Revert "Remove file existence checks from validation - let container resolver handle it"

cx-dmitri-rivin · cx-dmitri-rivin · commit ed55460c004b · 2026-01-28T12:15:07.000+02:00
This reverts commit 35f747e.
diff --git a/internal/commands/scan.go b/internal/commands/scan.go
@@ -30,6 +30,7 @@ import (
 	exitCodes "github.com/checkmarx/ast-cli/internal/constants/exit-codes"
 	"github.com/checkmarx/ast-cli/internal/logger"
 	"github.com/checkmarx/ast-cli/internal/services"
+	"github.com/checkmarx/ast-cli/internal/services/osinstaller"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 
@@ -3658,8 +3659,14 @@ func validateContainerImageFormat(containerImage string) error {
 	// Step 3: No colon found - check if it's a tar file or special prefix that doesn't require tags
 	lowerInput := strings.ToLower(sanitizedInput)
 	if strings.HasSuffix(lowerInput, ".tar") {
-		// It's a tar file - validation passed
-		// Note: We don't check file existence here for the same reasons as in validateFilePath
+		// It's a tar file - check if it exists locally
+		exists, err := osinstaller.FileExists(sanitizedInput)
+		if err != nil {
+			return errors.Errorf("--container-images flag error: %v", err)
+		}
+		if !exists {
+			return errors.Errorf("--container-images flag error: file '%s' does not exist", sanitizedInput)
+		}
 		return nil // Valid tar file
 	}
 
@@ -3737,10 +3744,13 @@ func validateFilePath(filePath string) error {
 		return errors.Errorf("--container-images flag error: file '%s' is not a valid tar file. Expected .tar extension", filePath)
 	}
 
-	// Note: We don't check file existence here because:
-	// 1. The file might be created later in the workflow
-	// 2. The container resolver will handle non-existent files with proper error messages
-	// 3. This allows for more flexible testing scenarios
+	exists, err := osinstaller.FileExists(filePath)
+	if err != nil {
+		return errors.Errorf("--container-images flag error: %v", err)
+	}
+	if !exists {
+		return errors.Errorf("--container-images flag error: file '%s' does not exist", filePath)
+	}
 
 	return nil
 }
@@ -3790,14 +3800,16 @@ func validatePrefixedContainerImage(containerImage, prefix string) error {
 // validateArchivePrefix validates archive-based prefixes (file:, docker-archive:, oci-archive:).
 // Container-security scan-type related function.
 func validateArchivePrefix(imageRef string) error {
-	// Note: We don't check file existence here for the same reasons as in validateFilePath
-	// The container resolver will handle non-existent files with proper error messages
-
-	// Check if user mistakenly used archive prefix with an image name:tag format
-	if strings.Contains(imageRef, ":") && !strings.HasSuffix(strings.ToLower(imageRef), ".tar") {
-		// This looks like they tried to use image:tag format with an archive prefix
-		// Provide a helpful hint
-		return errors.Errorf("--container-images flag error: archive prefix expects a file path, not image:tag format. Found: '%s'", imageRef)
+	exists, err := osinstaller.FileExists(imageRef)
+	if err != nil {
+		return errors.Errorf("--container-images flag error: %v", err)
+	}
+	if !exists {
+		// Check if user mistakenly used archive prefix with an image name:tag format
+		if strings.Contains(imageRef, ":") && !strings.HasSuffix(strings.ToLower(imageRef), ".tar") {
+			return errors.Errorf("--container-images flag error: file '%s' does not exist. Did you try to scan an image using image name and tag?", imageRef)
+		}
+		return errors.Errorf("--container-images flag error: file '%s' does not exist", imageRef)
 	}
 	return nil
 }
@@ -3810,9 +3822,22 @@ func validateOCIDirPrefix(imageRef string) error {
 	// 2. Files (like .tar files)
 	// 3. Can have optional :tag suffix
 
-	// Note: We don't check path existence here for the same reasons as in validateFilePath
-	// The container resolver will handle non-existent paths with proper error messages
+	pathToCheck := imageRef
+	if strings.Contains(imageRef, ":") {
+		// Handle case like "oci-dir:/path/to/dir:tag" or "oci-dir:name.tar:tag"
+		pathParts := strings.Split(imageRef, ":")
+		if len(pathParts) > 0 && pathParts[0] != "" {
+			pathToCheck = pathParts[0]
+		}
+	}
 
+	exists, err := osinstaller.FileExists(pathToCheck)
+	if err != nil {
+		return errors.Errorf("--container-images flag error: path %s does not exist: %v", pathToCheck, err)
+	}
+	if !exists {
+		return errors.Errorf("--container-images flag error: path %s does not exist", pathToCheck)
+	}
 	return nil
 }
 
diff --git a/internal/commands/scan_test.go b/internal/commands/scan_test.go
@@ -2569,10 +2569,9 @@ func TestValidateContainerImageFormat_Comprehensive(t *testing.T) {
 			setupFiles:     []string{"image-with-path.tar"},
 		},
 		{
-			name:           "Valid - tar file (existence checked by container resolver)",
+			name:           "Invalid - tar file does not exist",
 			containerImage: "nonexistent.tar",
-			expectedError:  "",
-			setupFiles:     []string{"nonexistent.tar"},
+			expectedError:  "--container-images flag error: file 'nonexistent.tar' does not exist",
 		},
 
