Support for fail-on-error for container sbom generation. Env variable…

… to force non-strict tar extraction. Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
CycloneDX · Dec 26, 2024 · 0a08b74 · 0a08b74
1 parent f0e70a6
commit 0a08b74
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 3 deletions.
diff --git a/lib/managers/binary.js b/lib/managers/binary.js
@@ -499,6 +499,9 @@ export function getOSPackages(src) {
       }
       if (osReleaseData["VERSION_ID"]) {
         distro_id = `${distro_id}-${osReleaseData["VERSION_ID"]}`;
+        if (OS_DISTRO_ALIAS[distro_id]) {
+          distro_codename = OS_DISTRO_ALIAS[distro_id];
+        }
       }
       const tmpDependencies = {};
       (tmpBom.dependencies || []).forEach((d) => {

diff --git a/lib/managers/docker.js b/lib/managers/docker.js
@@ -782,6 +782,15 @@ export const getImage = async (fullImageName) => {
  * @param entry {tar.ReadEntry} ReadEntry object from node-tar
  */
 function handleAbsolutePath(entry) {
+  // Don't waste time with gibberish path
+  if (
+    !entry ||
+    !entry.path ||
+    entry.path.startsWith("{") ||
+    entry.path.includes("\n")
+  ) {
+    return;
+  }
   if (entry.path === "/" || win32.isAbsolute(entry.path)) {
     entry.path = stripAbsolutePath(entry.path);
   }
@@ -808,10 +817,13 @@ export const extractTar = async (fullImageName, dir, options) => {
         filter: (path, entry) => {
           // Some files are known to cause issues with extract
           return !(
+            path.startsWith("{") ||
+            path.includes("\n") ||
             path.includes("etc/machine-id") ||
             path.includes("etc/gshadow") ||
             path.includes("etc/shadow") ||
             path.endsWith("etc/passwd") ||
+            path.endsWith("etc/ssl/certs") ||
             path.includes("usr/lib/systemd/") ||
             path.includes("usr/lib64/libdevmapper.so") ||
             path.includes("usr/sbin/") ||
@@ -876,8 +888,12 @@ export const extractTar = async (fullImageName, dir, options) => {
        * 1) TAR_ENTRY_INFO is an informative error indicating that an entry is being modified.
        * 2) TAR_ENTRY_INVALID indicates that a given entry is not valid tar archive entry and will be skipped.
        */
-    } else if (!["TAR_ENTRY_INFO", "TAR_ENTRY_INVALID"].includes(err.code)) {
+    } else if (
+      DEBUG_MODE &&
+      ["TAR_ENTRY_INFO", "TAR_ENTRY_INVALID"].includes(err.code)
+    ) {
       console.log(err);
+      return false;
     } else if (DEBUG_MODE) {
       console.log(err.code, "is not handled yet in extractTar method.");
     }

diff --git a/types/lib/managers/binary.d.ts.map b/types/lib/managers/binary.d.ts.map
diff --git a/types/lib/managers/docker.d.ts.map b/types/lib/managers/docker.d.ts.map