Commit 66cda90
fix(extractor): implement two-pass OCI extraction and fix path normalization
This commit resolves a long-standing issue where OCI archives (and the "hybrid"
format produced by Docker Desktop's containerd store) would fail to scan silently.
Root Cause:
The previous implementation attempted to pipe a single blob stream to both a
JSON parser and a tar extractor simultaneously. This resulted in stream
corruption, causing both parsers to fail and the plugin to swallow errors,
ultimately returning zero results to the CLI.
Changes:
- Implemented a two-pass extraction strategy:
  1. Pass 1: Scans the archive to extract only JSON metadata (manifests, configs).
  2. Pass 2: Re-opens the archive to extract only the layers needed for the
     target platform.
- Robust Path Parsing: Added .filter(Boolean) to path splitting logic to
  gracefully handle archives using absolute paths (starting with /).
- Code Cleanup: Removed the unused platformInfo return variable as identified
  during review.
Impact:
- Successfully restores scanning functionality for images like ubuntu:latest and
mongo:8.0.17 on systems using the containerd image store.
- Improves error visibility by removing blanket catch-alls that hid failures.
Tickets: CN-731, CN-659, CN-657, CN-169, CN-5541
parent 215e156 commit 66cda90
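The two-pass strategy and the `.filter(Boolean)` path handling described in the commit message, sketched as an added example that is not part of the commit or the project's code. It assumes archive entries are already available as `{ name, data }` objects (a real extractor would re-open the tar stream for each pass); all function names, sample entries and digests are constructed.

```javascript
// Added example; helper names are hypothetical, not the project's code.
// filter(Boolean) drops the empty segment a leading "/" produces when splitting.
function normalizeEntryPath(name) {
  return name.split("/").filter(Boolean).filter((p) => p !== ".");
}

// "blobs/<alg>/<hex>" -> "<alg>:<hex>", the digest form used in OCI descriptors.
function blobDigest(name) {
  const p = normalizeEntryPath(name);
  return p.length === 3 && p[0] === "blobs" ? `${p[1]}:${p[2]}` : null;
}

// Pass 1: read only JSON metadata (index.json plus blobs that parse as JSON).
function collectMetadata(entries) {
  const meta = { index: null, blobs: new Map() };
  for (const { name, data } of entries) {
    const isIndex = normalizeEntryPath(name).join("/") === "index.json";
    const digest = blobDigest(name);
    if (!isIndex && !digest) continue;
    let doc;
    try { doc = JSON.parse(data.toString("utf8")); } catch { continue; } // binary layer
    if (isIndex) meta.index = doc; else meta.blobs.set(digest, doc);
  }
  if (!meta.index) throw new Error("index.json not found"); // fail loudly, not silently
  return meta;
}

// Pass 2: walk the archive again, keeping only the target platform's layers.
function selectLayers(entries, meta, platform) {
  const desc = meta.index.manifests.find(
    (m) => `${m.platform?.os}/${m.platform?.architecture}` === platform);
  const manifest = desc && meta.blobs.get(desc.digest);
  if (!manifest) throw new Error(`no manifest for ${platform}`);
  const layers = new Map(manifest.layers.map((l) => [l.digest, null]));
  for (const { name, data } of entries) {
    if (layers.has(blobDigest(name))) layers.set(blobDigest(name), data);
  }
  for (const [d, data] of layers) if (!data) throw new Error(`layer missing: ${d}`);
  return layers;
}
// Constructed sample: absolute, relative and "./" names; digests are not real.
const blob = (name, v) => ({ name, data: Buffer.isBuffer(v) ? v : Buffer.from(JSON.stringify(v)) });
const gz = Buffer.from([0x1f, 0x8b, 0x08, 0x00]);
const sampleEntries = [
  blob("/index.json", { manifests: [
    { digest: "sha256:aa01", platform: { os: "linux", architecture: "amd64" } },
    { digest: "sha256:aa02", platform: { os: "linux", architecture: "arm64" } }] }),
  blob("/blobs/sha256/aa01", { layers: [{ digest: "sha256:bb01" }, { digest: "sha256:bb02" }] }),
  blob("/blobs/sha256/aa02", { layers: [{ digest: "sha256:bb03" }] }),
  blob("/blobs/sha256/bb01", gz), blob("blobs/sha256/bb02", gz), blob("./blobs/sha256/bb03", gz),
];
```

Without `.filter(Boolean)`, the entry `/blobs/sha256/aa01` splits into four segments with an empty first one, so a check for `blobs` in the first position never matches and the manifest is not found.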
File tree
3 files changed, +899 -91 lines changed
- lib/extractor
- oci-archive
- test/lib/extractor/oci-archive