Avoid failing scans outright when encountering extraction failures

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

cmd/mal/mal.go

@@ -50,6 +50,7 @@ var (
 	allFlag                   bool
 	concurrencyFlag           int
 	diffImageFlag             bool
+	exitExtractionFlag        bool
 	exitFirstHitFlag          bool
 	exitFirstMissFlag         bool
 	fileRiskChangeFlag        bool
@@ -262,6 +263,7 @@ func main() {
 
 			mc = malcontent.Config{
 				Concurrency:           concurrency,
+				ExitExtraction:        exitExtractionFlag,
 				ExitFirstHit:          exitFirstHitFlag,
 				ExitFirstMiss:         exitFirstMissFlag,
 				IgnoreSelf:            ignoreSelfFlag,
@@ -287,6 +289,12 @@ func main() {
 				Usage:       "Ignore nothing within a provided scan path",
 				Destination: &allFlag,
 			},
+			&cli.BoolFlag{
+				Name:        "exit-extraction",
+				Value:       true,
+				Usage:       "Exit when encountering file extraction errors",
+				Destination: &exitExtractionFlag,
+			},
 			&cli.BoolFlag{
 				Name:        "exit-first-miss",
 				Value:       false,

pkg/action/archive_test.go

@@ -260,6 +260,89 @@ func TestScanArchive(t *testing.T) {
 	}
 }
 
+func extractError(e error) error {
+	if strings.Contains(e.Error(), "not a valid gzip archive") {
+		return nil
+	}
+	return e
+}
+
+func TestScanInvalidArchive(t *testing.T) {
+	t.Parallel()
+	ctx := slogtest.Context(t)
+	clog.FromContext(ctx).With("test", "scan_archive")
+
+	var out bytes.Buffer
+	r, err := render.New("json", &out)
+	if err != nil {
+		t.Fatalf("render: %v", err)
+	}
+
+	rfs := []fs.FS{rules.FS, thirdparty.FS}
+	yrs, err := CachedRules(ctx, rfs)
+	if err != nil {
+		t.Fatalf("rules: %v", err)
+	}
+
+	mc := malcontent.Config{
+		Concurrency:    runtime.NumCPU(),
+		ExitExtraction: true,
+		IgnoreSelf:     false,
+		MinFileRisk:    0,
+		MinRisk:        0,
+		Renderer:       r,
+		Rules:          yrs,
+		ScanPaths:      []string{"testdata/joblib_0.9.4.dev0_compressed_cache_size_pickle_py35_np19.gz"},
+	}
+	_, err = Scan(ctx, mc)
+	err = extractError(err)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestScanInvalidArchiveIgnore(t *testing.T) {
+	t.Parallel()
+	ctx := slogtest.Context(t)
+	clog.FromContext(ctx).With("test", "scan_archive")
+
+	var out bytes.Buffer
+	r, err := render.New("json", &out)
+	if err != nil {
+		t.Fatalf("render: %v", err)
+	}
+
+	rfs := []fs.FS{rules.FS, thirdparty.FS}
+	yrs, err := CachedRules(ctx, rfs)
+	if err != nil {
+		t.Fatalf("rules: %v", err)
+	}
+
+	mc := malcontent.Config{
+		Concurrency:    runtime.NumCPU(),
+		ExitExtraction: false,
+		IgnoreSelf:     false,
+		MinFileRisk:    0,
+		MinRisk:        0,
+		Renderer:       r,
+		Rules:          yrs,
+		ScanPaths:      []string{"testdata/joblib_0.9.4.dev0_compressed_cache_size_pickle_py35_np19.gz"},
+	}
+	res, err := Scan(ctx, mc)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := r.Full(ctx, nil, res); err != nil {
+		t.Fatalf("full: %v", err)
+	}
+
+	got := out.String()
+	want := "{}\n"
+	if diff := cmp.Diff(want, got); diff != "" {
+		t.Errorf("output mismatch: (-want +got):\n%s", diff)
+	}
+}
+
 func TestGetExt(t *testing.T) {
 	tests := []struct {
 		path string

pkg/action/scan.go

@@ -630,7 +630,12 @@ func processArchive(ctx context.Context, c malcontent.Config, rfs []fs.FS, archi
 
 	tmpRoot, err := archive.ExtractArchiveToTempDir(ctx, archivePath)
 	if err != nil {
-		return nil, fmt.Errorf("extract to temp: %w", err)
+		// Avoid failing an entire scan when encountering problematic archives
+		// e.g., joblib_0.8.4_compressed_pickle_py27_np17.gz: not a valid gzip archive
+		if c.ExitExtraction {
+			return nil, fmt.Errorf("extract to temp: %w", err)
+		}
+		return nil, nil
 	}
 	// Ensure that tmpRoot is removed before returning if created successfully
 	defer func() {

pkg/action/testdata/joblib_0.9.4.dev0_compressed_cache_size_pickle_py35_np19.gz

@@ -23,6 +23,7 @@ type Renderer interface {
 
 type Config struct {
 	Concurrency           int
+	ExitExtraction        bool
 	ExitFirstHit          bool
 	ExitFirstMiss         bool
 	FileRiskChange        bool