# REPRO-2026-00152: apko: symlink-following path traversal writes files outside the build root

## Summary
Status: published
Severity: high
Type: security
Confidence: Unknown

## Identifiers
REPRO ID: REPRO-2026-00152
GHSA: GHSA-qq3r-w4hj-gjp6
CVE: CVE-2026-42574

## Package
Name: apko
Ecosystem: go
Affected: >= 0.14.8, < 1.2.5
Fixed: 1.2.5

## Root Cause
# Root Cause Analysis: CVE-2026-42574

## Summary

CVE-2026-42574 is a path-traversal vulnerability in `chainguard.dev/apko` caused by the `dirFS` implementation following attacker-controlled symlinks during filesystem operations. A crafted `.apk` package can plant a symlink inside the build root whose target points outside the intended directory; a subsequent tar entry whose path resolves through that symlink causes file writes or directory creations to land outside the build root, allowing arbitrary filesystem modification during package installation.

## Impact

- **Package/component affected**: `chainguard.dev/apko/pkg/apk/fs` (`dirFS`)
- **Affected versions**: `0.14.8` through `< 1.2.5`
- **Fixed versions**: `1.2.5`
- **Risk level**: High (CVSS 7.5)
- **Consequences**: An attacker who controls the contents of an `.apk` package processed by apko can write files or create directories anywhere on the host filesystem reachable by the apko process, leading to arbitrary code execution, information disclosure, or container image poisoning.

## Root Cause

The vulnerable `dirFS` type (`pkg/apk/fs/rwosfs.go`) implements a directory-backed filesystem by joining caller-supplied paths with a base directory. Before the fix, `sanitizePath` used `filepath.Clean(filepath.Join(f.base, clean))` to validate paths. This check is purely lexical — it ensures the cleaned path remains under `f.base` but does **not** prevent the operating system from resolving symlinks when `os.WriteFile`, `os.MkdirAll`, or `os.OpenFile` is later called with the validated path.

Because `os.WriteFile("base/evil/pwned", ...)` follows the symlink `base/evil -> ../outside`, the write lands at `outside/pwned` even though `sanitizePath` permitted `"evil/pwned"` as in-bounds. The same issue affects `MkdirAll`, `OpenFile`, `Chmod`, `Chown`, and other `dirFS` methods.

The fix commit `f5a96e1299ac81c7ea9441705ec467688086f442` replaces `sanitizePath` and raw `os.*` calls with `os.Root`, which sandboxes every filesystem operation so that symlink traversal outside the root directory is rejected by the Go standard library at the syscall level.

## Reproduction Steps

The reproduction is fully automated by `repro/reproduction_steps.sh`.

What the script does:
1. Writes a self-contained Go program (`repro/main.go`) that imports `chainguard.dev/apko/pkg/apk/fs`.
2. The program creates a temporary sandbox with a `base` directory and an `outside` directory.
3. It initializes `apkfs.DirFS` on `base`, plants a symlink `evil -> ../outside`, and calls `fsys.WriteFile("evil/pwned", []byte("malicious-content"), 0644)`.
4. The program writes a JSON report capturing whether the file was created outside the base directory and what error (if any) was returned.
5. The script compiles and runs the program against the vulnerable module version `v1.2.4` and the fixed version `v1.2.5`.
6. It compares the JSON reports: on the vulnerable build the outside file exists with attacker-controlled content; on the fixed build the write is blocked and the outside file is absent.

Expected evidence:
- **Vulnerable (`v1.2.4`)**: `report.file_exists == true`, `report.file_content == "malicious-content"`. The `write_error` field shows `"file does not exist"` (the memFS overlay fails, but the on-disk write through the symlink already succeeded).
- **Fixed (`v1.2.5`)**: `report.file_exists == false`, `write_error` shows `"openat evil/pwned: path escapes from parent"` (blocked by `os.Root`).

