oscap-docker unable to run with Python 3.14 #2373

@zhijie-yang

Description

When running oscap-docker to scan container images, it fails at the extraction of the image with the following log:

Creating a temporary container for the image...
Traceback (most recent call last):
  File "/usr/bin/oscap-docker", line 75, in <module>
    ODS = OscapDockerScan(args.scan_target, args.is_image, args.oscap_binary)
  File "/usr/lib/python3/dist-packages/oscap_docker_python/oscap_docker_util.py", line 78, in __init__
    self._extract_container()
    ~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/oscap_docker_python/oscap_docker_util.py", line 129, in _extract_container
    tf.extractall(path=self.mountpoint)
    ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.14/tarfile.py", line 2430, in extractall
    tarinfo, unfiltered = self._get_extract_tarinfo(
                          ~~~~~~~~~~~~~~~~~~~~~~~~~^
        member, filter_function, path)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.14/tarfile.py", line 2519, in _get_extract_tarinfo
    self._handle_fatal_error(e)
    ~~~~~~~~~~~~~~~~~~~~~~~~^^^
  File "/usr/lib/python3.14/tarfile.py", line 2517, in _get_extract_tarinfo
    filtered = filter_function(unfiltered, path)
  File "/usr/lib/python3.14/tarfile.py", line 859, in data_filter
    new_attrs = _get_filtered_attrs(member, dest_path, True)
  File "/usr/lib/python3.14/tarfile.py", line 832, in _get_filtered_attrs
    raise AbsoluteLinkError(member)
tarfile.AbsoluteLinkError: 'etc/alternatives/awk' is a link to an absolute path
!!! WARNING !!! This software has crashed, so you should check that no temporary container is still running

Reproduce

  • System: Ubuntu 26.04
  • Python version: 3.14 (shipped inside Ubuntu)
  • oscap-docker installed via apt

# Installation of oscap-utils and docker.io
sudo apt install openscap-utils docker.io -y

# Run the scan
oscap-docker image ubuntu:22.04 xccdf eval --profile cis_level2_server <REDACTED>/ssg-ubuntu2204-cis-ds.xml

Cause of this issue

Since Python 3.14, the default filter has been changed to data instead of the previous default fully_trusted. This is causing a regression. Python has warned about this in the previous versions:

DeprecationWarning: Python 3.14 will, by default, filter extracted tar archives and reject files or modify their metadata. Use the filter argument to control this behavior.
  tf.extractall(path=extract_dir)

Affected downstream package(s)
