diff --git a/dpkg/scanner.go b/dpkg/scanner.go
index ee441329b..584d71f49 100644
--- a/dpkg/scanner.go
+++ b/dpkg/scanner.go
@@ -124,7 +124,8 @@ Find:
 var db io.Reader
 var h *tar.Header
 for h, err = tr.Next(); err == nil; h, err = tr.Next() {
- if h.Name == fn {
+ // The location from above is cleaned, so make sure to do that.
+ if c := filepath.Clean(h.Name); c == fn {
 db = tr
 break
 }
diff --git a/dpkg/scanner_test.go b/dpkg/scanner_test.go
index 99db83c96..064f0aecd 100644
--- a/dpkg/scanner_test.go
+++ b/dpkg/scanner_test.go
@@ -825,6 +825,39 @@ func TestScanner(t *testing.T) {
 }
 }
 
+func TestAbsolutePaths(t *testing.T) {
+ ctx := zlog.Test(context.Background(), t)
+ hash, err := claircore.ParseDigest("sha256:3c9020349340788076971d5ea638b71e35233fd8e149e269d8eebfa17960c03f")
+ if err != nil {
+ t.Fatal(err)
+ }
+ l := &claircore.Layer{
+ Hash: hash,
+ }
+
+ tctx, done := context.WithTimeout(ctx, 30*time.Second)
+ defer done()
+ n, err := fetch.Layer(tctx, t, http.DefaultClient, "gcr.io", "vmwarecloudadvocacy/acmeshop-user", hash)
+ if err != nil {
+ t.Error(err)
+ }
+ defer n.Close()
+
+ if err := l.SetLocal(n.Name()); err != nil {
+ t.Error(err)
+ }
+
+ s := &Scanner{}
+ got, err := s.Scan(ctx, l)
+ if err != nil {
+ t.Fatal(err)
+ }
+ t.Logf("found %d packages", len(got))
+ if len(got) == 0 {
+ t.Fail()
+ }
+}
+
 func TestExtraMetadata(t *testing.T) {
 const layerfile = `testdata/extrametadata.layer`
 l := claircore.Layer{
diff --git a/test/fetch/layer.go b/test/fetch/layer.go
index 97cd8b9b9..d52612e56 100644
--- a/test/fetch/layer.go
+++ b/test/fetch/layer.go
@@ -27,6 +27,7 @@ const (
 var registry = map[string]*client{
 "docker.io": &client{Root: "https://registry-1.docker.io/"},
 "quay.io": &client{Root: "https://quay.io/"},
+ "gcr.io": &client{Root: "https://gcr.io/"},
 }
 
 func Layer(ctx context.Context, t *testing.T, c *http.Client, from, repo string, blob claircore.Digest) (*os.File, error) {
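Review bot: In the `Find:` loop of dpkg/scanner.go, `h.Name` is read straight from the layer's tar headers, and `filepath.Clean` folds `./`, repeated slashes and `..` segments, so several different raw entry names now compare equal to `fn` and the `break` takes whichever appears first in the archive. The comment should say so, for example `// h.Name is untrusted layer content; compare it in the same cleaned form used to build fn. The first matching entry wins.`, and it is worth confirming that first-match is the intended choice when a layer carries more than one entry that cleans to the same path. Tar names are always slash-separated, so `path.Clean` may fit better than the OS-dependent `filepath.Clean`, provided the code that produced `fn` is changed to match. The rest of the loop body and the earlier pass that derives `fn` lie outside this hunk.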
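Review bot: In `TestAbsolutePaths`, a failed `fetch.Layer` call is reported with `t.Error(err)`, so the test carries on and calls `n.Name()` on what is presumably a nil `*os.File`, which would panic rather than fail cleanly. Use `t.Fatal(err)` there, and likewise after `l.SetLocal(n.Name())`, since `s.Scan` has nothing valid to read if the layer was never set up. The closing `t.Fail()` would be easier to diagnose as `t.Fatal("no packages found")`.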