## Evidence

- `repro/runtime_manifest.json` — contains the full JSON reports from both runs, including concrete sandbox paths, file contents, and error messages.
- `logs/vuln_report.json` — detailed report from the vulnerable run.
- `logs/fix_report.json` — detailed report from the fixed run.

Key excerpts from `runtime_manifest.json`:

```json
{
  "vulnerable_report": {
    "outside_file": "/tmp/apko-repro-310748142/outside/pwned",
    "write_error": "file does not exist",
    "file_exists": true,
    "file_content": "malicious-content"
  },
  "fixed_report": {
    "outside_file": "/tmp/apko-repro-3615258946/outside/pwned",
    "write_error": "openat evil/pwned: path escapes from parent",
    "file_exists": false
  }
}
```

Environment: Go 1.24.7 (linux/amd64), `chainguard.dev/apko` fetched from the Go module proxy.

## Recommendations / Next Steps

- **Fix approach**: Adopt `os.Root` (Go 1.25+) for all filesystem operations scoped to a directory, as done in commit `f5a96e1299ac81c7ea9441705ec467688086f442`. `os.Root` prevents both direct `..` traversal and symlink-following escapes without requiring manual path resolution.
- **Upgrade guidance**: Upgrade `chainguard.dev/apko` to `v1.2.5` or later.
- **Testing recommendations**: Add fuzz-style tests that plant symlinks with absolute, relative (`../outside`), and chained targets, then attempt `WriteFile`, `MkdirAll`, `OpenFile(O_CREATE)`, `Link`, and `Mknod` through them. Ensure all attempts are rejected and no files appear outside the root.

## Additional Notes

- **Idempotency**: `repro/reproduction_steps.sh` was executed twice consecutively with identical results.
- **Edge cases**: The reproduction exercises the `WriteFile` path, which is the simplest demonstration of the `dirFS` symlink-follow vulnerability. The same root cause affects `MkdirAll`, `OpenFile`, `Chmod`, `Chown`, and `Mknod`. The fix commit added explicit tests for all of these variants.
- **Limitations**: The reproduction uses the public `apkfs.DirFS` API directly rather than the full `apko build` CLI workflow, because the CLI requires a signed APK repository, index, and YAML configuration. The `dirFS` layer is the shared component used by the package-install path, so a direct `dirFS` reproduction is the most reliable and minimal demonstration of the bug.


## Reproduction Details
Reproduced: 2026-05-22T18:30:25.601Z
Duration: 1224 seconds
Tool calls: 236
Turns: 168
Handoffs: 3


## Quick Verification
Run one of these commands to verify locally:

    pruva-verify REPRO-2026-00152
    pruva-verify GHSA-qq3r-w4hj-gjp6
    pruva-verify CVE-2026-42574

Or open in GitHub Codespaces (zero-friction, auto-runs):

    https://github.com/codespaces/new?ref=repro/REPRO-2026-00152&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

    curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00152/artifacts/repro/reproduction_steps.sh
    chmod +x reproduction_steps.sh
    ./reproduction_steps.sh

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.

## References
- GitHub Advisory: https://github.com/advisories/GHSA-qq3r-w4hj-gjp6
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42574
- Source: https://github.com/chainguard-dev/apko

