Creating a temporary container for the image...
Traceback (most recent call last):
File "/usr/bin/oscap-docker", line 75, in <module>
ODS = OscapDockerScan(args.scan_target, args.is_image, args.oscap_binary)
File "/usr/lib/python3/dist-packages/oscap_docker_python/oscap_docker_util.py", line 78, in __init__
self._extract_container()
~~~~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3/dist-packages/oscap_docker_python/oscap_docker_util.py", line 129, in _extract_container
tf.extractall(path=self.mountpoint)
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.14/tarfile.py", line 2430, in extractall
tarinfo, unfiltered = self._get_extract_tarinfo(
~~~~~~~~~~~~~~~~~~~~~~~~~^
member, filter_function, path)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.14/tarfile.py", line 2519, in _get_extract_tarinfo
self._handle_fatal_error(e)
~~~~~~~~~~~~~~~~~~~~~~~~^^^
File "/usr/lib/python3.14/tarfile.py", line 2517, in _get_extract_tarinfo
filtered = filter_function(unfiltered, path)
File "/usr/lib/python3.14/tarfile.py", line 859, in data_filter
new_attrs = _get_filtered_attrs(member, dest_path, True)
File "/usr/lib/python3.14/tarfile.py", line 832, in _get_filtered_attrs
raise AbsoluteLinkError(member)
tarfile.AbsoluteLinkError: 'etc/alternatives/awk' is a link to an absolute path
!!! WARNING !!! This software has crashed, so you should check that no temporary container is still running
# Installation of oscap-utils and docker.io
sudo apt install openscap-utils docker.io -y
# Run the scan
oscap-docker image ubuntu:22.04 xccdf eval --profile cis_level2_server <REDACTED>/ssg-ubuntu2204-cis-ds.xml
DeprecationWarning: Python 3.14 will, by default, filter extracted tar archives and reject files or modify their metadata. Use the filter argument to control this behavior.
tf.extractall(path=extract_dir)
Description
When running
oscap-dockerto scan container images, it fails at the extraction of the image with the following log:Reproduce
3.14(shipped inside Ubuntu)oscap-dockerinstalled viaaptCause of this issue
Since Python 3.14, the default
filterhas been changed todatainstead of the previous defaultfully_trusted. This is causing a regression. Python has warned about this in the previous versions:Affected downstream package(s)