Merge pull request #1077 from GitGuardian/salomevoltz/scrt-5449-make-ggshield-able-to-scan-jar-files

feat(cmd_archive): Add support for .jar files

Author: salome-voltz

changelog.d/20250401_155000_salome.voltz_scrt_5449_make_ggshield_able_to_scan_jar_files.md

@@ -0,0 +1,41 @@
+<!--
+A new scriv changelog fragment.
+
+Uncomment the section that is right (remove the HTML comment wrapper).
+-->
+
+<!--
+### Removed
+
+- A bullet item for the Removed category.
+
+-->
+
+### Added
+
+- ggshield can now scan .jar files using `ggshield secret scan archive`
+
+<!--
+### Changed
+
+- A bullet item for the Changed category.
+
+-->
+<!--
+### Deprecated
+
+- A bullet item for the Deprecated category.
+
+-->
+<!--
+### Fixed
+
+- A bullet item for the Fixed category.
+
+-->
+<!--
+### Security
+
+- A bullet item for the Security category.
+
+-->

ggshield/cmd/secret/scan/archive.py

@@ -34,7 +34,7 @@ def archive_cmd(
     **kwargs: Any,
 ) -> int:  # pragma: no cover
     """
-    Scan an archive file. Supported archive formats are zip, tar, tar.gz, tar.bz2 and tar.xz.
+    Scan an archive file. Supported archive formats are zip, whl, jar, tar, tar.gz, tar.bz2 and tar.xz.
     """
     with tempfile.TemporaryDirectory(suffix="ggshield") as temp_dir:
         temp_path = Path(temp_dir)

ggshield/utils/archive.py

@@ -46,7 +46,7 @@ def safe_unpack(archive: Path, extract_dir: Path) -> None:
     check_archive_content(archive)
 
     # unpack_archive does not know .whl files are zip files
-    archive_format = "zip" if archive.suffix == ".whl" else None
+    archive_format = "zip" if archive.suffix in {".whl", ".jar"} else None
 
     shutil.unpack_archive(archive, extract_dir, format=archive_format)
 
@@ -55,7 +55,7 @@ def check_archive_content(archive: Path) -> None:
     """
     Check `archive` safety, raise `UnsafeArchive` if it is unsafe.
     """
-    if archive.suffix in {".zip", ".whl"}:
+    if archive.suffix in {".zip", ".whl", ".jar"}:
         _check_zip_content(archive)
     else:
         _check_tar_content(archive)

tests/unit/data/archives/bad.jar

@@ -20,12 +20,14 @@ set -euo pipefail
 cd "$(dirname "$0")"
 BAD_ZIP=$PWD/bad.zip
 BAD_TAR=$PWD/bad.tar
+BAD_JAR=$PWD/bad.jar
 
 GOOD_ZIP=$PWD/good.zip
 GOOD_WHL=$PWD/good.whl
 GOOD_TAR=$PWD/good.tar
+GOOD_JAR=$PWD/good.jar
 
-rm -f "$BAD_ZIP" "$BAD_TAR" "$GOOD_ZIP" "$GOOD_TAR" "$GOOD_WHL"
+rm -f "$BAD_ZIP" "$BAD_TAR" "$BAD_JAR" "$GOOD_ZIP" "$GOOD_TAR" "$GOOD_WHL" "$GOOD_JAR"
 
 rm -rf work
 mkdir -p work/archive-root
@@ -52,6 +54,11 @@ mkdir -p work/archive-root/subdir
     ZIP_CMD="7z a"
     7z a -spf -snl "$BAD_ZIP" ../bad-relative /tmp/bad-absolute . > /dev/null
     7z a "$GOOD_ZIP" fine subdir/fine-symlink > /dev/null
+    
+    # A .jar is a .zip with a different extension
+
+    cp "$BAD_ZIP" "$BAD_JAR"
+    cp "$GOOD_ZIP" "$GOOD_JAR"
 
     # A .whl is a .zip with a different extension
     cp "$GOOD_ZIP" "$GOOD_WHL"
@@ -65,6 +72,8 @@ rm -rf work
 echo "Generated:
 $BAD_ZIP
 $BAD_TAR
+$BAD_JAR
 $GOOD_ZIP
 $GOOD_WHL
-$GOOD_TAR"
+$GOOD_TAR
+$GOOD_JAR"