fix nested archive handler error wraps to preserve errors.Is identity

The non-archive content paths in pkg/handlers/ar.go:109 and
pkg/handlers/rpm.go:120 wrapped the inner error returned from
handleNonArchiveContent with %v, dropping its identity from the
errors.Is chain. Because handleNonArchiveContent can return ctx.Err()
(context.Canceled or context.DeadlineExceeded) when its CancellableWrite
fails, isFatal at handlers.go:425 then misclassified those cancelled
or deadline-exceeded conditions as non-fatal warnings and continued
processing.

Switch both wraps to %w so the inner cause is preserved alongside
ErrProcessingWarning, matching the same-shape fix already applied to
the canonical wrap at default.go:137.

Add regression tests for both handlers that exercise the production
wrap path via an injected chunk reader that cancels the parent context
before its chunk is written, which forces handleNonArchiveContent to
return context.Canceled and processARFiles / processRPMFiles to wrap
it. The tests assert the outer ErrProcessingWarning wrap is preserved,
the inner cancellation cause is inspectable via errors.Is, and isFatal
classifies the result as fatal.

Author: johnelliott

pkg/handlers/ar.go

@@ -106,7 +106,7 @@ func (h *arHandler) processARFiles(ctx logContext.Context, reader *deb.Ar, dataO
 
 			if err := h.handleNonArchiveContent(fileCtx, rdr, dataOrErrChan); err != nil {
 				dataOrErrChan <- DataOrErr{
-					Err: fmt.Errorf("%w: error handling archive content in AR: %v", ErrProcessingWarning, err),
+					Err: fmt.Errorf("%w: error handling archive content in AR: %w", ErrProcessingWarning, err),
 				}
 				h.metrics.incErrors()
 				continue

pkg/handlers/ar_test.go

@@ -1,13 +1,18 @@
 package handlers
 
 import (
+	stdctx "context"
+	"errors"
+	"io"
 	"os"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/trufflesecurity/trufflehog/v3/pkg/context"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/sources"
 )
 
 func TestHandleARFile(t *testing.T) {
@@ -34,3 +39,63 @@ func TestHandleARFile(t *testing.T) {
 
 	assert.Equal(t, wantChunkCount, count)
 }
+
+// TestARHandler_NonArchiveErrPreservesIdentity is a regression test for the
+// %v wrap at ar.go:109. Before the fix, wrapping handleNonArchiveContent's
+// return value with %v dropped the inner error's identity from the errors.Is
+// chain, causing isFatal in handleChunksWithError to misclassify cancellation
+// (and other fatal causes) as a non-fatal warning. The test injects a
+// cancelling chunk reader so handleNonArchiveContent's CancellableWrite
+// returns context.Canceled, which is then wrapped by processARFiles. It
+// asserts both that the outer ErrProcessingWarning wrap is preserved and
+// that the inner cancellation cause remains inspectable.
+func TestARHandler_NonArchiveErrPreservesIdentity(t *testing.T) {
+	file, err := os.Open("testdata/test.deb")
+	require.NoError(t, err)
+	defer file.Close()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rdr, err := newFileReader(ctx, file)
+	require.NoError(t, err)
+	defer rdr.Close()
+
+	// Cancel the parent context the moment handleNonArchiveContent asks for
+	// chunks, then deliver a single non-error chunk. CancellableWrite of that
+	// chunk's data sees the cancelled context and returns context.Canceled,
+	// which handleNonArchiveContent returns and processARFiles wraps. This
+	// is the only path that exercises the ar.go:107-110 wrap.
+	cancellingChunkReader := sources.ChunkReader(func(_ context.Context, _ io.Reader) <-chan sources.ChunkResult {
+		ch := make(chan sources.ChunkResult, 1)
+		cancel()
+		ch <- sources.NewChunkResult([]byte("data"), 4)
+		close(ch)
+		return ch
+	})
+
+	handler := &arHandler{
+		defaultHandler: newDefaultHandler(arHandlerType, withChunkReader(cancellingChunkReader)),
+	}
+
+	var got []DataOrErr
+	for d := range handler.HandleFile(context.AddLogger(ctx), rdr) {
+		got = append(got, d)
+	}
+
+	var warnErr error
+	for _, d := range got {
+		if d.Err != nil && errors.Is(d.Err, ErrProcessingWarning) {
+			warnErr = d.Err
+			break
+		}
+	}
+	require.Error(t, warnErr, "expected wrapped warning from ar.go non-archive error path")
+
+	assert.True(t, errors.Is(warnErr, ErrProcessingWarning),
+		"outer ErrProcessingWarning wrap should be preserved")
+	assert.True(t, errors.Is(warnErr, stdctx.Canceled),
+		"inner cancellation cause should be inspectable via errors.Is")
+	assert.True(t, isFatal(warnErr),
+		"isFatal should classify the wrapped error based on the inner cause")
+}

