Container Security Scan tar - podman path exist instead image name fix (AST-123671)

[cx-dmitri-rivin]

By submitting this pull request, you agree to the terms within the Checkmarx Code of Conduct. Please review the contributing guidelines for guidance on creating high-quality pull requests.

Description

Hi @cx-anjali-deore,

Thank you for the thorough review! I've implemented both of your refactoring suggestions:

Changes Made:

1. ✅ Created isCompressedTarFile() helper function - This function now checks for compressed tar formats (.tar.gz, .tar.bz2, .tar.xz, .tgz) and is reused in both looksLikeFilePath() and validateFilePath() methods
2. ✅ Added containerImagesFlagError constant - Declared as a constant and replaced all 15 occurrences throughout the code

PR Summary:

Impact:

• Fixes a bug where Podman users scanning tar files would get incorrect error messages stating "image does not have a tag" instead of proper file path validation
• Improves user experience by providing accurate error messages when file paths are used instead of image names
• Affects container security scans using the --container-images flag with tar file inputs

Reason for the Change:

• The existing validation logic in validateContainerImageFormat() was treating file paths (especially those with colons in Windows absolute paths like C:\path\to\file.tar) as image references
• This caused the validator to incorrectly assume users forgot to add a tag, when they were actually providing valid file paths
• The fix adds proper file path detection logic (looksLikeFilePath()) and dedicated file path validation (validateFilePath()) to distinguish between image references and file paths

Feature Flag (FF):

• No feature flag introduced - this is a bug fix that improves existing validation logic without changing the API or introducing new features

Testing:

• ✅ Tested on Windows
• ✅ Tested on OSX
• ❌ Not tested on Linux

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update

Related Issues

Link any related issues or tickets.

Checklist

• I have performed a self-review of my code
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)
• Any dependent changes have been merged and published in downstream modules
• I have updated the CLI help for new/changed functionality in this PR (if applicable)
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used

Screenshots (if applicable)

Add screenshots to help explain your changes.

Additional Notes

Add any other relevant information.

[github-actions]

Checkmarx One – Scan Summary & Details – a108d0d1-c40d-4eef-a0bd-91da5b9cf5d0

Great job! No new security vulnerabilities introduced in this pull request

[cx-anjali-deore]

@cx-dmitri-rivin , Please provide summary of the change in the PR , this will help us to review

• Impact
• Reason of the change
• FF introduced if any

[cx-umesh-waghode]

Is this actually tested on windows and linux?
Is there any documentation change needed?
Any possibility of windows network file path For ex \stoarge\images\image.tar?

Answered the questions