feat(image): return error early if total size of layers exceeds limit

docs/docs/target/container_image.md

@@ -520,7 +520,14 @@ $ trivy image --podman-host /run/user/1000/podman/podman.sock YOUR_IMAGE
 ```
 
 ### Prevent scanning oversized container images
-Use the `--max-image-size` flag to avoid scanning images that exceed a specified size. The size is specified in a human-readable format (e.g., `100MB`, `10GB`). If the compressed image size exceeds the specified threshold, an error is returned immediately. Otherwise, all layers are pulled, stored in a temporary folder, and their uncompressed size is verified before scanning. Temporary layers are always cleaned up, even after a successful scan.
+Use the `--max-image-size` flag to avoid scanning images that exceed a specified size. The size is specified in a human-readable format (e.g., `100MB`, `10GB`).
+
+An error is returned in the following cases:
+- if the compressed image size exceeds the limit,
+- if the total size of the layers exceeds the specified limit during their pulling,
+- if the uncompressed image size exceeds the limit after the layers are pulled.
+
+The layers are pulled into a temporary folder during their pulling and are always cleaned up, even after a successful scan.
 
 !!! warning "EXPERIMENTAL"
     This feature might change without preserving backwards compatibility.

pkg/fanal/artifact/image/image.go

@@ -246,6 +246,10 @@ func (a Artifact) checkImageSize(ctx context.Context, diffIDs []string) error {
 
 	imageSize, err := a.imageSize(ctx, diffIDs)
 	if err != nil {
+		var uerr *trivyTypes.UserError
+		if errors.As(err, &uerr) {
+			return uerr
+		}
 		return xerrors.Errorf("failed to calculate image size: %w", err)
 	}
 
@@ -281,6 +285,7 @@ func (a Artifact) compressedImageSize(diffIDs []string) (int64, error) {
 
 func (a Artifact) imageSize(ctx context.Context, diffIDs []string) (int64, error) {
 	var imageSize int64
+	var completedLayers int
 
 	p := parallel.NewPipeline(a.artifactOption.Parallel, false, diffIDs,
 		func(_ context.Context, diffID string) (int64, error) {
@@ -292,6 +297,19 @@ func (a Artifact) imageSize(ctx context.Context, diffIDs []string) (int64, error
 		},
 		func(layerSize int64) error {
 			imageSize += layerSize
+			completedLayers += 1
+			// If the layer size exceeds the limit during loading, return an error immediately.
+			// Otherwise, if the image is fully loaded, check the size later.
+			if imageSize > a.artifactOption.ImageOption.MaxImageSize &&
+				completedLayers != len(diffIDs) {
+				return &trivyTypes.UserError{
+					Message: fmt.Sprintf(
+						"the accumulated size of uncompressed layers %s exceeds maximum allowed size %s",
+						units.HumanSizeWithPrecision(float64(imageSize), 3),
+						units.HumanSize(float64(a.artifactOption.ImageOption.MaxImageSize)),
+					),
+				}
+			}
 			return nil
 		},
 	)

pkg/fanal/artifact/image/image_test.go

@@ -2255,11 +2255,19 @@ func TestArtifact_Inspect(t *testing.T) {
 		},
 		{
 			name:      "sad path, image size is larger than the maximum",
-			imagePath: "../../test/testdata/alpine-311.tar.gz",
+			imagePath: "../../test/testdata/image2.tar",
+			artifactOpt: artifact.Option{
+				ImageOption: types.ImageOptions{MaxImageSize: units.MB * 4.1},
+			},
+			wantErr: "uncompressed image size 4.2MB exceeds maximum allowed size 4.1MB",
+		},
+		{
+			name:      "sad path, the first layer is larger than the threshold",
+			imagePath: "../../test/testdata/image2.tar",
 			artifactOpt: artifact.Option{
-				ImageOption: types.ImageOptions{MaxImageSize: units.MB * 4},
+				ImageOption: types.ImageOptions{MaxImageSize: units.MB * 1},
 			},
-			wantErr: "uncompressed image size 5.86MB exceeds maximum allowed size 4MB",
+			wantErr: "the accumulated size of uncompressed layers 2.1MB exceeds maximum allowed size 1MB",
 		},
 	}
 	for _, tt := range tests {