pkg/handlers/rpm.go

@@ -117,7 +117,7 @@ func (h *rpmHandler) processRPMFiles(
 
 			if err := h.handleNonArchiveContent(fileCtx, rdr, dataOrErrChan); err != nil {
 				dataOrErrChan <- DataOrErr{
-					Err: fmt.Errorf("%w: error processing RPM archive: %v", ErrProcessingWarning, err),
+					Err: fmt.Errorf("%w: error processing RPM archive: %w", ErrProcessingWarning, err),
 				}
 				h.metrics.incErrors()
 			}

pkg/handlers/rpm_test.go

@@ -1,13 +1,18 @@
 package handlers
 
 import (
+	stdctx "context"
+	"errors"
+	"io"
 	"os"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/trufflesecurity/trufflehog/v3/pkg/context"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/sources"
 )
 
 func TestHandleRPMFile(t *testing.T) {
@@ -34,3 +39,55 @@ func TestHandleRPMFile(t *testing.T) {
 
 	assert.Equal(t, wantChunkCount, count)
 }
+
+// TestRPMHandler_NonArchiveErrPreservesIdentity is a regression test for the
+// %v wrap at rpm.go:120. Same shape as TestARHandler_NonArchiveErrPreservesIdentity:
+// inject a cancelling chunk reader so handleNonArchiveContent's CancellableWrite
+// returns context.Canceled, which processRPMFiles wraps with ErrProcessingWarning.
+// Asserts the outer warning wrap and inner cancellation cause are both
+// observable via errors.Is so isFatal can classify correctly.
+func TestRPMHandler_NonArchiveErrPreservesIdentity(t *testing.T) {
+	file, err := os.Open("testdata/test.rpm")
+	require.NoError(t, err)
+	defer file.Close()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	rdr, err := newFileReader(ctx, file)
+	require.NoError(t, err)
+	defer rdr.Close()
+
+	cancellingChunkReader := sources.ChunkReader(func(_ context.Context, _ io.Reader) <-chan sources.ChunkResult {
+		ch := make(chan sources.ChunkResult, 1)
+		cancel()
+		ch <- sources.NewChunkResult([]byte("data"), 4)
+		close(ch)
+		return ch
+	})
+
+	handler := &rpmHandler{
+		defaultHandler: newDefaultHandler(rpmHandlerType, withChunkReader(cancellingChunkReader)),
+	}
+
+	var got []DataOrErr
+	for d := range handler.HandleFile(context.AddLogger(ctx), rdr) {
+		got = append(got, d)
+	}
+
+	var warnErr error
+	for _, d := range got {
+		if d.Err != nil && errors.Is(d.Err, ErrProcessingWarning) {
+			warnErr = d.Err
+			break
+		}
+	}
+	require.Error(t, warnErr, "expected wrapped warning from rpm.go non-archive error path")
+
+	assert.True(t, errors.Is(warnErr, ErrProcessingWarning),
+		"outer ErrProcessingWarning wrap should be preserved")
+	assert.True(t, errors.Is(warnErr, stdctx.Canceled),
+		"inner cancellation cause should be inspectable via errors.Is")
+	assert.True(t, isFatal(warnErr),
+		"isFatal should classify the wrapped error based on the inner cause")
+}