ensure shbang check only checks valid shbangs

Signed-off-by: Josh Wolf <josh@wolfs.io>
chainguard-dev · Apr 23, 2024 · 6fd96bb · 6fd96bb
1 parent 03bc0ff
commit 6fd96bb
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 1 deletion.
diff --git a/pkg/sca/sca.go b/pkg/sca/sca.go
@@ -583,7 +583,7 @@ func getShbang(fp fs.File) (string, error) {
 		return "", err
 	}
 
-	if buf[0] != '#' && buf[1] != '!' {
+	if buf[0] != '#' || buf[1] != '!' {
 		return "", nil
 	}
 

diff --git a/pkg/sca/testdata/shbang-test-1-r1.apk b/pkg/sca/testdata/shbang-test-1-r1.apk
diff --git a/pkg/sca/testdata/shbang-test.yaml b/pkg/sca/testdata/shbang-test.yaml
@@ -74,6 +74,26 @@ pipeline:
       }
       EOF
 
+      wbin "ignore1" <<"EOF"
+      ## Ingore1
+      EOF
+
+      wbin "ignore5" <<"EOF"
+      !! Ignore5
+      EOF
+
+      wbin "ignore2" <<"EOF"
+      !# Ignore2
+      EOF
+
+      wbin "ignore3" <<"EOF"
+      ! Ignore3
+      EOF
+
+      wbin "ignore4" <<"EOF"
+      # Ignore4
+      EOF
+
       gcc -o hello hello.c && strip hello && cp hello "$BD/usr/bin/hello"
 
 update: