chainguard-dev
diff --git a/‎Makefile‎
Lines changed: 1 addition & 1 deletion b/‎Makefile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.mod‎
Lines changed: 4 additions & 0 deletions b/‎go.mod‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 11 additions & 1 deletion b/‎go.sum‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎pkg/action/scan.go‎
Lines changed: 87 additions & 77 deletions b/‎pkg/action/scan.go‎
Lines changed: 87 additions & 77 deletions
@@ -124,7 +124,7 @@ install-yara-x: out/$(YARAX_REPO)/.git/commit-$(YARAX_COMMIT)
 	mkdir -p out/include
 	cd out/$(YARAX_REPO) && \
 	cargo install cargo-c --locked && \
-	cargo cinstall -p yara-x-capi --release --prefix="$(LINT_ROOT)/out" --libdir="$(LINT_ROOT)/out/lib"
+	cargo cinstall -p yara-x-capi --features=native-code-serialization --release --prefix="$(LINT_ROOT)/out" --libdir="$(LINT_ROOT)/out/lib"
 
 # unit tests only
 .PHONY: test
 
@@ -13,12 +13,14 @@ require (
 	github.com/charmbracelet/bubbles v0.21.0
 	github.com/charmbracelet/bubbletea v1.3.4
 	github.com/charmbracelet/lipgloss v1.1.0
+	github.com/cosnicolaou/pbzip2 v1.0.5
 	github.com/egibs/go-debian v0.18.0
 	github.com/fatih/color v1.18.0
 	github.com/gabriel-vasile/mimetype v1.4.9
 	github.com/google/go-cmp v0.7.0
 	github.com/google/go-containerregistry v0.20.3
 	github.com/klauspost/compress v1.18.0
+	github.com/klauspost/pgzip v1.2.6
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/shirou/gopsutil/v4 v4.25.3
 	github.com/ulikunitz/xz v0.5.12
@@ -45,6 +47,7 @@ require (
 	github.com/ebitengine/purego v0.8.2 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/kr/pretty v0.1.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
@@ -74,5 +77,6 @@ require (
 	golang.org/x/sys v0.32.0 // indirect
 	golang.org/x/text v0.24.0 // indirect
 	google.golang.org/protobuf v1.36.3 // indirect
+	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 	pault.ag/go/topsort v0.1.1 // indirect
 )
@@ -30,6 +30,8 @@ github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQ
 github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
 github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
+github.com/cosnicolaou/pbzip2 v1.0.5 h1:+PZ8yRBx6bRXncOJWQvEThyFm8XhF9Yb6WUMN6KsgrA=
+github.com/cosnicolaou/pbzip2 v1.0.5/go.mod h1:uCNfm0iE2wIKGRlLyq31M4toziFprNhEnvueGmh5u3M=
 github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -61,6 +63,13 @@ github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM
 github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
+github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 h1:7UMa6KCCMjZEMDtTVdcGu0B1GmmC7QJKiCCjyTAWQy0=
@@ -149,8 +158,9 @@ golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
 golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
 google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU=
 google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 
@@ -48,6 +48,8 @@ var (
 )
 
 // scanSinglePath YARA scans a single path and converts it to a fileReport.
+//
+//nolint:cyclop // ignore complexity of 38
 func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleFS []fs.FS, absPath string, archiveRoot string) (*malcontent.FileReport, error) {
 	if ctx.Err() != nil {
 		return &malcontent.FileReport{}, ctx.Err()
@@ -56,30 +58,22 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF
 	logger := clog.FromContext(ctx)
 	logger = logger.With("path", path)
 
-	var yrs *yarax.Rules
-	var err error
-	if c.Rules == nil {
-		yrs, err = CachedRules(ctx, ruleFS)
-		if err != nil {
-			return nil, fmt.Errorf("rules: %w", err)
-		}
-	} else {
-		yrs = c.Rules
-	}
+	isArchive := archiveRoot != ""
 
-	initializeOnce.Do(func() {
-		filePool = pool.NewBufferPool()
-		scannerPool = pool.NewScannerPool(yrs, c.Concurrency)
-	})
+	fi, err := os.Stat(path)
+	if err != nil {
+		return nil, err
+	}
 
