Skip to content

Commit 78972f2

Browse files
authored
Malcontent: change extraction error default (#1085)
* mal: always report when archive extraction fails malcontent by default bails out when it hits an extraction error like so: ``` $ mal scan mlflow-3.2.0-r0.apk 🔎 Scanning "mlflow-3.2.0-r0.apk" time=2025-08-12T14:30:08.221-07:00 level=ERROR source=$HOME/git/chainguard-dev/malcontent/pkg/action/scan.go:546 msg="unable to process mlflow-3.2.0-r0.apk: extract to temp: failed to walk directory: failed to extract archive: not a valid gzip archive: $HOME/tmp/mlflow-3.2.0-r0.apk2501165934/usr/share/mlflow/lib/python3.13/site-packages/joblib/test/data/joblib_0.10.0_compressed_pickle_py27_np17.gz" 💣 scan: extract to temp: failed to walk directory: failed to extract archive: not a valid gzip archive: $HOME/tmp/mlflow-3.2.0-r0.apk2501165934/usr/share/mlflow/lib/python3.13/site-packages/joblib/test/data/joblib_0.10.0_compressed_pickle_py27_np17.gz ``` However, when told to not exit on extraction errors, it then silently skips them: ``` $ mal --exit-extraction=false scan mlflow-3.2.0-r0.apk 🔎 Scanning "mlflow-3.2.0-r0.apk" ``` This patch adjusts malcontent to report failures to extract archives, even when continuing to process files, like so: ``` $ ~/git/chainguard-dev/malcontent/mal.adjusted --exit-extraction=false scan mlflow-3.2.0-r0.apk 🔎 Scanning "mlflow-3.2.0-r0.apk" time=2025-08-12T14:29:40.086-07:00 level=ERROR source=$HOME/git/chainguard-dev/malcontent/pkg/action/scan.go:546 msg="unable to process mlflow-3.2.0-r0.apk: extract to temp: failed to walk directory: failed to extract archive: not a valid gzip archive: $HOME/tmp/mlflow-3.2.0-r0.apk1123830767/usr/share/mlflow/lib/python3.13/site-packages/joblib/test/data/joblib_0.10.0_compressed_pickle_py27_np17.gz" $ echo $? 0 ``` But still returns an error code when set to exit on extraction failures: ``` $ ~/git/chainguard-dev/malcontent/mal.adjusted scan mlflow-3.2.0-r0.apk 🔎 Scanning "mlflow-3.2.0-r0.apk" time=2025-08-12T14:38:36.544-07:00 level=ERROR source=$HOME/git/chainguard-dev/malcontent/pkg/action/scan.go:546 msg="unable to process mlflow-3.2.0-r0.apk: extract to temp: failed to walk directory: failed to extract archive: not a valid gzip archive: $HOME/tmp/mlflow-3.2.0-r0.apk3305705399/usr/share/mlflow/lib/python3.13/site-packages/joblib/test/data/joblib_0.10.0_compressed_pickle_py27_np17.gz" 💣 scan: extract to temp: failed to walk directory: failed to extract archive: not a valid gzip archive: $HOME/tmp/mlflow-3.2.0-r0.apk3305705399/usr/share/mlflow/lib/python3.13/site-packages/joblib/test/data/joblib_0.10.0_compressed_pickle_py27_np17.gz $ echo $? 2 ``` Signed-off-by: Steve Beattie <steve.beattie@chainguard.dev> * mal: don't exit on extraction errors by default malcontent defaults to exiting on extraction errors by default, which ends up being something a lot of people trip over when trying to figure out what's being detected in an artifact. Fix that by defaulting to not exiting on extraction errors (with the prior change, malcontent will still report them). Signed-off-by: Steve Beattie <steve.beattie@chainguard.dev> --------- Signed-off-by: Steve Beattie <steve.beattie@chainguard.dev>
1 parent d423a56 commit 78972f2

2 files changed

Lines changed: 6 additions & 7 deletions

File tree

cmd/mal/mal.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -291,7 +291,7 @@ func main() {
291291
},
292292
&cli.BoolFlag{
293293
Name: "exit-extraction",
294-
Value: true,
294+
Value: false,
295295
Usage: "Exit when encountering file extraction errors",
296296
Destination: &exitExtractionFlag,
297297
},

pkg/action/scan.go

Lines changed: 5 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -538,7 +538,11 @@ func handleArchiveFile(ctx context.Context, path string, c malcontent.Config, r
538538
frs, err := processArchive(ctx, c, c.RuleFS, path, logger)
539539
if err != nil {
540540
logger.Errorf("unable to process %s: %v", path, err)
541-
return err
541+
// Avoid failing an entire scan when encountering problematic archives
542+
// e.g., joblib_0.8.4_compressed_pickle_py27_np17.gz: not a valid gzip archive
543+
if c.ExitExtraction {
544+
return err
545+
}
542546
}
543547

544548
if !c.OCI && (c.ExitFirstHit || c.ExitFirstMiss) {
@@ -664,11 +668,6 @@ func processArchive(ctx context.Context, c malcontent.Config, rfs []fs.FS, archi
664668

665669
tmpRoot, err := archive.ExtractArchiveToTempDir(ctx, archivePath)
666670
if err != nil {
667-
// Avoid failing an entire scan when encountering problematic archives
668-
// e.g., joblib_0.8.4_compressed_pickle_py27_np17.gz: not a valid gzip archive
669-
if !c.ExitExtraction {
670-
return nil, nil
671-
}
672671
return nil, fmt.Errorf("extract to temp: %w", err)
673672
}
674673
// Ensure that tmpRoot is removed before returning if created successfully

0 commit comments

Comments
 (0)