chore: call cleanup on tmpfile and replace some io.ReadAlls with streams #4629

Merged: willmurphyscode merged 3 commits into main from decomp-fixes on Feb 17, 2026

@willmurphyscode (Contributor)

Description

  • ensure that the file source cleans up the temp dir, even if, for example, an error is encountered part way through unarchiving
  • move the deb archive handling of control.tar.gz and the snap cataloger handling of changelog.Debian.gz to be a streaming parser, reducing excess allocations.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • Chore (improve the developer experience, fix a test flake, etc, without changing the visible behavior of Syft)
  • Performance (make Syft run faster or use less memory, without changing visible behavior much)

A case could be made for both. Previously, in the file source, if syft encountered an error unarchiving to tmp, it could leak the tempfiles. Fixing that was a bug fix. Also, in the deb and snap catalogers there were some needless io.ReadAll calls that have been replaced with stream parsing.

Checklist

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Issue references

Previously, Syft could allocate excess memory or tempfile space if there
were highly compressed objects in deb archives, or at paths where the
kernel changelog was expected by the snap cataloger. Use io.LimitReaders
for extracting parts of deb archives, and refactor the snap cataloger's
reading of the kernel changelog to use streaming parsing, eliminating
the possibility of excess allocation.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
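
The two techniques named in the commit message above (a limit reader around decompressed data, and stream parsing in place of io.ReadAll), as an added Go example that is not code from this pull request or from Syft. The function names, the limits and the sample data are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

var ErrTooLarge = errors.New("decompressed data exceeds limit")

// copyBounded copies at most max+1 bytes from a decompressing reader to dst.
// io.LimitReader truncates silently; the extra byte reveals an overrun.
func copyBounded(dst io.Writer, r io.Reader, max int64) (int64, error) {
	n, err := io.Copy(dst, io.LimitReader(r, max+1))
	if err == nil && n > max {
		err = ErrTooLarge
	}
	return n, err
}

// firstLine reads only as much of r as the first line needs. A line longer
// than maxLine fails with bufio.ErrTooLong instead of growing the buffer.
func firstLine(r io.Reader, maxLine int) (string, error) {
	sc := bufio.NewScanner(r)
	sc.Buffer(nil, maxLine)
	sc.Scan()
	return sc.Text(), sc.Err()
}

// gunzipSample returns constructed input: a reader decompressing gzip(data).
func gunzipSample(data []byte) io.Reader {
	var b bytes.Buffer
	w := gzip.NewWriter(&b)
	w.Write(data)
	w.Close()
	zr, err := gzip.NewReader(&b)
	if err != nil {
		panic(err)
	}
	return zr
}

func main() {
	fmt.Println(copyBounded(io.Discard, gunzipSample(make([]byte, 8<<20)), 1<<20))
	fmt.Println(firstLine(gunzipSample([]byte("pkg (1.0) stable\n\n  * entry\n")), 256))
}
```

Both functions take any io.Reader, so the same bounds apply whichever decompressor sits underneath.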

@kzantow (Contributor) left a comment

LGTM 👍

willmurphyscode marked this pull request as ready for review February 17, 2026 22:32
willmurphyscode merged commit 0a3f7bb into main Feb 17, 2026
10 checks passed
willmurphyscode deleted the decomp-fixes branch February 17, 2026 22:32