Skip to content

Report each hardlink as its own file when scanning images#5029

Open
wagoodman wants to merge 2 commits into
mainfrom
hardlink-parity
Open

Report each hardlink as its own file when scanning images#5029
wagoodman wants to merge 2 commits into
mainfrom
hardlink-parity

Conversation

@wagoodman

@wagoodman wagoodman commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Image scans previously collapsed a set of hardlinks onto a single file, so only one path per inode showed up in results. Directory scans report every hardlink path, which made image vs dir SBOMs of the same filesystem diverge (and produce different SPDX packageVerificationCode values for packages that own hardlinked files).

Now both image resolvers (squash and all-layers) surface each hardlink at its own path as a regular file bound to the target's content, matching dir scans.

user-facing impact:

  • SBOMs for images containing hardlinks will list more file entries
  • SPDX packageVerificationCode values change for affected packages, now matching the equivalent dir: scan
  • adds file.NewVirtualLocationFromImage to the public API

Note

This does NOT address the FilesByMIMEType and other non-path based queries against the container based file resolvers. This means that though pathing/globbing will return multiple entries (for all og and hardlink types) others will only respond to regular files strictly.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Issue references

fixes #5019

wagoodman added 2 commits July 2, 2026 16:56
image scans previously collapsed a set of hardlinks onto a single file, so only
one path per inode showed up in results. dir scans report every hardlink path,
which made image vs dir SBOMs of the same filesystem diverge (and produce
different SPDX `packageVerificationCode` values for packages that own hardlinked
files).

now both image resolvers (squash and all-layers) surface each hardlink at its
own path as a regular file bound to the target's content, matching dir scans.

user-facing impact:
- SBOMs for images containing hardlinks will list more `file` entries
- SPDX `packageVerificationCode` values change for affected packages, now
  matching the equivalent `dir:` scan
- adds `file.NewVirtualLocationFromImage` to the public API

fixes #5019

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman marked this pull request as ready for review July 6, 2026 14:44
@wagoodman wagoodman requested a review from a team July 6, 2026 14:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

When scanning an image, syft only reports one file per set of hardlinks, leading to wrong SPDX packageVerificationCode

1 participant