
Conversation

@art1f1c3R art1f1c3R commented Oct 9, 2025

Summary

Addressing #1202, which occurred due to a tarfile.SpecialFileError. This case happened because the provided package had uploaded what Linux classes as a character file (like a device file). Instead of handling specifically tarfile.ReadError, the download_package_sourcecode function now handles all tarfile errors using tarfile.TarError, the base error class.

Description of changes

In addition to those changes mentioned above, also included in this PR is modifying DetectMaliciousMetadataCheck.analyze_source to return SKIP instead of raising a HeuristicAnalyzerValueError from a SourceCodeError. This means that the result of the metadata analysis is still preserved and the analysis result does not result in UNKNOWN.

Related issues

Closes #1202.

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.

@art1f1c3R art1f1c3R requested a review from behnazh-w as a code owner October 9, 2025 03:50
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Oct 9, 2025
@art1f1c3R art1f1c3R force-pushed the art1f1c3R/tarfile-extract-bug branch from 8c9c454 to 0a7a8b9 Compare October 9, 2025 05:01
@behnazh-w behnazh-w self-requested a review October 9, 2025 05:03
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
@art1f1c3R art1f1c3R force-pushed the art1f1c3R/tarfile-extract-bug branch from 0a7a8b9 to ad1bbcc Compare October 9, 2025 23:20
@behnazh-w behnazh-w self-requested a review October 9, 2025 23:45
@art1f1c3R art1f1c3R merged commit f897fb6 into main Oct 10, 2025
9 checks passed

[Bug] - [Analysis fails on PyPI package with special file]