From 89e4f266963f20ebf7eb961e4f6a4ecca2de115c Mon Sep 17 00:00:00 2001
From: Alex Guidi
Date: Thu, 2 Oct 2025 19:27:33 +0200
Subject: [PATCH 1/2] OCPBUGS-55489: removes unintended exec permissions

Some files created by oc-mirror had unintended exec permissions and also during the archive the exec permission was being added on some files, changing in this way the original permissions of the files.

Signed-off-by: Alex Guidi
---
 v2/internal/pkg/archive/unarchive.go | 2 +-
 v2/internal/pkg/delete/delete_images.go | 4 ++--
 v2/internal/pkg/imagebuilder/catalog_builder.go | 5 +++--
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/v2/internal/pkg/archive/unarchive.go b/v2/internal/pkg/archive/unarchive.go
index f4f74e52df..edf142fba0 100644
--- a/v2/internal/pkg/archive/unarchive.go
+++ b/v2/internal/pkg/archive/unarchive.go
@@ -178,7 +178,7 @@ func createFileWithProgress(parentDir string, header *tar.Header, reader *tar.Re
 }
 proxyReader := bar.ProxyReader(reader)
 defer proxyReader.Close()
- return writeFile(descriptor, proxyReader, header.FileInfo().Mode()|0755)
+ return writeFile(descriptor, proxyReader, header.FileInfo().Mode())
 }
 
 func writeFile(filePath string, reader io.Reader, perm os.FileMode) error {
diff --git a/v2/internal/pkg/delete/delete_images.go b/v2/internal/pkg/delete/delete_images.go
index f3dd93ce84..0eb87c54a7 100644
--- a/v2/internal/pkg/delete/delete_images.go
+++ b/v2/internal/pkg/delete/delete_images.go
@@ -75,7 +75,7 @@ func (o DeleteImages) WriteDeleteMetaData(ctx context.Context, images []v2alpha1
 if err != nil {
 o.Log.Error(deleteImagesErrMsg, err)
 }
- err = os.WriteFile(filename, ymlData, 0755)
+ err = os.WriteFile(filename, ymlData, 0644)
 if err != nil {
 o.Log.Error(deleteImagesErrMsg, err)
 }
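Review bot: In `createFileWithProgress` the mode handed to `writeFile` is now the tar header's mode verbatim, and `header.FileInfo().Mode()` carries the setuid, setgid and sticky bits as well as the permission bits, so an archive entry can still dictate those on the extracted file. Passing only the permission bits, `return writeFile(descriptor, proxyReader, header.FileInfo().Mode().Perm())`, keeps the original rwx bits this commit wants to preserve while dropping the special ones. With the `|0755` floor gone, an entry recorded without owner read/write is also created that way, which may matter if oc-mirror reopens the file later. The start of this function and the body of `writeFile` are outside the hunk, so confirm how `perm` is applied there.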
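Review bot: `os.WriteFile` applies its permission argument only when it creates the file, so on the `filename` write here a metadata file left at 0755 by an earlier oc-mirror run keeps its exec bits after this change. If the intent is that these files never carry exec permission, follow the write with `os.Chmod(filename, 0644)` and handle its error, or add a comment stating that only newly created files are affected. The same applies to the `discYamlFile` write in the next hunk and to the `digest` write in catalog_builder.go. `WriteDeleteMetaData` begins and ends outside the hunk.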
@@ -98,7 +98,7 @@ func (o DeleteImages) WriteDeleteMetaData(ctx context.Context, images []v2alpha1
 if err != nil {
 o.Log.Error("%v ", err)
 }
- err = os.WriteFile(discYamlFile, discYamlData, 0755)
+ err = os.WriteFile(discYamlFile, discYamlData, 0644)
 if err != nil {
 o.Log.Error(deleteImagesErrMsg, err)
 }
diff --git a/v2/internal/pkg/imagebuilder/catalog_builder.go b/v2/internal/pkg/imagebuilder/catalog_builder.go
index 5459e7cb78..3895a61717 100644
--- a/v2/internal/pkg/imagebuilder/catalog_builder.go
+++ b/v2/internal/pkg/imagebuilder/catalog_builder.go
@@ -15,11 +15,12 @@ import (
 v1 "github.com/google/go-containerregistry/pkg/v1"
 "github.com/google/go-containerregistry/pkg/v1/layout"
 "github.com/google/go-containerregistry/pkg/v1/tarball"
+ "github.com/otiai10/copy"
+
 "github.com/openshift/oc-mirror/v2/internal/pkg/api/v2alpha1"
 "github.com/openshift/oc-mirror/v2/internal/pkg/image"
 "github.com/openshift/oc-mirror/v2/internal/pkg/log"
 "github.com/openshift/oc-mirror/v2/internal/pkg/mirror"
- "github.com/otiai10/copy"
 )
 
 const (
@@ -125,7 +126,7 @@ func (c GCRCatalogBuilder) RebuildCatalog(ctx context.Context, catalogCopyRef v2
 if err != nil {
 return fmt.Errorf("error building catalog %s : %v", catalogCopyRef.Origin, err)
 }
- err = os.WriteFile(filepath.Join(filteredDir, "digest"), []byte(digest), 0755)
+ err = os.WriteFile(filepath.Join(filteredDir, "digest"), []byte(digest), 0644)
 if err != nil {
 return err
 }

From 5d4493a418377dac8f51dc516acb48e12c365e2f Mon Sep 17 00:00:00 2001
From: Alex Guidi
Date: Fri, 3 Oct 2025 21:49:01 +0200
Subject: [PATCH 2/2] ignoring gosec for files which requires read perm

Signed-off-by: Alex Guidi
---
 v2/internal/pkg/delete/delete_images.go | 4 ++--
 v2/internal/pkg/imagebuilder/catalog_builder.go | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/v2/internal/pkg/delete/delete_images.go b/v2/internal/pkg/delete/delete_images.go
index 0eb87c54a7..7f5af4e448 100644
--- a/v2/internal/pkg/delete/delete_images.go
+++ b/v2/internal/pkg/delete/delete_images.go
@@ -75,7 +75,7 @@ func (o DeleteImages) WriteDeleteMetaData(ctx context.Context, images []v2alpha1
 if err != nil {
 o.Log.Error(deleteImagesErrMsg, err)
 }
- err = os.WriteFile(filename, ymlData, 0644)
+ err = os.WriteFile(filename, ymlData, 0644) //nolint:gosec
 if err != nil {
 o.Log.Error(deleteImagesErrMsg, err)
 }
@@ -98,7 +98,7 @@ func (o DeleteImages) WriteDeleteMetaData(ctx context.Context, images []v2alpha1
 if err != nil {
 o.Log.Error("%v ", err)
 }
- err = os.WriteFile(discYamlFile, discYamlData, 0644)
+ err = os.WriteFile(discYamlFile, discYamlData, 0644) //nolint:gosec
 if err != nil {
 o.Log.Error(deleteImagesErrMsg, err)
 }
diff --git a/v2/internal/pkg/imagebuilder/catalog_builder.go b/v2/internal/pkg/imagebuilder/catalog_builder.go
index 3895a61717..d699decd45 100644
--- a/v2/internal/pkg/imagebuilder/catalog_builder.go
+++ b/v2/internal/pkg/imagebuilder/catalog_builder.go
@@ -126,7 +126,7 @@ func (c GCRCatalogBuilder) RebuildCatalog(ctx context.Context, catalogCopyRef v2
 if err != nil {
 return fmt.Errorf("error building catalog %s : %v", catalogCopyRef.Origin, err)
 }
- err = os.WriteFile(filepath.Join(filteredDir, "digest"), []byte(digest), 0644)
+ err = os.WriteFile(filepath.Join(filteredDir, "digest"), []byte(digest), 0644) //nolint:gosec
 if err != nil {
 return err
 }
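Review bot: The `//nolint:gosec` added to the `os.WriteFile(filename, ymlData, 0644)` line names neither the rule nor the reason, so it silences every gosec finding on that line and a later reader cannot tell why 0644 was accepted. Assuming the finding is G306 (WriteFile permissions above 0600), scope and justify the suppression, e.g. `//nolint:gosec // G306: delete metadata must be readable by other users`. The same bare directive is added on the `discYamlFile` write in the next hunk and on the `digest` write in catalog_builder.go. If any of these files does not need group/other read access, writing it with 0600 would remove the need for the suppression. The enclosing functions extend beyond these hunks.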