Skip to content

Avoid failing scans outright when encountering extraction failures#962

Merged
egibs merged 5 commits into
chainguard-dev:mainfrom
egibs:failed-extraction-blast-radius
May 27, 2025
Merged

Avoid failing scans outright when encountering extraction failures#962
egibs merged 5 commits into
chainguard-dev:mainfrom
egibs:failed-extraction-blast-radius

Conversation

@egibs
Copy link
Copy Markdown
Member

@egibs egibs commented May 27, 2025
edited
Loading

We currently fail scans when encountering extraction errors which will prevent any report generation. This is not great when scanning many files wherein only one or a handful of files cannot be processed.

This PR introduces an opt-out flag (--exit-extraction) to ignore these failures. By default, the behavior remains the same but it's easy enough to default this to false in the future. I added two new test cases to cover the new configuration option and it behaves as expected.

I also addressed an inconsistency between mimetype.Detect and Path. The latter would not return a valid MIME type which would cause issues if we were expecting ft.MIME to be populated. We also need to keep a list of valid archive extensions and at least one MIME type in the supportedKind map. In cases like .zip or .gz extractions, we can do another lookup to cover additional types in cases where mimetype.Detect is used over Path.

FWIW, we do mitigate this in other places by doing something like:

if err != nil {
	if strings.Contains(err.Error(), "failed to extract") {
		log.Error(err.Error())
		return nil
	}
	return err
}

@egibs egibs requested review from antitree and eslerm May 27, 2025 14:14
@egibs
Avoid failing scans outright when encountering extraction failures
b6cda75 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@egibs egibs force-pushed the failed-extraction-blast-radius branch from 044e9f6 to b6cda75 Compare May 27, 2025 16:18
egibs added 3 commits May 27, 2025 13:06
@egibs
Address gap between mimetype.Detect and Path re: archives
3694159 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@egibs
Appease the linter
714a23f 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@egibs
Fix tests
d060097 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
eslerm
eslerm approved these changes May 27, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@eslerm eslerm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Appreciate that a minified test is included 🙏

@egibs
Add MIME type for 7z
d09043b 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@egibs egibs enabled auto-merge (squash) May 27, 2025 21:04
@egibs egibs merged commit c348e4b into chainguard-dev:main May 27, 2025
12 checks passed
@egibs egibs deleted the failed-extraction-blast-radius branch May 28, 2025 22:48
@BrewTestBot BrewTestBot mentioned this pull request Jun 4, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eslerm eslerm eslerm approved these changes

@antitree antitree Awaiting requested review from antitree

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@egibs @eslerm