 		// ==================== Compressed Tar Tests ====================
@@ -2612,22 +2611,19 @@ func TestValidateContainerImageFormat_Comprehensive(t *testing.T) {
 			setupFiles:     []string{"mysql_5.7_backup.tar"},
 		},
 		{
-			name:           "Valid - Unix relative path (existence checked by container resolver)",
+			name:           "Invalid - Unix relative path does not exist",
 			containerImage: "subdir/image.tar",
-			expectedError:  "",
-			setupFiles:     []string{"subdir/image.tar"},
+			expectedError:  "--container-images flag error: file 'subdir/image.tar' does not exist",
 		},
 		{
-			name:           "Valid - Unix nested path (existence checked by container resolver)",
+			name:           "Invalid - Unix nested path does not exist",
 			containerImage: "path/to/archive/my-image.tar",
-			expectedError:  "",
-			setupFiles:     []string{"path/to/archive/my-image.tar"},
+			expectedError:  "--container-images flag error: file 'path/to/archive/my-image.tar' does not exist",
 		},
 		{
-			name:           "Valid - file path with version-like name (existence checked by container resolver)",
+			name:           "Invalid - file path with version-like name does not exist",
 			containerImage: "Downloads/alpine_3.21.0_podman.tar",
-			expectedError:  "",
-			setupFiles:     []string{"Downloads/alpine_3.21.0_podman.tar"},
+			expectedError:  "--container-images flag error: file 'Downloads/alpine_3.21.0_podman.tar' does not exist",
 		},
 
 		// ==================== Helpful Hints Tests ====================
@@ -2656,20 +2652,19 @@ func TestValidateContainerImageFormat_Comprehensive(t *testing.T) {
 			setupFiles:     []string{"prefixed-image.tar"},
 		},
 		{
-			name:           "Valid file prefix (existence checked by container resolver)",
+			name:           "Invalid file prefix - missing file",
 			containerImage: "file:nonexistent.tar",
-			expectedError:  "",
-			setupFiles:     []string{"nonexistent.tar"},
+			expectedError:  "--container-images flag error: file 'nonexistent.tar' does not exist",
 		},
 		{
 			name:           "Hint - file prefix with image name",
 			containerImage: "file:nginx:latest",
-			expectedError:  "--container-images flag error: archive prefix expects a file path, not image:tag format. Found: 'nginx:latest'",
+			expectedError:  "--container-images flag error: file 'nginx:latest' does not exist. Did you try to scan an image using image name and tag?",
 		},
 		{
 			name:           "Hint - file prefix with image (no tag)",
 			containerImage: "file:alpine:3.18",
-			expectedError:  "--container-images flag error: archive prefix expects a file path, not image:tag format. Found: 'alpine:3.18'",
+			expectedError:  "--container-images flag error: file 'alpine:3.18' does not exist. Did you try to scan an image using image name and tag?",
 		},
 
 		// ==================== Docker Archive Tests ====================
@@ -2680,15 +2675,14 @@ func TestValidateContainerImageFormat_Comprehensive(t *testing.T) {
 			setupFiles:     []string{"image.tar"},
 		},
 		{
-			name:           "Valid docker-archive (existence checked by container resolver)",
+			name:           "Invalid docker-archive - missing file",
 			containerImage: "docker-archive:nonexistent.tar",
-			expectedError:  "",
-			setupFiles:     []string{"nonexistent.tar"},
+			expectedError:  "--container-images flag error: file 'nonexistent.tar' does not exist",
 		},
 		{
 			name:           "Hint - docker-archive with image name",
 			containerImage: "docker-archive:nginx:latest",
-			expectedError:  "--container-images flag error: archive prefix expects a file path, not image:tag format. Found: 'nginx:latest'",
+			expectedError:  "--container-images flag error: file 'nginx:latest' does not exist. Did you try to scan an image using image name and tag?",
 		},
 
 		// ==================== OCI Archive Tests ====================
@@ -2699,15 +2693,14 @@ func TestValidateContainerImageFormat_Comprehensive(t *testing.T) {
 			setupFiles:     []string{"image.tar"},
 		},
 		{
-			name:           "Valid oci-archive (existence checked by container resolver)",
+			name:           "Invalid oci-archive - missing file",
 			containerImage: "oci-archive:nonexistent.tar",
-			expectedError:  "",
-			setupFiles:     []string{"nonexistent.tar"},
+			expectedError:  "--container-images flag error: file 'nonexistent.tar' does not exist",
 		},
 		{
 			name:           "Hint - oci-archive with image name",
 			containerImage: "oci-archive:ubuntu:22.04",
-			expectedError:  "--container-images flag error: archive prefix expects a file path, not image:tag format. Found: 'ubuntu:22.04'",
+			expectedError:  "--container-images flag error: file 'ubuntu:22.04' does not exist. Did you try to scan an image using image name and tag?",
 		},
 
 		// ==================== Docker Daemon Tests ====================
@@ -2793,10 +2786,9 @@ func TestValidateContainerImageFormat_Comprehensive(t *testing.T) {
 			setupDirs:      []string{"oci-image-dir"},
 		},
 		{
-			name:           "Valid oci-dir (existence checked by container resolver)",
+			name:           "Invalid oci-dir - directory does not exist",
 			containerImage: "oci-dir:nonexistent-dir",
-			expectedError:  "",
-			setupDirs:      []string{"nonexistent-dir"},
+			expectedError:  "--container-images flag error: path nonexistent-dir does not exist",
 		},
 		{
 			name:           "Valid oci-dir with tar file",
