Skip to content

fix: handle all tarfile extract errors#1206

Merged
art1f1c3R merged 1 commit into
mainfrom
art1f1c3R/tarfile-extract-bug
Oct 10, 2025
Merged

fix: handle all tarfile extract errors#1206
art1f1c3R merged 1 commit into
mainfrom
art1f1c3R/tarfile-extract-bug

Conversation

@art1f1c3R

@art1f1c3R art1f1c3R commented Oct 9, 2025
edited
Loading

Copy link
Copy Markdown

Summary

Addressing #1202, which occurred due to a tarfile.SpecialFileError, this case happened as the provided package had uploaded what linux classes as a character file (like a device file). Instead of handling specifically tarfile.ReadError, the download_package_sourcecode function how handles all tarfile errors using tarfile.TarError, the base error class.

Description of changes

In addition to those changes mentioned above, also included in this PR is modifying DetectMaliciousMetadataCheck.analyze_source to return SKIP instead of raising a HeuristicAnalyzerValueError from a SourceCodeError. This means that the result of the metadata analysis is still preserved and the analysis result does not result in UNKNOWN.

Related issues

Closes #1202.

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.

@art1f1c3R art1f1c3R requested a review from behnazh-w as a code owner October 9, 2025 03:50
@oracle-contributor-agreement oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Oct 9, 2025
@art1f1c3R art1f1c3R force-pushed the art1f1c3R/tarfile-extract-bug branch from 8c9c454 to 0a7a8b9 Compare October 9, 2025 05:01
@behnazh-w behnazh-w self-requested a review October 9, 2025 05:03
fix: handle all tarfile extract errors
ad1bbcc 
Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
@art1f1c3R art1f1c3R force-pushed the art1f1c3R/tarfile-extract-bug branch from 0a7a8b9 to ad1bbcc Compare October 9, 2025 23:20
@behnazh-w behnazh-w self-requested a review October 9, 2025 23:45
@art1f1c3R art1f1c3R merged commit f897fb6 into main Oct 10, 2025
9 checks passed
@art1f1c3R art1f1c3R deleted the art1f1c3R/tarfile-extract-bug branch February 23, 2026 02:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@behnazh-w behnazh-w behnazh-w approved these changes

Assignees

No one assigned

Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug] - [Analysis fails on PyPI package with special file]

2 participants

@art1f1c3R @behnazh-w