Issue with scanning mounted k8s secrets with version 1.1.0

[marcnorthover]

When using version 1.0.3 there are no issues. When upgrading to version 1.1.0 it is failing with this error

level=error msg="Could not scan dir: plugin (Certificate File Plugin) failed to updated components of bom; read /vault/secrets/..data: is a directory"

These directories are k8s secret mounts. Sample:

apiVersion: apps/v1
kind: Deployment
...
spec:
  ...
  template:
    ...
    spec:
      ...
      containers:
      - name: ...
        ...
        volumeMounts:
        - name: ...
          mountPath: "/vault/secrets"
          readOnly: true
        ...
      volumes:
      - name: ...
        secret:
          secretName: ...
          items:
          - key: secret1
            path: secret1
          ...

which results in this structure inside the pod:

/vault/secrets/
├── ..data                    → symlink to ..2026_02_17_17_32_00.123456789
├── ..2026_02_17_17_32_00.123456789/   ← timestamped directory with actual data
│   ├── secret1
│   ├── secret2
│   ├── secret3
│   └── ... (actual secret files)
├── secret1              → symlink to ..data/secret1
├── secret2               → symlink to ..data/secret2
├── secret3              → symlink to ..data/secret3
└── ...

Ultimately, the error happens, the process exits and the output is 0 bytes.

[marcnorthover]

Extra info, I am running the cbomkit-theia process against the /vault/secrets directory:

# 1.0.3 works, 1.1.0 fails
cbomkit-theia dir /vault/secrets > /tmp/output.json

[san-zrl]

Hi @marcnorthover - I'll look into this. I guess the problem is related to symlinks to directories that are not handled correctly.

[san-zrl]

Hi @marcnorthover - I merged PR #169 that hopefully fixes this issue. I created a new release 1.1.1 that contains the upgrade to go 1.26, a few updated dependencies and the fix for this issue. I'll close this for now. We can re-open if necessary.