Skip to content

Add Extractor for Open Virtualization Appliance (.ova) Files #1214#1243

Closed
0xXA wants to merge 1 commit intogoogle:mainfrom
0xXA:ova-plugin
Closed

Add Extractor for Open Virtualization Appliance (.ova) Files #1214#1243
0xXA wants to merge 1 commit intogoogle:mainfrom
0xXA:ova-plugin

Conversation

@0xXA
Copy link
Copy Markdown
Contributor

@0xXA 0xXA commented Aug 31, 2025
edited
Loading

This PR resolves #1214.
Related testbed: google/security-testbeds#164

0xXA added a commit to 0xXA/security-testbeds that referenced this pull request Aug 31, 2025
@0xXA
Add OVA Test Image for OSV-Scalibr
129f0f1 
Related Issue: google/osv-scalibr#1214

Related PR: google/osv-scalibr#1243

Signed-off-by: Yuvraj Saxena <ysaxenax@gmail.com>
@0xXA 0xXA mentioned this pull request Aug 31, 2025
Open
@0xXA 0xXA force-pushed the ova-plugin branch 13 times, most recently from fe68a83 to bbb3b42 Compare October 5, 2025 12:50
@0xXA 0xXA force-pushed the ova-plugin branch 4 times, most recently from bbb9d1b to 57191fd Compare October 13, 2025 11:13
erikvarga
erikvarga reviewed Oct 13, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 13, 2025
View reviewed changes
@0xXA 0xXA force-pushed the ova-plugin branch 4 times, most recently from 3b3a184 to 58a2220 Compare October 13, 2025 12:53
@0xXA
Copy link
Copy Markdown
Contributor Author

0xXA commented Oct 13, 2025

I have addressed all the issues!

erikvarga
erikvarga reviewed Oct 13, 2025
View reviewed changes
@0xXA 0xXA force-pushed the ova-plugin branch 2 times, most recently from feb72cd to 78caebb Compare October 13, 2025 14:15
@0xXA
Copy link
Copy Markdown
Contributor Author

0xXA commented Oct 13, 2025

I have fixed everything!

@0xXA
Copy link
Copy Markdown
Contributor Author

0xXA commented Oct 13, 2025

This Code scanner got no chill.
I think I should add a check for "..".

@erikvarga
Copy link
Copy Markdown
Collaborator

erikvarga commented Oct 13, 2025

There seems to be a problem with the TestExtractMaliciousOVA test internally as well - it outputs "Extract succeeded, want error for parent path entry"
I see the tests in GA succeeded though.
I'll have to investigate this further.

@0xXA
Add Extractor for Open Virtualization Appliance (.ova) Files google#1214
84591cf 


This PR resolves google#1214.

Signed-off-by: Yuvraj Saxena <ysaxenax@gmail.com>
@0xXA
Copy link
Copy Markdown
Contributor Author

0xXA commented Oct 13, 2025

There seems to be a problem with the TestExtractMaliciousOVA test internally as well - it outputs "Extract succeeded, want error for parent path entry" I see the tests in GA succeeded though. I'll have to investigate this further.

Weird. Can you provide logs !? I'd appreciate it.

@erikvarga
Copy link
Copy Markdown
Collaborator

erikvarga commented Oct 15, 2025

There seems to be a problem with the TestExtractMaliciousOVA test internally as well - it outputs "Extract succeeded, want error for parent path entry" I see the tests in GA succeeded though. I'll have to investigate this further.

Weird. Can you provide logs !? I'd appreciate it.

Not much to see from the test logs I'm afraid:

=== RUN   TestFileRequired
=== RUN   TestFileRequired/testdata/valid.ova
=== RUN   TestFileRequired/testdata/VALID.OVA
=== RUN   TestFileRequired/testdata/invalid.ova
=== RUN   TestFileRequired/testdata/document.txt
=== RUN   TestFileRequired/testdata/noextension
--- PASS: TestFileRequired (0.00s)
    --- PASS: TestFileRequired/testdata/valid.ova (0.00s)
    --- PASS: TestFileRequired/testdata/VALID.OVA (0.00s)
    --- PASS: TestFileRequired/testdata/invalid.ova (0.00s)
    --- PASS: TestFileRequired/testdata/document.txt (0.00s)
    --- PASS: TestFileRequired/testdata/noextension (0.00s)
=== RUN   TestExtractValidOVA
=== RUN   TestExtractValidOVA/OVAImage_0
    third_party/scalibr/extractor/filesystem/embeddedfs/ova/ova_test.go:88: ReadDir(/) returned 1 entries
    third_party/scalibr/extractor/filesystem/embeddedfs/ova/ova_test.go:115: Read 5 bytes from valid.ovf
--- PASS: TestExtractValidOVA (0.00s)
    --- PASS: TestExtractValidOVA/OVAImage_0 (0.00s)
=== RUN   TestExtractMaliciousOVA
    third_party/scalibr/extractor/filesystem/embeddedfs/ova/ova_test.go:172: Extract succeeded, want error for parent path entry
--- FAIL: TestExtractMaliciousOVA (0.00s)
=== RUN   TestExtractInvalidOVA
--- PASS: TestExtractInvalidOVA (0.00s)
=== RUN   TestExtractNonExistentOVA
--- PASS: TestExtractNonExistentOVA (0.00s)
FAIL

It's likely an issue in our internal setup so I'll investigate and hopefully fix it today.

@erikvarga
Copy link
Copy Markdown
Collaborator

erikvarga commented Oct 15, 2025

It was indeed an internal setup related issue that we've now fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@erikvarga erikvarga erikvarga approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

PRP: Extractor for Open Virtualization Appliance (.ova) Files

3 participants

@0xXA @erikvarga @github-advanced-security