-	scanner := scannerPool.Get()
-	// Scanner should not be nil here, but guard against it anyway
-	if scanner == nil {
-		scanner = yarax.NewScanner(yrs)
+	size := fi.Size()
+	if size == 0 {
+		fr := &malcontent.FileReport{Skipped: "zero-sized file", Path: path}
+		if isArchive {
+			defer os.RemoveAll(path)
+		}
+		return fr, nil
 	}
-	defer scannerPool.Put(scanner)
 
-	isArchive := archiveRoot != ""
 	mime := "<unknown>"
 	kind, err := programkind.File(path)
 	if err != nil && !interactive(c) {
@@ -88,6 +82,7 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF
 	if kind != nil {
 		mime = kind.MIME
 	}
+
 	if !c.IncludeDataFiles && kind == nil {
 		logger.Debugf("skipping %s [%s]: data file or empty", path, mime)
 		fr := &malcontent.FileReport{Skipped: "data file or empty", Path: path}
@@ -99,33 +94,51 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF
 	}
 	logger = logger.With("mime", mime)
 
-	f, err := os.Open(path)
-	if err != nil {
-		return nil, err
+	var yrs *yarax.Rules
+	if c.Rules == nil {
+		yrs, err = CachedRules(ctx, ruleFS)
+		if err != nil {
+			return nil, fmt.Errorf("rules: %w", err)
+		}
+	} else {
+		yrs = c.Rules
 	}
-	defer f.Close()
 
-	fi, err := f.Stat()
-	if err != nil {
-		return nil, err
+	initializeOnce.Do(func() {
+		filePool = pool.NewBufferPool(c.Concurrency + 1)
+		scannerPool = pool.NewScannerPool(yrs, c.Concurrency+1)
+	})
+
+	scanner := scannerPool.Get()
+	if scanner == nil {
+		scanner = yarax.NewScanner(yrs)
 	}
-	size := fi.Size()
+	defer scannerPool.Put(scanner)
 
-	if size == 0 {
-		fr := &malcontent.FileReport{Skipped: "zero-sized file", Path: path}
-		defer os.RemoveAll(path)
-		return fr, nil
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
 	}
+	defer f.Close()
 
 	fc := filePool.Get(size)
 	defer filePool.Put(fc)
-	if _, err := io.ReadFull(f, fc); err != nil {
-		return nil, err
+
+	var bytesRead int
+	var totalRead int64
+	for totalRead < size {
+		bytesRead, err = f.Read(fc[totalRead:])
+		if errors.Is(err, io.EOF) {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+		totalRead += int64(bytesRead)
 	}
 
-	// Immediately remove archive files read into memory
-	if isArchive {
-		defer os.RemoveAll(path)
+	if totalRead < size && err != nil {
+		return nil, fmt.Errorf("incomplete read: got %d bytes, expected %d: %w", totalRead, size, err)
 	}
 
 	mrs, err := scanner.Scan(fc)
@@ -137,9 +150,12 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF
 	// If running a scan, only generate reports for mrs that satisfy the risk threshold of 3
 	// This is a short-circuit that avoids any report generation logic
 	risk := report.HighestMatchRisk(mrs)
-	if c.Scan && risk < 3 {
+	threshold := max(3, c.MinFileRisk, c.MinRisk)
+	if c.Scan && risk < threshold {
 		fr := &malcontent.FileReport{Skipped: "overall risk too low for scan", Path: path}
-		os.RemoveAll(path)
+		if isArchive {
+			os.RemoveAll(path)
+		}
 		return fr, nil
 	}
 
@@ -166,15 +182,13 @@ func scanSinglePath(ctx context.Context, c malcontent.Config, path string, ruleF
 		fr.ArchiveRoot = archiveRootAbs
 		fr.FullPath = pathAbs
 		clean = formatPath(cleanPath(pathAbs, archiveRootAbs))
-	}
 
-	// If absPath is provided, use it instead of the path if they are different.
-	// This is useful when scanning images and archives.
-	if absPath != "" && absPath != path && (isArchive || c.OCI) {
-		if len(c.TrimPrefixes) > 0 {
-			absPath = report.TrimPrefixes(absPath, c.TrimPrefixes)
+		if absPath != "" && absPath != path && (isArchive || c.OCI) {
+			if len(c.TrimPrefixes) > 0 {
+				absPath = report.TrimPrefixes(absPath, c.TrimPrefixes)
+			}
+			fr.Path = fmt.Sprintf("%s ∴ %s", absPath, clean)
 		}
-		fr.Path = fmt.Sprintf("%s ∴ %s", absPath, clean)
 	}
 
 	if len(fr.Behaviors) == 0 {
@@ -396,17 +410,17 @@ func processPaths(ctx context.Context, paths []string, scanInfo scanPathInfo, c
 		cancel()
 	}()
 
