Having an issue with XRAY lately when scanning docker images containing golang packages, with the following error snippet:
TarOpener.DeepArchiveScan) --- Caused by: total bytes limit reached with the following values
I've researched the issue, and it is caused by an Xray limit on compression ratio for indexed packages, which is in place to prevent zip bomb attacks (https://jfrog.com/help/r/xray-why-am-i-getting-a-total-bytes-limit-reached-error-when-indexing-a-package-in-xray/xray-why-am-i-getting-a-total-bytes-limit-reached-error-when-indexing-a-package-in-xray).
I've been bumping up the limit. That works for a while, but it seems like every time there is a golang update the size of the compressed file gets larger and larger.
Has anybody implemented a long term fix for this issue or have a novel idea that isn't simply setting the limit to an extreme upper end value? I've basically been having to nearly double it every time.
Golang have inserted into their packages the pax-bad-hdr-large.tar.bz2 file, which is a test for zip bomb attacks.
A value of 4600 should resolve this file's compression ratio.
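As an added example (not code from the original post, from Go, or from JFrog Xray), the script below measures how far each nested .bz2/.xz member of a tarball inflates, under a hard byte cap so the measurement itself cannot be blown up by a bomb; this lets the ratio a package actually needs be read off instead of doubling the Xray limit blindly. The sample tarball and its member name are constructed inline; gzip members are left out because zlib's decompressor uses a different bounded-output API.

```python
import bz2
import io
import lzma
import tarfile

MAX_INFLATED = 64 * 1024 * 1024   # never inflate past this many bytes
CHUNK = 1 << 20                   # output requested per decompress() call
# Decompressors that share the bounded-output streaming API (needs_input/eof).
DECOMPRESSORS = {".bz2": bz2.BZ2Decompressor, ".xz": lzma.LZMADecompressor}

def inflated_size(blob, factory, cap=MAX_INFLATED):
    """Return (inflated byte count, hit_cap) without keeping the output."""
    decomp = factory()
    total = 0
    out = decomp.decompress(blob, CHUNK)     # all input in, at most CHUNK out
    while out:
        total += len(out)
        if total >= cap:
            return total, True               # bomb-safe: stop measuring here
        if decomp.eof:
            break
        out = decomp.decompress(b"", CHUNK)  # drain buffered input, still bounded
    return total, False

def scan_tar(tar_bytes, cap=MAX_INFLATED):
    """Return (name, compressed, inflated, ratio, hit_cap) per nested archive."""
    rows = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            suffix = "." + m.name.rsplit(".", 1)[-1]
            if m.isfile() and suffix in DECOMPRESSORS:
                blob = tar.extractfile(m).read()
                inflated, hit_cap = inflated_size(blob, DECOMPRESSORS[suffix], cap)
                rows.append((m.name, len(blob), inflated,
                             inflated / max(len(blob), 1), hit_cap))
    return rows

def build_sample():
    """Constructed input: an outer tar holding one .tar.bz2 of 8 MiB of zeros."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w") as t:
        info = tarfile.TarInfo("zeros.bin")
        info.size = 8 * 1024 * 1024
        t.addfile(info, io.BytesIO(bytes(info.size)))
    with tarfile.open(fileobj=outer, mode="w") as t:
        blob = bz2.compress(inner.getvalue())
        info = tarfile.TarInfo("testdata/constructed-bomb.tar.bz2")  # constructed name
        info.size = len(blob)
        t.addfile(info, io.BytesIO(blob))
    return outer.getvalue()
```

Point `scan_tar` at the bytes of a real package tarball to see which member carries the extreme ratio and whether a limit such as the 4600 quoted above actually covers it.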