fix: improve diff determinism for UPX files and file moves in general #1265
Merged
egibs merged 2 commits into chainguard-dev:main from Dec 12, 2025
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
stevebeattie (Member) approved these changes on Dec 12, 2025 and left a comment:
One question, but not a blocker for this PR. Thanks!
Comment on lines +118 to +121:
| // selectPrimaryFile selects a single file from a map of file reports in a deterministic way. | ||
| // e.g., when a UPX-packed file is scanned, it produces the decompressed file | ||
| // and preserves the original file (with a .~ suffix). | ||
| func selectPrimaryFile(files map[string]*malcontent.FileReport) *malcontent.FileReport { |
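Review bot: the doc comment above the selectPrimaryFile signature promises a deterministic choice but never states the rule. Say in the comment which variant wins (the decompressed file or the preserved .~ original), how a tie between several candidates is broken, and what comes back for a nil or empty map, since the function returns a *malcontent.FileReport that callers may dereference without a check.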
Member commented:
I know we currently only use this for diff results, but is there a situation where we'd want to use this function for non-diff reports?
Author (Member) replied:
Good question. I can't think of an exact example right now but there could be a situation where we'd want to favor one variant of a file over another if they share the same name.
Relates to: #1230
There was still a remaining edge case for diffing non-UPX files with a UPX file. Since we preserve the original file when decompressing a UPX file, the chosen file would sometimes be the decompressed file or the original file, which would produce inconsistent results.
This PR prefers the decompressed version (i.e., the file without the .~ suffix), which matches our existing archive diffing behavior. We do want to handle UPX files better in the future, but this will resolve the immediate issues.
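The selection rule described above, sketched as an added Go example; it is not malcontent's code. The names report, preservedSuffix and pickPrimary are hypothetical, and the sorted-key tiebreak and nil handling are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// report is a hypothetical stand-in for a per-file scan result (not malcontent's FileReport).
type report struct {
	Path string
	Risk int
}

// preservedSuffix marks the original packed file kept beside the decompressed one.
const preservedSuffix = ".~"

// pickPrimary returns the same report for the same input on every run.
// Go randomizes map iteration order, so the keys are sorted first (an
// assumed tiebreak), and the first path without the ".~" suffix wins.
// If every entry is a preserved original, the first sorted entry is used.
// A nil or empty map, or one holding only nil reports, yields nil.
func pickPrimary(files map[string]*report) *report {
	keys := make([]string, 0, len(files))
	for k, r := range files {
		if r != nil { // skip nil entries so callers never get a nil from a non-empty pick
			keys = append(keys, k)
		}
	}
	if len(keys) == 0 {
		return nil
	}
	sort.Strings(keys)
	for _, k := range keys {
		if !strings.HasSuffix(k, preservedSuffix) {
			return files[k]
		}
	}
	return files[keys[0]]
}

func main() {
	// Constructed sample: one UPX-packed binary reported under two paths.
	files := map[string]*report{
		"/tmp/scan/tool.~": {Path: "/tmp/scan/tool.~", Risk: 3},
		"/tmp/scan/tool":   {Path: "/tmp/scan/tool", Risk: 4},
	}
	fmt.Println(pickPrimary(files).Path) // /tmp/scan/tool
}
```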