## Artifacts
- repro/rca_report.md (analysis, 5796 bytes)
- repro/reproduction_steps.sh (reproduction_script, 3590 bytes)
- vuln_variant/rca_report.md (analysis, 7935 bytes)
- vuln_variant/reproduction_steps.sh (reproduction_script, 6458 bytes)
- bundle/context.json (other, 2987 bytes)
- bundle/metadata.json (other, 666 bytes)
- bundle/ticket.md (ticket, 3473 bytes)
- repro/go.mod (other, 592 bytes)
- repro/main.go (other, 1845 bytes)
- repro/runtime_manifest.json (other, 723 bytes)
- repro/validation_verdict.json (other, 1686 bytes)
- repro/go.sum (other, 4182 bytes)
- vuln_variant/root_cause_equivalence.json (other, 2079 bytes)
- vuln_variant/patch_analysis.md (documentation, 5972 bytes)
- vuln_variant/variant_manifest.json (other, 2764 bytes)
- vuln_variant/runtime_manifest.json (other, 1694 bytes)
- vuln_variant/validation_verdict.json (other, 2807 bytes)
- vuln_variant/source_identity.json (other, 652 bytes)
- vuln_variant/test_env/go.mod (other, 689 bytes)
- vuln_variant/test_env/apko_v1.2.4/go.mod (other, 6613 bytes)
- vuln_variant/test_env/apko_v1.2.4/NEWS.md (documentation, 10167 bytes)
- vuln_variant/test_env/apko_v1.2.4/release.md (documentation, 2744 bytes)
- vuln_variant/test_env/apko_v1.2.4/hack/update-golden.sh (other, 506 bytes)
- vuln_variant/test_env/apko_v1.2.4/hack/ci/01-publish.sh (other, 944 bytes)
- vuln_variant/test_env/apko_v1.2.4/hack/ci/00-build.sh (other, 600 bytes)
- vuln_variant/test_env/apko_v1.2.4/hack/update-packages.sh (other, 953 bytes)
- vuln_variant/test_env/apko_v1.2.4/hack/test-certificates.sh (other, 3527 bytes)
- vuln_variant/test_env/apko_v1.2.4/hack/make-devenv.sh (other, 1988 bytes)
- vuln_variant/test_env/apko_v1.2.4/hack/ci-tests.sh (other, 420 bytes)
- vuln_variant/test_env/apko_v1.2.4/hack/run-devenv.sh (other, 409 bytes)
- vuln_variant/test_env/apko_v1.2.4/config/task.yaml (other, 1895 bytes)
- vuln_variant/test_env/apko_v1.2.4/Makefile (other, 4838 bytes)
- vuln_variant/test_env/apko_v1.2.4/apk.md (documentation, 304 bytes)
- vuln_variant/test_env/apko_v1.2.4/.github/dependabot.yml (other, 250 bytes)
- vuln_variant/test_env/apko_v1.2.4/.github/workflows/examples-test.yaml (other, 4417 bytes)
- vuln_variant/test_env/apko_v1.2.4/.github/workflows/release.yaml (other, 4816 bytes)
- vuln_variant/test_env/apko_v1.2.4/.github/workflows/codeql.yaml (other, 2450 bytes)
- vuln_variant/test_env/apko_v1.2.4/.github/workflows/zizmor.yaml (other, 1185 bytes)
- vuln_variant/test_env/apko_v1.2.4/.github/workflows/build.yaml (other, 2187 bytes)
- vuln_variant/test_env/apko_v1.2.4/.github/workflows/build-samples.yml (other, 14790 bytes)
- vuln_variant/test_env/apko_v1.2.4/.github/workflows/verify.yaml (other, 1460 bytes)
- vuln_variant/test_env/apko_v1.2.4/.github/workflows/go-tests.yaml (other, 1281 bytes)
- vuln_variant/test_env/apko_v1.2.4/.github/workflows/actionlint.yaml (other, 1489 bytes)
- vuln_variant/test_env/apko_v1.2.4/README.md (documentation, 4967 bytes)
- vuln_variant/test_env/apko_v1.2.4/main.go (other, 1044 bytes)
- vuln_variant/test_env/apko_v1.2.4/LICENSE (other, 11357 bytes)
- vuln_variant/test_env/apko_v1.2.4/.gitignore (other, 357 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/wolfi-go.yaml (other, 291 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/include.yaml (other, 35 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/apko-devenv.yaml (other, 1067 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/options.yaml (other, 247 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/alpine-base-rootless.yaml (other, 397 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/package-certificates.yaml (other, 464 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/on_top_of_base/README.md (documentation, 776 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/on_top_of_base/build.sh (other, 1276 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/on_top_of_base/base_image.yaml (other, 390 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/certificates.yaml (other, 3785 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/alias-only.yaml (other, 130 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/alpine-amd64.yaml (other, 146 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/alpine-python3.yaml (other, 280 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/nginx.yaml (other, 904 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/alpine-base.yaml (other, 278 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/overlay.yaml (other, 69 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/abseil-regression.yaml (other, 222 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/alpine-slim.yaml (other, 307 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/nginx-rootless.yaml (other, 804 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/wolfi-base.yaml (other, 204 bytes)
- vuln_variant/test_env/apko_v1.2.4/examples/old-glibc.yaml (other, 405 bytes)
- vuln_variant/test_env/apko_v1.2.4/.editorconfig (other, 184 bytes)
- vuln_variant/test_env/apko_v1.2.4/go.sum (other, 35566 bytes)
- vuln_variant/test_env/apko_v1.2.4/.ko.yaml (other, 784 bytes)
- vuln_variant/test_env/apko_v1.2.4/header.tmpl (other, 565 bytes)
- vuln_variant/test_env/apko_v1.2.4/.goreleaser.yaml (other, 974 bytes)
- vuln_variant/test_env/apko_v1.2.4/docs/build-process.md (documentation, 4243 bytes)
