more improvements

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

README.md

@@ -66,6 +66,7 @@ GLOBAL OPTIONS:
    --jobs int, -j int          Concurrently scan files within target scan paths (default: 12)
    --max-depth int             Maximum depth for archive extraction (-1 for unlimited) (default: 32)
    --max-files int             Maximum number of files to scan (-1 for unlimited) (default: 2097152)
+   --max-image-size int        Maximum OCI image size in bytes (0 or -1 for unlimited) (default: 17179869184)
    --min-file-level int        Obsoleted by --min-file-risk (default: -1)
    --min-file-risk string      Only show results for files which meet the given risk level (any, low, medium, high, critical) (default: "low")
    --min-level int             Obsoleted by --min-risk (default: -1)

cmd/mal/mal.go

@@ -61,6 +61,7 @@ var (
 	ignoreTagsFlag            string
 	includeDataFilesFlag      bool
 	maxDepthFlag              int
+	maxImageSizeFlag          int64
 	maxScanFilesFlag          int
 	minFileLevelFlag          int
 	minFileRiskFlag           string
@@ -261,6 +262,7 @@ func main() {
 				IgnoreTags:            ignoreTags,
 				IncludeDataFiles:      includeDataFiles,
 				MaxDepth:              maxDepthFlag,
+				MaxImageSize:          maxImageSizeFlag,
 				MaxScanFiles:          maxScanFilesFlag,
 				MinFileRisk:           minFileRisk,
 				MinRisk:               minRisk,
@@ -348,17 +350,24 @@ func main() {
 			&cli.IntFlag{
 				Name:        "max-depth",
 				Value:       32,
-				Usage:       "Maximum depth for archive extraction (-1 for unlimited)",
+				Usage:       "Maximum depth for archive extraction (0 or -1 for unlimited)",
 				Destination: &maxDepthFlag,
 				Local:       false,
 			},
 			&cli.IntFlag{
 				Name:        "max-files",
 				Value:       1 << 21, // ~2 million files
-				Usage:       "Maximum number of files to scan (-1 for unlimited)",
+				Usage:       "Maximum number of files to scan (0 or -1 for unlimited)",
 				Destination: &maxScanFilesFlag,
 				Local:       false,
 			},
+			&cli.Int64Flag{
+				Name:        "max-image-size",
+				Value:       1 << 34, // ~16 GB
+				Usage:       "Maximum OCI image size in bytes (0 or -1 for unlimited)",
+				Destination: &maxImageSizeFlag,
+				Local:       false,
+			},
 			&cli.IntFlag{
 				Name:        "min-file-level",
 				Value:       -1,

pkg/action/archive_test.go

@@ -15,13 +15,30 @@ import (
 
 	"github.com/chainguard-dev/clog"
 	"github.com/chainguard-dev/malcontent/pkg/archive"
+	"github.com/chainguard-dev/malcontent/pkg/file"
 	"github.com/chainguard-dev/malcontent/pkg/malcontent"
 	"github.com/chainguard-dev/malcontent/pkg/render"
 	"github.com/chainguard-dev/malcontent/rules"
 	thirdparty "github.com/chainguard-dev/malcontent/third_party"
 	"github.com/google/go-cmp/cmp"
 )
 
+// readTestFile reads a file using file.GetContents for consistency with production code.
+func readTestFile(t *testing.T, path string) []byte {
+	t.Helper()
+	f, err := os.Open(path)
+	if err != nil {
+		t.Fatalf("failed to open test file %s: %v", path, err)
+	}
+	defer f.Close()
+	buf := make([]byte, file.ExtractBuffer)
+	data, err := file.GetContents(f, buf)
+	if err != nil {
+		t.Fatalf("failed to read test file %s: %v", path, err)
+	}
+	return data
+}
+
 func TestExtractionMethod(t *testing.T) {
 	tests := []struct {
 		name string
@@ -256,10 +273,7 @@ func TestScanArchive(t *testing.T) {
 
 	got := out.String()
 
-	td, err := os.ReadFile("testdata/scan_archive")
-	if err != nil {
-		t.Fatalf("testdata read failed: %v", err)
-	}
+	td := readTestFile(t, "testdata/scan_archive")
 	want := string(td)
 
 	if diff := cmp.Diff(want, got); diff != "" {
@@ -303,10 +317,7 @@ func TestScanDeb(t *testing.T) {
 
 	got := out.String()
 
-	td, err := os.ReadFile("testdata/scan_deb")
-	if err != nil {
-		t.Fatalf("testdata read failed: %v", err)
-	}
+	td := readTestFile(t, "testdata/scan_deb")
 	want := string(td)
 
 	if diff := cmp.Diff(want, got); diff != "" {
@@ -350,10 +361,7 @@ func TestScanRPM(t *testing.T) {
 
 	got := out.String()
 
