Conversation

@Rupikz Rupikz commented Jun 26, 2025

Description

Rewritten from the deprecated fork github.com/anchore/archiver to github.com/mholt/archives

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • Chore (improve the developer experience, fix a test flake, etc, without changing the visible behavior of Syft)

Checklist:

  • I have tested my code in common scenarios and confirmed there are no regressions

Signed-off-by: Christopher Phillips <[email protected]>
```go
cleanupFn := func() error {
	return os.RemoveAll(tempDir)
}

// Every entry name is joined onto tempDir with SafeJoin, so a name containing
// "../" segments cannot resolve to a path outside the temp directory.
visitor := func(_ context.Context, file archives.FileInfo) error {
	destPath, err := intFile.SafeJoin(tempDir, file.NameInArchive)
```
I updated this to use the same kind of SafeJoin functionality so we don't escape the tmpDir, like we do in other parts of syft. If the archives library already handles this internally, apologies; I just couldn't find it on a quick inspection.

spiffcs commented Oct 13, 2025

@wagoodman I've looked at this one and added a small protection.

The visitor now uses a path aware directory join and cannot write outside the temp directory.
Tests also added.
Can you give a second pair of 👀 on this since I added a commit and would like a second review before we 🟢.

Also, I don't know what Static Analysis is on about here. I've checked out this branch even on a different machine and it's told me the go.mod and go.sum are tidy locally ☹️. I ended up doing a manual edit to fix the go.sum, but that seems super wrong.

@spiffcs spiffcs requested a review from wagoodman October 13, 2025 16:38
Signed-off-by: Christopher Phillips <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
spiffcs previously approved these changes Oct 13, 2025

@spiffcs spiffcs left a comment


This one now looks good to me after a first pass review. I identified a section in the visitor where we might be able to escape and write files to paths outside the temp directory, so I added a fix for this. I'd like additional 👀 from someone on @anchore/tools to check my work.

@spiffcs spiffcs self-requested a review October 13, 2025 19:52
@spiffcs spiffcs dismissed their stale review October 13, 2025 19:53

one more change is needed here where we also protect against symlink attacks
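The two protections discussed in this thread, a path-aware join for every entry name and a guard against symlink entries that point outside the temp directory, as an added example in Go. This is not the PR's code and not code from mholt/archives: `Entry` is a constructed stand-in for the `NameInArchive` and `LinkTarget` fields of `archives.FileInfo`, `SafeJoin` is an assumed implementation standing in for syft's `intFile.SafeJoin` (whose body is not on this page), and `SampleEntries` is a constructed archive listing.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Entry is a constructed stand-in for the two archives.FileInfo fields used here
// (NameInArchive, LinkTarget); it is not the mholt/archives type.
type Entry struct {
	NameInArchive string
	LinkTarget    string // non-empty for symlink entries
	Data          []byte
}

// escapes reports whether a path relative to a base climbs above that base.
func escapes(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// SafeJoin joins an archive entry name onto base and refuses any result outside
// base. It stands in for intFile.SafeJoin from the PR; this body is an assumption.
func SafeJoin(base, name string) (string, error) {
	cleanBase := filepath.Clean(base)
	target := filepath.Join(cleanBase, filepath.FromSlash(name)) // Join resolves ".." segments
	if rel, err := filepath.Rel(cleanBase, target); err != nil || escapes(rel) {
		return "", fmt.Errorf("entry %q escapes %q", name, base)
	}
	return target, nil
}

// checkLinkTarget rejects a symlink entry whose target, resolved relative to the
// link's own directory inside the archive, would point outside the destination.
func checkLinkTarget(dest, name, linkTarget string) error {
	if filepath.IsAbs(linkTarget) {
		return fmt.Errorf("entry %q has absolute symlink target %q", name, linkTarget)
	}
	linkDir := filepath.Dir(filepath.FromSlash(name))
	_, err := SafeJoin(dest, filepath.Join(linkDir, filepath.FromSlash(linkTarget)))
	return err
}

// writeFile creates a regular file; O_EXCL refuses to open through anything already
// at destPath, so a symlink planted by an earlier entry cannot redirect the write.
func writeFile(destPath string, data []byte) error {
	f, err := os.OpenFile(destPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// Extract writes entries below dest and returns the names it refused. A real
// visitor would abort on the first rejection; skipping here shows every case at once.
func Extract(dest string, entries []Entry) ([]string, error) {
	var rejected []string
	for _, e := range entries {
		destPath, err := SafeJoin(dest, e.NameInArchive)
		if err == nil && e.LinkTarget != "" {
			err = checkLinkTarget(dest, e.NameInArchive, e.LinkTarget)
		}
		if err != nil {
			rejected = append(rejected, e.NameInArchive)
			continue
		}
		if err := os.MkdirAll(filepath.Dir(destPath), 0o755); err != nil {
			return rejected, err
		}
		if e.LinkTarget != "" {
			err = os.Symlink(e.LinkTarget, destPath)
		} else {
			err = writeFile(destPath, e.Data)
		}
		if err != nil {
			return rejected, err
		}
	}
	return rejected, nil
}

// SampleEntries is a constructed listing mixing benign entries with the traversal
// and symlink cases discussed in the PR.
func SampleEntries() []Entry {
	return []Entry{
		{NameInArchive: "good.txt", Data: []byte("hello\n")},
		{NameInArchive: "../../evil.txt", Data: []byte("zip slip\n")},
		{NameInArchive: "sub/link-in", LinkTarget: "../good.txt"},
		{NameInArchive: "sub/link-out", LinkTarget: "../../../etc/passwd"},
		{NameInArchive: "abs-link", LinkTarget: "/etc/passwd"},
		{NameInArchive: "escape-dir", LinkTarget: ".."},
	}
}
```

Running `Extract` on a fresh temp directory with `SampleEntries` writes `good.txt` and the in-tree link `sub/link-in`, and refuses `../../evil.txt`, `sub/link-out`, `abs-link` and `escape-dir`. Two details matter for the symlink case: a link target is checked relative to the directory the link lives in, not relative to the destination root, and the check runs before the link is created, so no link to anything outside the temp directory ever exists on disk. `O_EXCL` on the file write covers the remaining in-archive trick, a link created by an earlier entry that a later entry would otherwise write through; since syft's tempDir is freshly created, pre-existing links are not a concern here, though a `filepath.EvalSymlinks` check on the parent directory would cover that too.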
