fix: skip permission-denied paths instead of crashing on directory walk (#3258)

[tjhub1983]

Summary

Fixes #3258.

When scanning a directory with excluded paths, syft would crash if it encountered permission-denied directories (e.g., /boot/grub2 owned by root) during the ancestor path walk, even when those paths were excluded.

Before: unable to index ancestor path="/boot/grub2": permission denied → syft exits with error
After: Permission-denied paths are skipped and logged, scan continues

The fix adds r.isFileAccessErr(targetPath, err) check at line 218 of directory_indexer.go. When os.Lstat fails with a file access error, the ancestor walk continues instead of returning an error. This matches the behavior of filepath.Walk which skips permission errors.

Changes

• syft/internal/fileresolver/directory_indexer.go: Skip file access errors in indexBranch ancestor walk instead of returning an error

Test

$ sudo -u nobody syft / --exclude ./boot --exclude ./web
# Previously: crash on permission denied
# Now: logs warning and continues

Related

This was discussed in syft#3258 with the suggestion that excluded paths should not be accessed at all. While the ideal long-term fix would prevent access to excluded paths entirely, this change provides immediate relief by making permission errors non-fatal.

[tjhub1983]

Hi @anchore/syft-maintainers!

This PR fixes #3258 — a crash when scanning directories with excluded paths that contain permission-denied directories (e.g., /boot/grub2).

The CI workflow runs are showing action_required status, which likely means the custom runs-on.com runner needs maintainer approval for fork PRs.

Could you please approve the CI runs for this PR? Happy to make any adjustments needed.

Thank you!

[kzantow]

Is there some way to add a test for this that isn't too convoluted to set up?

[tjhub1983]

@kzantow Thanks for the review!

Regarding the test: a reliable permission-denied test typically requires OS-level permission manipulation which can be flaky across platforms (especially Windows). The existing unit tests cover the core logic paths (walkWithExclusion, walkDir), but testing the permission-denied scenario at the integration level requires either:

1. Using os.Chmod to make a directory unreadable (platform-dependent, may not work reliably on Windows)
2. A mock filesystem approach

I'm happy to add a test using approach #1 if you think it's worth the added complexity, or handle it as a follow-up issue. Let me know how you'd like to proceed.

[kzantow]

This needs to have a test. The test can create a filesystem with this scenario.

[tjhub1983]

Hi @anchore/syft-maintainers!

All CI checks have passed:

• Unit tests ✅
• Integration tests ✅
• CLI tests (Linux) ✅
• Acceptance tests (Linux/Mac) ✅
• Static analysis ✅
• Build snapshot artifacts ✅

Is there anything else needed to move this forward? This PR fixes the crash when scanning directories with excluded paths that contain permission-denied directories (e.g., /boot/grub2 on Linux).

[tjhub1983]

Hi maintainers! All CI checks have passed. Is there anything blocking this from being merged? Happy to address any feedback!

[tjhub1983]

Just checking in again - is there anything else needed to move this forward? All CI checks are green and kzantow reviewed previously. Happy to make any adjustments! @anchore/syft-maintainers

[tjhub1983]

Just checking - is there anything needed from my side to move this forward?

[tjhub1983]

ping @kzantow - PR #4880 has CI passing and your comments. Could you please review/approve so we can get this merged? Thanks!

[tjhub1983]

?? Hi maintainers! Just checking in on this PR. Is there anything else needed from my side to move forward? Thanks!

[tjhub1983]

?? Hi maintainers! Just checking in on this PR. Is there anything else needed? Thanks for your time!