-	td, err := os.ReadFile("testdata/scan_rpm")
-	if err != nil {
-		t.Fatalf("testdata read failed: %v", err)
-	}
+	td := readTestFile(t, "testdata/scan_rpm")
 	want := string(td)
 
 	if diff := cmp.Diff(want, got); diff != "" {
@@ -397,10 +405,7 @@ func TestScanZlib(t *testing.T) {
 
 	got := out.String()
 
-	td, err := os.ReadFile("testdata/scan_zlib")
-	if err != nil {
-		t.Fatalf("testdata read failed: %v", err)
-	}
+	td := readTestFile(t, "testdata/scan_zlib")
 	want := string(td)
 
 	if diff := cmp.Diff(want, got); diff != "" {
@@ -444,10 +449,7 @@ func TestScanZstd(t *testing.T) {
 
 	got := out.String()
 
-	td, err := os.ReadFile("testdata/scan_zstd")
-	if err != nil {
-		t.Fatalf("testdata read failed: %v", err)
-	}
+	td := readTestFile(t, "testdata/scan_zstd")
 	want := string(td)
 
 	if diff := cmp.Diff(want, got); diff != "" {
@@ -582,10 +584,7 @@ func TestScanConflictingArchiveFiles(t *testing.T) {
 	}
 
 	got := out.String()
-	td, err := os.ReadFile("testdata/scan_conflict")
-	if err != nil {
-		t.Fatalf("testdata read failed: %v", err)
-	}
+	td := readTestFile(t, "testdata/scan_conflict")
 	want := string(td)
 
 	if diff := cmp.Diff(want, got); diff != "" {

pkg/action/diff.go

@@ -221,11 +221,11 @@ func Diff(ctx context.Context, c malcontent.Config, _ *clog.Logger) (*malcontent
 	)
 
 	if c.OCI {
-		srcPath, err = archive.OCI(ctx, srcPath, c.OCIAuth)
+		srcPath, err = archive.OCI(ctx, srcPath, c.OCIAuth, c.MaxImageSize)
 		if err != nil {
 			return nil, fmt.Errorf("failed to prepare scan path: %w", err)
 		}
-		destPath, err = archive.OCI(ctx, destPath, c.OCIAuth)
+		destPath, err = archive.OCI(ctx, destPath, c.OCIAuth, c.MaxImageSize)
 		if err != nil {
 			return nil, fmt.Errorf("failed to prepare scan path: %w", err)
 		}

pkg/action/oci_test.go

@@ -7,7 +7,6 @@ import (
 	"bytes"
 	"context"
 	"io/fs"
-	"os"
 	"runtime"
 	"testing"
 
@@ -55,10 +54,7 @@ func TestOCI(t *testing.T) {
 
 	got := out.String()
 
-	td, err := os.ReadFile("testdata/scan_oci")
-	if err != nil {
-		t.Fatalf("testdata read failed: %v", err)
-	}
+	td := readTestFile(t, "testdata/scan_oci")
 	want := string(td)
 
 	if diff := cmp.Diff(want, got); diff != "" {

pkg/action/scan.go

@@ -355,7 +355,7 @@ func handleScanPath(ctx context.Context, scanPath string, c malcontent.Config, r
 		c.Renderer.Scanning(ctx, scanPath)
 	}
 
-	scanInfo, err := prepareScanPath(ctx, scanPath, c.OCI, c.OCIAuth, logger)
+	scanInfo, err := prepareScanPath(ctx, scanPath, c.OCI, c.OCIAuth, c.MaxImageSize, logger)
 	if err != nil {
 		return fmt.Errorf("failed to prepare scan path: %w", err)
 	}
@@ -376,7 +376,7 @@ func handleScanPath(ctx context.Context, scanPath string, c malcontent.Config, r
 	return processPaths(ctx, paths, scanInfo, c, r, matchChan, matchOnce, logger)
 }
 
-func prepareScanPath(ctx context.Context, scanPath string, isOCI, useAuth bool, logger *clog.Logger) (scanPathInfo, error) {
+func prepareScanPath(ctx context.Context, scanPath string, isOCI, useAuth bool, maxImageSize int64, logger *clog.Logger) (scanPathInfo, error) {
 	if ctx.Err() != nil {
 		return scanPathInfo{}, ctx.Err()
 	}
@@ -391,7 +391,7 @@ func prepareScanPath(ctx context.Context, scanPath string, isOCI, useAuth bool,
 	}
 
 	info.imageURI = scanPath
-	ociPath, err := archive.OCI(ctx, info.imageURI, useAuth)
+	ociPath, err := archive.OCI(ctx, info.imageURI, useAuth, maxImageSize)
 	if err != nil {
 		return info, fmt.Errorf("failed to prepare OCI image for scanning: %w", err)
 	}

pkg/archive/archive.go

@@ -6,6 +6,8 @@ package archive
 import (
 	"archive/tar"
 	"context"
+	"crypto/rand"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
@@ -15,7 +17,6 @@ import (
 	"runtime"
 	"strings"
 	"sync"
-	"time"
 
