx/containers-resolver v1.0.27/go.mod h1:zxQja33k9SvDXG7eWq03U8WxkHIu/XchzjXsoKfhDFY=
-github.com/Checkmarx/containers-syft-packages-extractor v1.0.22 h1:5zzTrAgKOiqFvAwSS0DRmWyWuKK66jXj54wc8xroObQ=
-github.com/Checkmarx/containers-syft-packages-extractor v1.0.22/go.mod h1:OPGYISPnKtVFl2mZrClErv83ZLjUPKjdQQsXLmx++oY=
+github.com/Checkmarx/containers-images-extractor v1.0.21 h1:SEo4FyxUZnOkZnHqdpqDLcztHj/1IyEkvAnlTNBsNOA=
+github.com/Checkmarx/containers-images-extractor v1.0.21/go.mod h1:HyzVb8TtTDf56hGlSakalPXtzjJ6VhTYe9fmAcOS+V8=
+github.com/Checkmarx/containers-resolver v1.0.28 h1:FikNmHIAYqJ1G1qHixASDUjJirl+Dp635TuMYq/RfUY=
+github.com/Checkmarx/containers-resolver v1.0.28/go.mod h1:X6KwE/vFIDlgyBZKnkhRGitt65hWCZp0sdvgNTRyvSw=
+github.com/Checkmarx/containers-syft-packages-extractor v1.0.23 h1:qP4OBlCVF6BbOO0gzcoOzAtfdx7+M1kU3OsY2xBvy8E=
+github.com/Checkmarx/containers-syft-packages-extractor v1.0.23/go.mod h1:OPGYISPnKtVFl2mZrClErv83ZLjUPKjdQQsXLmx++oY=
 github.com/Checkmarx/containers-types v1.0.9 h1:LbHDj9LZ0x3f28wDx398WC19sw0U0EfEewHMLStBwvs=
 github.com/Checkmarx/containers-types v1.0.9/go.mod h1:KR0w8XCosq3+6jRCfQrH7i//Nj2u11qaUJM62CREFZA=
 github.com/Checkmarx/gen-ai-prompts v0.0.0-20240807143411-708ceec12b63 h1:SCuTcE+CFvgjbIxUNL8rsdB2sAhfuNx85HvxImKta3g=