.pre-commit-config.yaml

@@ -80,7 +80,7 @@ repos:
         stages: [pre-push]
 
   - repo: https://github.com/gitguardian/ggshield
-    rev: v1.37.0
+    rev: v1.38.0
     hooks:
       - id: ggshield
         language_version: python3

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+<a id='changelog-1.38.1'></a>
+
+## 1.38.1 — 2025-04-02
+
+### Added
+
+- ggshield can now scan .jar files using `ggshield secret scan archive`.
+
 <a id='changelog-1.38.0'></a>
 
 ## 1.38.0 — 2025-03-27

actions/secret/action.yml

@@ -16,7 +16,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://gitguardian/ggshield:v1.38.0'
+  image: 'docker://gitguardian/ggshield:v1.38.1'
   entrypoint: '/app/docker/actions-secret-entrypoint.sh'
   args:
     - ${{ inputs.args }}

ggshield/__init__.py

@@ -1 +1 @@
-__version__ = "1.38.0"
+__version__ = "1.38.1"

ggshield/cmd/secret/scan/archive.py

@@ -34,7 +34,7 @@ def archive_cmd(
     **kwargs: Any,
 ) -> int:  # pragma: no cover
     """
-    Scan an archive file. Supported archive formats are zip, tar, tar.gz, tar.bz2 and tar.xz.
+    Scan an archive file. Supported archive formats are zip, whl, jar, tar, tar.gz, tar.bz2 and tar.xz.
     """
     with tempfile.TemporaryDirectory(suffix="ggshield") as temp_dir:
         temp_path = Path(temp_dir)

ggshield/utils/archive.py

@@ -46,7 +46,7 @@ def safe_unpack(archive: Path, extract_dir: Path) -> None:
     check_archive_content(archive)
 
     # unpack_archive does not know .whl files are zip files
-    archive_format = "zip" if archive.suffix == ".whl" else None
+    archive_format = "zip" if archive.suffix in {".whl", ".jar"} else None
 
     shutil.unpack_archive(archive, extract_dir, format=archive_format)
 
@@ -55,7 +55,7 @@ def check_archive_content(archive: Path) -> None:
     """
     Check `archive` safety, raise `UnsafeArchive` if it is unsafe.
     """
-    if archive.suffix in {".zip", ".whl"}:
+    if archive.suffix in {".zip", ".whl", ".jar"}:
         _check_zip_content(archive)
     else:
         _check_tar_content(archive)

tests/unit/data/archives/generate-archives

@@ -20,12 +20,14 @@ set -euo pipefail
 cd "$(dirname "$0")"
 BAD_ZIP=$PWD/bad.zip
 BAD_TAR=$PWD/bad.tar
+BAD_JAR=$PWD/bad.jar
 
 GOOD_ZIP=$PWD/good.zip
 GOOD_WHL=$PWD/good.whl
 GOOD_TAR=$PWD/good.tar
+GOOD_JAR=$PWD/good.jar
 
-rm -f "$BAD_ZIP" "$BAD_TAR" "$GOOD_ZIP" "$GOOD_TAR" "$GOOD_WHL"
+rm -f "$BAD_ZIP" "$BAD_TAR" "$BAD_JAR" "$GOOD_ZIP" "$GOOD_TAR" "$GOOD_WHL" "$GOOD_JAR"
 
 rm -rf work
 mkdir -p work/archive-root
@@ -52,6 +54,11 @@ mkdir -p work/archive-root/subdir
     ZIP_CMD="7z a"
     7z a -spf -snl "$BAD_ZIP" ../bad-relative /tmp/bad-absolute . > /dev/null
     7z a "$GOOD_ZIP" fine subdir/fine-symlink > /dev/null
+
+    # A .jar is a .zip with a different extension
+
+    cp "$BAD_ZIP" "$BAD_JAR"
+    cp "$GOOD_ZIP" "$GOOD_JAR"
 
     # A .whl is a .zip with a different extension
     cp "$GOOD_ZIP" "$GOOD_WHL"
@@ -65,6 +72,8 @@ rm -rf work
 echo "Generated:
 $BAD_ZIP
 $BAD_TAR
+$BAD_JAR
 $GOOD_ZIP
 $GOOD_WHL
-$GOOD_TAR"
+$GOOD_TAR
+$GOOD_JAR"

tests/unit/utils/test_archive.py

@@ -16,12 +16,14 @@
 ARCHIVES_PATH = DATA_PATH / "archives"
 BAD_ZIP_PATH = ARCHIVES_PATH / "bad.zip"
 BAD_TAR_PATH = ARCHIVES_PATH / "bad.tar"
+BAD_JAR_PATH = ARCHIVES_PATH / "bad.jar"
 GOOD_ZIP_PATH = ARCHIVES_PATH / "good.zip"
 GOOD_WHL_PATH = ARCHIVES_PATH / "good.whl"
 GOOD_TAR_PATH = ARCHIVES_PATH / "good.tar"
+GOOD_JAR_PATH = ARCHIVES_PATH / "good.jar"
 
 """
-Both bad.zip and bad.tar have the same content:
+Both bad.zip, bad.tar, and bad.jar have the same content:
 
 ./
 ./fine
@@ -34,7 +36,7 @@
 """
 
 
-@pytest.mark.parametrize("archive", [BAD_ZIP_PATH, BAD_TAR_PATH])
+@pytest.mark.parametrize("archive", [BAD_ZIP_PATH, BAD_TAR_PATH, BAD_JAR_PATH])
 def test_check_archive_content_raises_exception(archive: Path):
     """
     GIVEN a bad archive
@@ -62,7 +64,9 @@ def test_check_archive_content_raises_exception(archive: Path):
     assert "bad-absolute-symlink" in message
 
 
-@pytest.mark.parametrize("archive", [GOOD_ZIP_PATH, GOOD_WHL_PATH, GOOD_TAR_PATH])
+@pytest.mark.parametrize(
+    "archive", [GOOD_ZIP_PATH, GOOD_WHL_PATH, GOOD_TAR_PATH, GOOD_JAR_PATH]
+)
 def test_check_safe_unpack(tmp_path: Path, archive: Path):
     """
     GIVEN a good archive