-	g := setupErrorGroup(maxConcurrency)
+	g, gCtx := errgroup.WithContext(scanCtx)
+	g.SetLimit(maxConcurrency)
 
-	setupMatchHandler(scanCtx, matchChan, c, cancel, logger)
+	setupMatchHandler(gCtx, matchChan, c, cancel, logger)
 
 	pc := make(chan string, len(paths))
 	go func() {
 		defer close(pc)
-
 		for _, path := range paths {
 			select {
-			case <-scanCtx.Done():
+			case <-gCtx.Done():
 				return
 			case pc <- path:
 			}
@@ -415,10 +429,10 @@ func processPaths(ctx context.Context, paths []string, scanInfo scanPathInfo, c
 
 	for path := range pc {
 		g.Go(func() error {
-			if scanCtx.Err() != nil {
+			if gCtx.Err() != nil {
 				return scanCtx.Err()
 			}
-			return processPath(scanCtx, path, scanInfo, c, r, matchChan, matchOnce, logger)
+			return processPath(gCtx, path, scanInfo, c, r, matchChan, matchOnce, logger)
 		})
 	}
 
@@ -447,21 +461,6 @@ func getMaxConcurrency(configured int) int {
 	return configured
 }
 
-func createPathChannel(paths []string) chan string {
-	pc := make(chan string, len(paths))
-	for _, path := range paths {
-		pc <- path
-	}
-	close(pc)
-	return pc
-}
-
-func setupErrorGroup(maxConcurrency int) *errgroup.Group {
-	g := &errgroup.Group{}
-	g.SetLimit(maxConcurrency)
-	return g
-}
-
 func setupMatchHandler(ctx context.Context, matchChan chan matchResult, c malcontent.Config, cancel context.CancelFunc, logger *clog.Logger) {
 	if ctx.Err() != nil {
 		return
@@ -634,13 +633,12 @@ func processArchive(ctx context.Context, c malcontent.Config, rfs []fs.FS, archi
 		return nil, fmt.Errorf("extract to temp: %w", err)
 	}
 	// Ensure that tmpRoot is removed before returning if created successfully
-	if tmpRoot != "" {
-		defer func() {
-			if err := os.RemoveAll(tmpRoot); err != nil {
-				logger.Errorf("remove %s: %v", tmpRoot, err)
-			}
-		}()
-	}
+	defer func() {
+		if err := os.RemoveAll(tmpRoot); err != nil {
+			logger.Errorf("remove %s: %v", tmpRoot, err)
+		}
+	}()
+
 	// macOS will prefix temporary directories with `/private`
 	// update tmpRoot with this prefix to allow strings.TrimPrefix to work
 	if runtime.GOOS == "darwin" {
@@ -652,16 +650,28 @@ func processArchive(ctx context.Context, c malcontent.Config, rfs []fs.FS, archi
 		return nil, fmt.Errorf("find: %w", err)
 	}
 
+	ep := make(chan string, len(extractedPaths))
+	go func() {
+		defer close(ep)
+		for _, path := range extractedPaths {
+			select {
+			case <-ctx.Done():
+				return
+			case ep <- path:
+			}
+		}
+	}()
+
 	maxConcurrency := getMaxConcurrency(c.Concurrency)
 	scanCtx, cancel := context.WithCancel(ctx)
 	defer cancel()
 
-	g := setupErrorGroup(maxConcurrency)
+	g, gCtx := errgroup.WithContext(scanCtx)
+	g.SetLimit(maxConcurrency)
 
-	ep := createPathChannel(extractedPaths)
 	for path := range ep {
 		g.Go(func() error {
-			fr, err := processFile(scanCtx, c, rfs, path, archivePath, tmpRoot, logger)
+			fr, err := processFile(gCtx, c, rfs, path, archivePath, tmpRoot, logger)
 			if err != nil {
 				return err
 			}