 	"github.com/chainguard-dev/clog"
 	"github.com/chainguard-dev/malcontent/pkg/file"
@@ -140,7 +141,9 @@ func extractNestedArchive(ctx context.Context, c malcontent.Config, d string, f
 	// if we encounter this, replace the name with something that won't collide
 	if _, err := os.Stat(archivePath); err == nil {
 		logger.Debugf("duplicate file name already exists, modifying directory name for %s", archivePath)
-		archivePath = fmt.Sprintf("%s%d", archivePath, time.Now().UnixNano())
+		var suffix [8]byte
+		_, _ = rand.Read(suffix[:])
+		archivePath = fmt.Sprintf("%s_%s", archivePath, hex.EncodeToString(suffix[:]))
 	}
 
 	if err := os.MkdirAll(archivePath, 0o700); err != nil {

pkg/archive/bz2.go

@@ -61,8 +61,6 @@ func ExtractBz2(ctx context.Context, d, f string) error {
 		return fmt.Errorf("failed to create directory for file: %w", err)
 	}
 
-	// #nosec G115 // ignore Type conversion which leads to integer overflow
-	// header.Mode is int64 and FileMode is uint32
 	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
 	if err != nil {
 		return fmt.Errorf("failed to create file: %w", err)

pkg/archive/deb.go

@@ -18,7 +18,13 @@ import (
 )
 
 // ExtractDeb extracts .deb packages.
-func ExtractDeb(ctx context.Context, d, f string) error {
+func ExtractDeb(ctx context.Context, d, f string) (retErr error) {
+	// Recover from panics in third-party deb parsing library.
+	defer func() {
+		if r := recover(); r != nil {
+			retErr = fmt.Errorf("recovered from panic during deb extraction: %v", r)
+		}
+	}()
 	if ctx.Err() != nil {
 		return ctx.Err()
 	}

pkg/archive/fuzz_test.go

@@ -12,10 +12,22 @@ import (
 	"testing"
 	"time"
 
+	"github.com/chainguard-dev/malcontent/pkg/file"
 	"github.com/chainguard-dev/malcontent/pkg/malcontent"
 	"github.com/chainguard-dev/malcontent/pkg/programkind"
 )
 
+// readTestFile reads a file using file.GetContents for consistency with production code.
+func readTestFile(path string) ([]byte, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	buf := make([]byte, file.ExtractBuffer)
+	return file.GetContents(f, buf)
+}
+
 // FuzzExtractTar tests tar extraction with random inputs to find crashes,
 // path traversal vulnerabilities, and other issues.
 func FuzzExtractTar(f *testing.F) {
@@ -30,7 +42,7 @@ func FuzzExtractTar(f *testing.F) {
 	}
 
 	for _, td := range testdata {
-		if data, err := os.ReadFile(td); err == nil {
+		if data, err := readTestFile(td); err == nil {
 			f.Add(data)
 		}
 	}
@@ -85,7 +97,7 @@ func FuzzExtractZip(f *testing.F) {
 	}
 
 	for _, td := range testdata {
-		if data, err := os.ReadFile(td); err == nil {
+		if data, err := readTestFile(td); err == nil {
 			f.Add(data)
 		}
 	}
@@ -152,7 +164,7 @@ func FuzzExtractArchive(f *testing.F) {
 	}
 
 	for _, td := range testdata {
-		if data, err := os.ReadFile(td); err == nil {
+		if data, err := readTestFile(td); err == nil {
 			switch {
 			case strings.HasSuffix(td, ".tar.gz"):
 				f.Add(data, ".tar.gz")
@@ -270,7 +282,7 @@ func FuzzExtractGzip(f *testing.F) {
 	}
 
 	for _, td := range testdata {
-		if data, err := os.ReadFile(td); err == nil {
+		if data, err := readTestFile(td); err == nil {
 			f.Add(data)
 		}
 	}
@@ -367,7 +379,7 @@ func FuzzExtractZstd(f *testing.F) {
 	}
 
 	for _, td := range testdata {
-		if data, err := os.ReadFile(td); err == nil {
+		if data, err := readTestFile(td); err == nil {
 			f.Add(data)
 		}
 	}
@@ -419,7 +431,7 @@ func FuzzExtractZlib(f *testing.F) {
 	}
 
 	for _, td := range testdata {
-		if data, err := os.ReadFile(td); err == nil {
+		if data, err := readTestFile(td); err == nil {
 			f.Add(data)
 		}
 	}
@@ -473,7 +485,7 @@ func FuzzExtractRPM(f *testing.F) {
 	}
 
 	for _, td := range testdata {
-		if data, err := os.ReadFile(td); err == nil {
+		if data, err := readTestFile(td); err == nil {
 			f.Add(data)
 		}
 	}
@@ -530,7 +542,7 @@ func FuzzExtractDeb(f *testing.F) {
 	}
 
 	for _, td := range testdata {
-		if data, err := os.ReadFile(td); err == nil {
+		if data, err := readTestFile(td); err == nil {
 			f.Add(data)
 		}
 	}