chore: migrate syft to use mholt/archives instead of anchore fork#4029
spiffcs merged 16 commits into anchore:main from
Conversation
| cleanupFn := func() error { | ||
| return os.RemoveAll(tempDir) | ||
| visitor := func(_ context.Context, file archives.FileInfo) error { | ||
| destPath, err := intFile.SafeJoin(tempDir, file.NameInArchive) |
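Review bot: the SafeJoin at `destPath, err := intFile.SafeJoin(tempDir, file.NameInArchive)` only constrains the path built from the entry name; nothing in this hunk checks the target of a symlink entry, so a link whose target resolves outside tempDir, or a later entry written through such a link, is not covered by this join. Validate the link target before creating it (reject absolute targets and targets that resolve above tempDir when joined from the link's own directory), and resolve destPath's parent directory after creating it so a write cannot follow a link made by an earlier entry.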
I updated this to use the same kind of SafeJoin functionality so we don't escape the tmpDir like we do in other parts of syft. If the archives library already handles this internally, apologies; I just couldn't find it on a quick inspection.
@wagoodman I've looked at this one and added a small protection. The visitor now uses a path-aware directory join and cannot write outside the temp directory. Also, I don't know what Static Analysis is on about here. I've checked out this branch, even on a different machine, and it's told me the go.mod and go.sum are tidy locally.
spiffcs
left a comment
This one now looks good to me after a first-pass review. I identified a section in the visitor where we might be able to escape and write files to paths outside the temp directory, so I added a fix for this. I'd like additional 👀 from someone on @anchore/tools to check my work.
One more change is needed here, where we also protect against symlink attacks.
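The two concerns raised in the review above, an entry name that escapes the temp directory and a symlink entry that does the same, as an added Go example. This is not syft's code and not mholt/archives' code: the `entry` struct is an assumed stand-in for the per-file value the visitor receives (only `NameInArchive` appears in the diff; `Mode`, `LinkTarget` and `Body` are assumptions), `safeJoin` is my own implementation rather than the project's `intFile.SafeJoin`, POSIX paths are assumed, and `hostileEntries` is a constructed sample, not a real archive. It generalizes beyond the diff by adding a second and third guard: the destination's parent is re-resolved after creation, and symlink targets are checked against the extraction root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// entry stands in for the per-file value a visitor receives (assumed shape, not the library's type).
type entry struct {
	NameInArchive string      // path as stored in the archive
	Mode          os.FileMode // ModeDir, ModeSymlink or a regular file mode
	LinkTarget    string      // symlink entries only
	Body          []byte      // regular files only
}

var ErrEscapesRoot = errors.New("archive entry escapes extraction root")

func insideRoot(root, p string) error {
	if rel, err := filepath.Rel(root, p); err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return ErrEscapesRoot
	}
	return nil
}

// safeJoin (assumed name, not syft's helper) refuses absolute names and names whose cleaned form climbs above root.
func safeJoin(root, name string) (string, error) {
	dest := filepath.Join(root, filepath.FromSlash(name)) // Join cleans "..", so "a/../../x" lands above root
	if filepath.IsAbs(name) || insideRoot(root, dest) != nil {
		return "", ErrEscapesRoot
	}
	return dest, nil
}

// visit writes one entry under root; ErrEscapesRoot means a guard rejected it, anything else is an I/O failure.
func visit(root string, e entry) error {
	dest, err := safeJoin(root, e.NameInArchive) // guard 1: the entry name itself
	if err != nil {
		return err
	}
	if e.Mode.IsDir() {
		return os.MkdirAll(dest, 0o755)
	}
	if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
		return err
	}
	// guard 2: an earlier entry may have made the parent a symlink, so resolve it before writing through it
	if parent, err := filepath.EvalSymlinks(filepath.Dir(dest)); err != nil {
		return err
	} else if err := insideRoot(root, parent); err != nil {
		return err
	}
	if e.Mode&os.ModeSymlink != 0 {
		// guard 3: the target, resolved from the link's own directory, must stay inside root; absolute targets are refused
		if filepath.IsAbs(e.LinkTarget) || insideRoot(root, filepath.Join(filepath.Dir(dest), e.LinkTarget)) != nil {
			return ErrEscapesRoot
		}
		return os.Symlink(e.LinkTarget, dest)
	}
	return os.WriteFile(dest, e.Body, 0o644)
}

func extractTo(root string, entries []entry) (written, rejected []string, err error) {
	if root, err = filepath.EvalSymlinks(root); err != nil { // canonical root, e.g. /tmp -> /private/tmp on macOS
		return nil, nil, err
	}
	for _, e := range entries {
		switch err := visit(root, e); {
		case errors.Is(err, ErrEscapesRoot):
			rejected = append(rejected, e.NameInArchive)
		case err != nil:
			return written, rejected, err
		default:
			written = append(written, e.NameInArchive)
		}
	}
	return written, rejected, nil
}

// hostileEntries is a constructed sample: a benign file, a ".." name, an escaping symlink, a symlink-to-directory escape followed by a write through it, and a benign symlink.
var hostileEntries = []entry{
	{NameInArchive: "pkg/manifest.txt", Mode: 0o644, Body: []byte("name=demo\n")},
	{NameInArchive: "../../escape.txt", Mode: 0o644, Body: []byte("owned\n")},
	{NameInArchive: "pkg/link-out", Mode: os.ModeSymlink | 0o777, LinkTarget: "../../../etc/passwd"},
	{NameInArchive: "pkg/dir-link", Mode: os.ModeSymlink | 0o777, LinkTarget: "../.."},
	{NameInArchive: "pkg/dir-link/via.txt", Mode: 0o644, Body: []byte("x")},
	{NameInArchive: "pkg/link-in", Mode: os.ModeSymlink | 0o777, LinkTarget: "manifest.txt"},
}

func main() {
	root, err := os.MkdirTemp("", "safe-extract-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	fmt.Println(extractTo(root, hostileEntries))
}
```

Running it writes `pkg/manifest.txt`, `pkg/dir-link/via.txt` and `pkg/link-in` and rejects `../../escape.txt`, `pkg/link-out` and `pkg/dir-link`. Guard 3 is what stops the `pkg/dir-link` escape; guard 2 is defense in depth for the case where the root already contained a link or a guard was bypassed, and costs one `EvalSymlinks` per entry.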
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
923d9a8 to cfad5bb
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
kzantow
left a comment
Overall LGTM, the SafeJoin usage I think is good 👍. Main things I think we should update:
- we don't ever need to log.Error close problems; there's a CloseAndLogError utility to simplify a bunch of those calls anyway
- the tests don't seem to be actually testing the function we want to verify: UnzipToDir
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
* chore: migrate syft to use mholt/archives instead of anchore fork (anchore#4029)

---------

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix(java): initialize license scanner in archive parser

This commit addresses a potential vulnerability where the license scanner was not properly initialized before use in the Java archive parser, which could lead to nil pointer dereference.

Additionally, updates test fixtures and assertions to reflect:
- Updated package versions in Rocky Linux (curl-minimal, httpd)
- Refactored deduplication tests to index by package name for better resilience to version changes
- Added comprehensive test documentation

---------

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Kudryavcev Nikolay <35200428+Rupikz@users.noreply.github.com>
Description
Rewritten from the deprecated fork github.com/anchore/archiver to github.com/mholt/archives