chore: consolidate archive extraction (CN-941)

[ividalATSnyk]

• Ready for review
• Follows CONTRIBUTING rules
• Reviewed by Snyk internal team

What does this PR do?

• wrap docker and kaniko archive extraction under a generic archive extractor to reduce duplication

Where should the reviewer start?

You can take a look at the generic extractor here.

How should this be manually tested?

You can test by running a scan via cli for a Kaniko or Docker Archive.

What are the relevant tickets?

• CN-941

Questions?

There may be a better method for testing manually, open to ideas!

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 PR contains tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Missing Compression Handling 🟠 [major] The original extractArchive implementations in docker-archive/layer.ts and kaniko-archive/layer.ts used gunzip-maybe, which handles optional gzip. The new consolidated createExtractArchive explicitly pipes createReadStream through gunzip() (line 120), which will fail or throw errors if the outer tar archive is not gzipped. While Docker and Kaniko tarballs are often compressed, uncompressed tar archives are valid and were previously supported by the 'maybe' variant. createReadStream(archiveFilesystemPath) .on("error", (error) => reject(error)) .pipe(gunzip()) .pipe(tarExtractor); Interface Mismatch 🟠 [major] The consolidation of ExtractedLayersAndManifest (line 59) uses TarArchiveManifest | OciArchiveManifest. However, TarArchiveManifest uses a capitalized Config property (line 47), while OciArchiveManifest uses a lowercase config object with a digest (seen in cross-file context). The ArchiveExtractor in lib/extractor/index.ts calls getImageIdFromManifest(archiveContent.manifest), which will fail for OCI archives if it expects the TarArchiveManifest structure, or vice-versa, as the factory logic in generic-archive-extractor.ts only handles the TarArchiveManifest shape. export interface ExtractedLayersAndManifest { layers: ExtractedLayers[]; manifest: TarArchiveManifest | OciArchiveManifest; imageConfig: ImageConfig; }

📚 Repository Context Analyzed This review considered 31 relevant code sections from 13 files (average relevance: 0.91) lib/extractor/oci-archive/layer.ts (2 segments, lines 1-207) lib/analyzer/image-inspector.ts (lines 1-299) lib/scan.ts (2 segments, lines 1-247) lib/extractor/oci-archive/index.ts (lines 1-16) lib/dockerfile/index.ts (lines 1-61) lib/inputs/file-pattern/static.ts (lines 1-67) lib/index.ts (lines 1-49) ... and 6 more file(s)