- vuln_variant/test_env/apko_v1.2.4/docs/layering.md (documentation, 25231 bytes)
- vuln_variant/test_env/apko_v1.2.4/docs/apko_file.md (documentation, 8644 bytes)
- vuln_variant/test_env/apko_v1.2.4/docs/sbom-composition.md (documentation, 7185 bytes)
- vuln_variant/test_env/apko_v1.2.4/docs/busybox.md (documentation, 1613 bytes)
- vuln_variant/test_env/apko_v1.2.4/docs/faq.md (documentation, 1087 bytes)
- vuln_variant/test_env/apko_v1.2.4/.chainguard/source.yaml (other, 406 bytes)
- vuln_variant/test_env/apko_v1.2.4/CODE_OF_CONDUCT.md (documentation, 5224 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/gen-jsonschema/main.go (other, 828 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/gen-jsonschema/generate.go (other, 667 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/ldsocache_test.go (other, 5653 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/README.md (documentation, 65 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/LICENSE (other, 11357 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/.gitignore (other, 264 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/testdata/ld.so.conf.d/b.conf (other, 8 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/testdata/ld.so.conf.d/a.conf (other, 8 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/testdata/ld.so.conf.glob (other, 28 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/testdata/ld.so.cache (other, 3103 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/testdata/ld.so.conf.simple (other, 5 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/testdata/libroot/etc/ld.so.conf.d/sdk-v1.conf (other, 22 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/testdata/libroot/etc/ld.so.conf.d/sdk-v2.conf (other, 22 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/testdata/libroot/etc/ld.so.conf.d/libc.conf (other, 64 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/testdata/libroot/etc/ld.so.conf (other, 34 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/testdata/libroot/usr/lib/libfoo.so.1 (other, 39 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/testdata/libroot/usr/local/sdk-v2/lib/libsdk.so.1.3.1 (other, 39 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/testdata/libroot/usr/local/lib64/.emptydir (other, 0 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/testdata/libroot/usr/local/sdk-v1/lib/libsdk.so.1.2.3 (other, 39 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/ldso-cache/ldsocache.go (other, 16016 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/install-keys.go (other, 1134 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/lock.go (other, 12676 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/commands.go (other, 2482 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/show-config.go (other, 2949 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/build-cpio.go (other, 3786 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/lock_test.go (other, 3317 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/build-minirootfs.go (other, 3699 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/flags.go (other, 1741 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/options.go (other, 481 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/clean.go (other, 3802 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/publish.go (other, 9655 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/build.go (other, 13181 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/show-packages.go (other, 7100 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/build_test.go (other, 4794 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/publish_test.go (other, 7489 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/dot.go (other, 17471 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/apko-discover.yaml (other, 278 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image/metadata/aarch64/APKINDEX (other, 1259 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image/metadata/x86_64/APKINDEX (other, 1256 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image/oci-layout (other, 37 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image/sboms/sbom-aarch64.spdx.json (other, 5533 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image/sboms/sbom-index.spdx.json (other, 4225 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image/sboms/sbom-x86_64.spdx.json (other, 5531 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image/blobs/sha256/583625b6164fff3b017f62b9fcd60cb53fff18a7e89ee538212134a13fc29fb1 (other, 4123 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image/blobs/sha256/bf74ddaf55d32ec9672a0a40efc6cb1bf0a167763c18fc22586c8a301167822f (other, 4126 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image/blobs/sha256/2ef91a9967f2e1759ea49a8c01cf6a45dd9f9af71fe09bcf2b86175bc4a71314 (other, 402 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image/blobs/sha256/5a99438a9ced8193f1d71209d0b558fdc0b184aee5cf258e5f7aa9a6ab0f0671 (other, 402 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image/blobs/sha256/65eba664f408f8a2b2cf6b190255c8b0e8cb16a85d773089ae184ac35d782464 (other, 524 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image/blobs/sha256/2580c204e7b254c8988c5cd1840cd58246afafb2479190b6cb3f448341003a5f (other, 524 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image/index.json (other, 491 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/top_image/oci-layout (other, 37 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/top_image/blobs/sha256/52a254489d2b6d123a52b293b7032cca79834ce9f0176151c52754a0c7b1d1ea (other, 785 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/top_image/blobs/sha256/3c6b4bb5b39be26700e6baff9d83a53bba4a0d994e22638d11a4c104bc9e39c9 (other, 631 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/top_image/blobs/sha256/583625b6164fff3b017f62b9fcd60cb53fff18a7e89ee538212134a13fc29fb1 (other, 4123 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/top_image/blobs/sha256/bf74ddaf55d32ec9672a0a40efc6cb1bf0a167763c18fc22586c8a301167822f (other, 4126 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/top_image/blobs/sha256/ff58773a945b386b75663553a7f451c4f6116ec6fac9c22ef41ebaf27704a566 (other, 2945 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/top_image/blobs/sha256/7bd766d91d366d79c001436814bdfd629ef6da668805945c414cb074ddb7f0ed (other, 2955 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/top_image/blobs/sha256/9743477d70b66d27d627eb7dc1a548dee98ad742b195e24545b73a1c7113aea8 (other, 631 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/top_image/blobs/sha256/e83f38a3553148f2189193b4908cce3576907dacddc14617d0e8d22370c80cce (other, 785 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/top_image/index.json (other, 565 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/packages/melange.rsa.pub (other, 800 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/packages/aarch64/replayout-1.0.0-r0.apk (other, 2955 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/packages/aarch64/pretend-baselayout-1.0.0-r0.apk (other, 2930 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/packages/aarch64/custom-ca-certs-2-1.0.0-r0.apk (other, 4549 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/packages/aarch64/APKINDEX.tar.gz (other, 1133 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/packages/aarch64/custom-ca-certs-1-1.0.0-r0.apk (other, 7001 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/packages/x86_64/replayout-1.0.0-r0.apk (other, 2961 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/packages/x86_64/pretend-baselayout-1.0.0-r0.apk (other, 2930 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/packages/x86_64/custom-ca-certs-2-1.0.0-r0.apk (other, 4548 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/packages/x86_64/APKINDEX.tar.gz (other, 1138 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/packages/x86_64/custom-ca-certs-1-1.0.0-r0.apk (other, 6998 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/base_image.apko.yaml (other, 250 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/custom-ca-certs-1.melange.yaml (other, 3734 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/golden/oci-layout (other, 37 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json (other, 7013 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/golden/sboms/sbom-index.spdx.json (other, 4218 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json (other, 7011 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/golden/blobs/sha256/7e0f9d62f6cab4785e18a55f17d03f20ffb776881f1f46258efd9458f7cdaf08 (other, 3079 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/golden/blobs/sha256/6c815259150f37d000417f9a93f41bddf74dff905c745986069d4b03e954ac1d (other, 658 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/golden/blobs/sha256/124c885f834cfaf1329987457a9651a68c4fb9733d4462ae6288b98011277858 (other, 560 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/golden/blobs/sha256/fbb854f9d5a601a36c4dc8cc82e5b21e91b11cdd4aab5035340e4f517c5a8eb1 (other, 658 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/golden/blobs/sha256/69f0237c7f8cf0b8a329d1bf1d6870c870c4ec323e39d3a6da59596632d0f2f4 (other, 560 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/golden/blobs/sha256/c7557730da0e2d7fb242d8d1ac6dcf7e3a2439732aa5981270b4f3a02454b738 (other, 3072 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/golden/index.json (other, 649 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/apko.lock.json (other, 3269 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/apko-discover.lock.json (other, 5287 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/melange.rsa.pub (other, 800 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/bar/bar.txt (other, 4 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/image_on_top.apko.yaml (other, 244 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/melange.rsa (other, 3243 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/foo/foo.txt (other, 4 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/private_packages/packages/aarch64/APKINDEX.tar.gz (other, 936 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/private_packages/packages/aarch64/package-x-1.0.0-r0.apk (other, 2261 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/private_packages/packages/aarch64/package-y-1.0.0-r0.apk (other, 2266 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/private_packages/packages/aarch64/APKINDEX.json (other, 1309 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/private_packages/packages/x86_64/APKINDEX.tar.gz (other, 935 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/private_packages/packages/x86_64/package-x-1.0.0-r0.apk (other, 2274 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/private_packages/packages/x86_64/package-y-1.0.0-r0.apk (other, 2258 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/private_packages/packages/x86_64/APKINDEX.json (other, 1307 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/private_packages/package-y.melange.yaml (other, 499 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/private_packages/private_pkg_key.rsa.pub (other, 799 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/private_packages/private_pkg_key.rsa (other, 3242 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/private_packages/package-x.melange.yaml (other, 507 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/empty-layering.yaml (other, 230 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/pretend-baselayout.melange.yaml (other, 497 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/apko-certs.yaml (other, 265 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/layering.yaml (other, 327 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/image_on_top.apko.lock.json (other, 1997 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/replayout.melange.yaml (other, 588 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/apko.yaml (other, 186 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/apko.pre-0.13.lock.json (other, 2868 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/regenerate_golden_top_image.sh (other, 474 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/testdata/custom-ca-certs-2.melange.yaml (other, 2077 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/cli/clean_test.go (other, 4211 bytes)
- vuln_variant/test_env/apko_v1.2.4/internal/tools.go (other, 758 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/options/options.go (other, 5321 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/lock/lock.go (other, 3229 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/lock/lock_test.go (other, 1151 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/cpio/layer.go (other, 2726 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/options/options_test.go (other, 1273 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/options/options.go (other, 5185 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/generator.go (other, 2040 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/spdx_test.go (other, 10093 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json (other, 3510 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/expected_image_sboms/package-deduplicating.spdx.json (other, 5168 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/expected_image_sboms/no-supplier.spdx.json (other, 2140 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/expected_image_sboms/unbound-package-dedupe.spdx.json (other, 6460 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json (other, 4254 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/expected_image_sboms/custom-license.spdx.json (other, 7018 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/apk_sboms/libattr1-2.5.1-r2.spdx.json (other, 2134 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/apk_sboms/unbound-config-1.23.0-r0.spdx.json (other, 3008 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/apk_sboms/unbound-libs-1.23.0-r0.spdx.json (other, 2994 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/apk_sboms/test-pkg-describes-1.0.0-r0.spdx.json (other, 3200 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/apk_sboms/logstash-8-compat-8.15.3-r4.spdx.json (other, 2996 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/apk_sboms/font-ubuntu-0.869-r1.spdx.json (other, 6099 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/apk_sboms/_generate.sh (other, 598 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/apk_sboms/test-pkg-both-1.0.0-r0.spdx.json (other, 2614 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/apk_sboms/logstash-8-8.15.3-r4.spdx.json (other, 2947 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/testdata/apk_sboms/unbound-1.23.0-r0.spdx.json (other, 2959 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/generator/spdx/spdx.go (other, 22900 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/sbom/sbom.go (other, 898 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/paths/paths_test.go (other, 2645 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/paths/paths.go (other, 2632 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apko/version.go (other, 1527 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/limitio/limitio.go (other, 2731 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/vcs/vcs.go (other, 4802 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/vcs/vcs_unit_test.go (other, 7292 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/types/package_test.go (other, 4178 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/types/package.go (other, 4518 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/auth/auth_test.go (other, 1598 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/auth/chainguard.go (other, 3370 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/auth/auth.go (other, 4601 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/README.md (documentation, 3721 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/fs/rwosfs_test.go (other, 17085 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/fs/apkfs_test.go (other, 3164 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/fs/apkfs.go (other, 7061 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/fs/memfs_test.go (other, 13030 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/fs/rwosfs.go (other, 20736 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/fs/doc.go (other, 1348 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/fs/sub.go (other, 3991 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/fs/memfs.go (other, 17228 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/fs/fs.go (other, 2820 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/fs/testdata/hello-2.12-r0.apk (other, 69589 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/expandapk/expandapk_test.go (other, 13432 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/expandapk/utility.go (other, 873 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/expandapk/split_test.go (other, 1040 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/expandapk/const.go (other, 80 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/expandapk/split.go (other, 3459 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/expandapk/options.go (other, 1927 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/expandapk/expandapk.go (other, 16852 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/expandapk/tarfs/tarfs.go (other, 5534 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/common_test_unix.go (other, 655 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/apkindex.go (other, 8876 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/package_getter_test.go (other, 10931 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/transport_test.go (other, 4864 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/install_test.go (other, 14760 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/const.go (other, 1382 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/repo.go (other, 37919 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/common_test_nonunix.go (other, 681 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/world.go (other, 1912 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/implementation_test.go (other, 34538 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/package_getter.go (other, 11794 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/limited_transport.go (other, 1845 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/index.go (other, 15746 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/cache_test.go (other, 2641 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/transport.go (other, 3375 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/apkindex_test.go (other, 8192 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/implementation.go (other, 38266 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/options.go (other, 4627 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/shameful_global_caches.go (other, 3344 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/installed_test.go (other, 30668 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/installed.go (other, 14649 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/arch.go (other, 846 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/install.go (other, 11796 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/package_test.go (other, 2793 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/repository_test.go (other, 774 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/releases.go (other, 2781 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/common_test.go (other, 2691 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/world_test.go (other, 1405 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/errors.go (other, 1741 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/cache.go (other, 14257 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/common.go (other, 1032 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/resolveapk.go (other, 2027 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/util.go (other, 850 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/version.go (other, 15089 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/path_traversal_test.go (other, 3749 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/executor.go (other, 788 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/version_test.go (other, 37374 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/hello-wolfi-2.12.1-r0.apk (other, 72791 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/signing/APKINDEX.tar.gz (other, 3969 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/signing/keys/chainguard-60912bbc46bfc8ed6bda0b50db3a8a5f3c4344d6bc8549ec9b84d96140b475d1.rsa.pub (other, 800 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/signing/keys/chainguard-61cb6bccd1f584b007db7be51ebce2b0530a54cc5a94e7650b570d113d537cf3.rsa.pub (other, 800 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/signing/keys/chainguard-0106f58bac88057c2ff5c2829850df492717a876ed700443550353c7ab23f5a0.rsa.pub (other, 800 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/installed/bad-top-level-perms (other, 417 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/installed/wolfi-base (other, 12129 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/installed/redis-operator-compat (other, 12426 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/alpine-316/alpine-baselayout-3.2.0-r23.apk (other, 11012 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/alpine-316/APKINDEX.tar.gz (other, 655754 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/alpine-316/alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub (other, 451 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/root/usr/lib/apk/db/installed (other, 14100 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/root/usr/lib/apk/db/scripts.tar (other, 11264 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/root/usr/lib/apk/db/triggers (other, 76 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/README.md (documentation, 1287 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/hello-0.1.0-r0.apk (other, 499 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/rsa256-signed/test-rsa256.rsa.pub (other, 800 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/rsa256-signed/rebuild.sh (other, 479 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/rsa256-signed/APKINDEX.tar.gz (other, 1047 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/APKINDEX.tar.gz (other, 806 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/replaces/replaces-0.0.1-r0.apk (other, 1477 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/replaces/melange.yaml (other, 416 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/alpine-317/alpine-baselayout-3.2.0-r23.apk (other, 11012 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/alpine-317/alpine-baselayout-3.4.0-r0.apk (other, 11012 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/alpine-317/APKINDEX.tar.gz (other, 661049 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/extracted/.SIGN.RSA.main@tainer.com-abcdef12.rsa.pub (other, 256 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/extracted/APKINDEX (other, 505 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/testdata/extracted/DESCRIPTION (other, 23 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/repo_test.go (other, 40703 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/package.go (other, 5375 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/apk/repository.go (other, 2305 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/client/client.go (other, 2088 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/signature/rsa.go (other, 2658 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/apk/docs/CACHE.md (documentation, 2372 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/s6/s6.go (other, 809 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/s6/supervision_tree.go (other, 1300 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/baseimg/base_image.go (other, 4798 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/vfs/fsmode_darwin.go (other, 718 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/vfs/fsmode_linux.go (other, 717 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/vfs/fsmode.go (other, 751 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/vfs/vfs_unit_test.go (other, 3467 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/vfs/dirfs.go (other, 1604 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/vfs/testdata/etc/motd (other, 12 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/vfs/dirfs_unit_test.go (other, 2178 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/vfs/vfs.go (other, 6618 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/passwd/passwd_test.go (other, 2518 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/passwd/doc.go (other, 721 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/passwd/group.go (other, 3669 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/passwd/passwd.go (other, 3868 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/passwd/testdata/group (other, 782 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/passwd/testdata/passwd (other, 1752 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/passwd/group_test.go (other, 2792 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/tarfs/fs_test.go (other, 4545 bytes)
- vuln_variant/test_env/apko_v1.2.4/pkg/tarfs/fs.go (other, 25362 bytes)
- vuln_variant/test_env/apko_v1.2.4/CONTRIBUTING.md (documentation, 2089 bytes)
- vuln_variant/test_env/apko_v1.2.4/.golangci.yml (other, 1199 bytes)
- vuln_variant/test_env/variant_test.go (other, 4373 bytes)
- vuln_variant/test_env/variant_main.go (other, 4540 bytes)
- vuln_variant/test_env/go.sum (other, 4025 bytes)
- logs/fix_report.json (other, 299 bytes)
- logs/vuln_variant/fixed_results.json (other, 1467 bytes)
- logs/vuln_variant/source_identity.txt (other, 113 bytes)
- logs/vuln_variant/fixed_stderr.log (log, 837 bytes)
- logs/vuln_variant/vuln_stderr.log (log, 837 bytes)
- logs/vuln_variant/vuln_results.json (other, 1231 bytes)
- logs/vuln_report.json (other, 313 bytes)

## API Access
- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00152
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00152/artifacts/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00152

## For AI Assistants
To help users with this reproduction:
1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability

---
Generated by Pruva | https://pruva.dev