Avoid extracting joblib archives

pkg/action/scan.go

@@ -17,7 +17,7 @@
 	"sync"
 
 	"github.com/chainguard-dev/clog"
 	"github.com/chainguard-dev/malcontent/pkg/archive"
 	"github.com/chainguard-dev/malcontent/pkg/compile"
 	"github.com/chainguard-dev/malcontent/pkg/malcontent"
 	"github.com/chainguard-dev/malcontent/pkg/programkind"
@@ -494,6 +494,15 @@
 	var err error
 	var frs sync.Map
 
+	ft, err := programkind.File(archivePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to determine file type: %w", err)
+	}
+	if ft != nil && ft.MIME == "application/x-python-joblib" {
+		logger.Debugf("skipping unsupported archive: %s", archivePath)
+		return nil, nil
+	}
+
 	tmpRoot, err := archive.ExtractArchiveToTempDir(ctx, archivePath)
 	if err != nil {
 		return nil, fmt.Errorf("extract to temp: %w", err)
@@ -512,20 +521,22 @@
 		tmpRoot = fmt.Sprintf("/private%s", tmpRoot)
 	}
 
-	extractedPaths, err := findFilesRecursively(ctx, tmpRoot)
-	if err != nil {
-		return nil, fmt.Errorf("find: %w", err)
-	}
-
-	for _, extractedFilePath := range extractedPaths {
-		fr, err := processFile(ctx, c, rfs, extractedFilePath, archivePath, tmpRoot, logger)
+	if tmpRoot != "" {
+		extractedPaths, err := findFilesRecursively(ctx, tmpRoot)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("find: %w", err)
 		}
-		if fr != nil {
-			// Store a clean reprepsentation of the archive's scanned file to match single file scanning behavior
-			clean := strings.TrimPrefix(extractedFilePath, tmpRoot)
-			frs.Store(clean, fr)
+
+		for _, extractedFilePath := range extractedPaths {
+			fr, err := processFile(ctx, c, rfs, extractedFilePath, archivePath, tmpRoot, logger)
+			if err != nil {
+				return nil, err
+			}
+			if fr != nil {
+				// Store a clean reprepsentation of the archive's scanned file to match single file scanning behavior
+				clean := strings.TrimPrefix(extractedFilePath, tmpRoot)
+				frs.Store(clean, fr)
+			}
 		}
 	}
 

pkg/archive/archive.go

@@ -1,4 +1,4 @@
 package archive
 
 import (
 	"context"
@@ -26,19 +26,22 @@
 	f string,
 	extracted *sync.Map,
 ) error {
-	isArchive := false
+	var isArchive bool
 	// zlib-compressed files are also archives
 	ft, err := programkind.File(f)
 	if err != nil {
 		return fmt.Errorf("failed to determine file type: %w", err)
 	}
+
 	switch {
 	case ft != nil && ft.MIME == "application/x-upx":
 		isArchive = true
 	case ft != nil && ft.MIME == "application/zlib":
 		isArchive = true
 	case programkind.ArchiveMap[programkind.GetExt(f)]:
 		isArchive = true
+  default:
+    isArchive = false
 	}
 
 	//nolint:nestif // ignore complexity of 8
@@ -55,7 +58,8 @@
 		if err != nil {
 			return fmt.Errorf("failed to determine file type: %w", err)
 		}
-		switch {
+
+		switch {      
 		case ft != nil && ft.MIME == "application/x-upx":
 			extract = ExtractUPX
 		case ft != nil && ft.MIME == "application/zlib":
@@ -110,17 +114,28 @@
 	if err != nil {
 		return "", fmt.Errorf("failed to determine file type: %w", err)
 	}
+
+  var isArchive bool
+	ft, err := programkind.File(f)
+	if err != nil {
+		return fmt.Errorf("failed to determine file type: %w", err)
+	}
 
 	switch {
-	case ft != nil && ft.MIME == "application/zlib":
-		extract = ExtractZlib
 	case ft != nil && ft.MIME == "application/x-upx":
-		extract = ExtractUPX
-	default:
-		extract = ExtractionMethod(programkind.GetExt(path))
+		isArchive = true
+    extract = ExtractUPX
+	case ft != nil && ft.MIME == "application/zlib":
+		isArchive = true
+    extract = ExtractZlib
+	case programkind.ArchiveMap[programkind.GetExt(f)]:
+		isArchive = true
+    extract = ExtractionMethod(programkind.GetExt(path))
+  default:
+    isArchive = false
 	}
 
-	if extract == nil {
+	if !isArchive || extract == nil {
 		return "", fmt.Errorf("unsupported archive type: %s", path)
 	}
 	err = extract(ctx, tmpDir, path)

pkg/programkind/programkind.go

@@ -13,6 +13,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"regexp"
+	"slices"
 	"strings"
 
 	"github.com/gabriel-vasile/mimetype"
@@ -68,6 +69,7 @@ var supportedKind = map[string]string{
 	"hh":      "text/x-h",
 	"html":    "",
 	"java":    "text/x-java",
+	"joblib":  "application/x-python-joblib",
 	"js":      "application/javascript",
 	"lnk":     "application/x-ms-shortcut",
 	"lua":     "text/x-lua",
@@ -204,7 +206,7 @@ func makeFileType(path string, ext string, mime string) *FileType {
 
 // File detects what kind of program this file might be.
 //
-//nolint:cyclop // ignore complexity of 38
+//nolint:cyclop // ignore complexity of 44
 func File(path string) (*FileType, error) {
 	// Follow symlinks and return cleanly if the target does not exist
 	_, err := filepath.EvalSymlinks(path)
@@ -288,6 +290,21 @@ func File(path string) (*FileType, error) {
 		return Path(".gzip"), nil
 	case hdr[0] == '\x78' && hdr[1] == '\x5E':
 		return Path(".Z"), nil
+	// Capture joblib files that cannot be decompressed externally
+	// https://joblib.readthedocs.io/en/stable/generated/joblib.dump.html
+	// Check the header, file extension, and MIME type to be as specific as possible
+	case hdr[0] == '\x5A' && hdr[1] == '\x46' && hdr[2] == '\x30' && hdr[3] == '\x78':
+		joblibExts := []string{
+			".z",
+			".gz",
+			".bz2",
+			".xz",
+			".lzma",
+		}
+
+		if slices.Contains(joblibExts, GetExt(path)) && mtype.String() == "application/octet-stream" {
+			return Path(".joblib"), nil
+		}
 	}
 	return nil, nil
 }