Fix unzipping JARs that symlink to other layers #1555
spatten
left a comment
This looks good to me!
Can you make sure you have git lfs installed? It should be as easy as
brew install git-lfs
I had to fix an error in the nested_jars.tar file where it wasn't set up in LFS correctly. This might be me, as I've run into this a few times, but some Googling seems to say it happens if someone commits a large file and does not have LFS set up.
I had to do this:
git add --renormalize .
git commit -m 'fix LFS files'
git push
Overview
This ticket solves an issue where a symlink between a container image's layers is blocking our JARs in Containers analysis from completing, which results in the overall CLI container analysis failing.
Delivers https://fossa.atlassian.net/browse/ANE-2474
Acceptance criteria
Testing plan
I downloaded the impacted JAR from the ticket
I ran the old version on it and saw the same failure the user is seeing
I ran the updated version in this PR and saw that only 1 JAR failed to be unzipped, but that the others succeeded.
I added a test to the nested_jars.tar test that has a symlinked tar. The previous version of the CLI wasn't able to successfully analyze this and failed on the current test suite.
You will see a warn log line if you run fossa analyze --debug when analyzing this tar file with the new CLI.
Risks
This method warns and skips any JAR it comes across that fails extraction. This could result in unintended consequences with JARs that we truly have issues unarchiving. I believe this trade off is worth it. The customer issue in 2474 is solved by this fix and is the first time we have been pushed to deal with JAR extraction issues. Additionally, the error is not swallowed, it is still warned and we can see what happens.
References
ANE-2474: Implement a fix for unzipping symlinked jars
Checklist
docs/.
docs/README.ms and gave consideration to how discoverable or not my documentation is.
Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
.fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
docs/references/subcommands/<subcommand>.md.
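The warn-and-skip behaviour described under Risks, sketched as an added Python example; it is not the CLI's own code. The layer contents, paths and function names are constructed for the demonstration, and the scan reads JARs in memory rather than extracting them to disk.

```python
import io, logging, tarfile, zipfile

log = logging.getLogger("jar-scan")

def make_layer():
    """Constructed sample layer: one real JAR, one JAR symlinked into another layer."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as t:
        info = tarfile.TarInfo("app/lib/real.jar")
        info.size = len(jar.getvalue())
        t.addfile(info, io.BytesIO(jar.getvalue()))
        link = tarfile.TarInfo("app/lib/linked.jar")
        link.type = tarfile.SYMTYPE
        link.linkname = "/opt/base/shared.jar"  # target is not present in this layer
        t.addfile(link)
    return layer.getvalue()

def scan_layer_jars(layer_bytes):
    """Return (entries per readable JAR, skipped JAR paths).

    A JAR that cannot be read is logged and skipped so one bad entry
    does not fail the scan of the whole layer.
    """
    found, skipped = {}, []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as t:
        for member in t.getmembers():
            if not member.name.endswith(".jar"):
                continue
            try:
                if not member.isfile():
                    # Symlink or hardlink: do not follow it outside this layer.
                    raise ValueError(f"not a regular file (link to {member.linkname!r})")
                data = t.extractfile(member).read()
                with zipfile.ZipFile(io.BytesIO(data)) as z:
                    found[member.name] = z.namelist()
            except (ValueError, KeyError, zipfile.BadZipFile, tarfile.TarError) as err:
                log.warning("skipping %s: %s", member.name, err)
                skipped.append(member.name)
    return found, skipped

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(scan_layer_jars(make_layer()))
```

Returning the skipped paths alongside the results keeps the failure visible to the caller, which matches the point that the error is warned about rather than swallowed.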