From 7ef34358cb41704c57100d2212d93d35ff196cd6 Mon Sep 17 00:00:00 2001
From: itinance
Date: Thu, 26 Mar 2026 11:15:33 +0100
Subject: [PATCH] fix: Replace broad exception handling with specific exception types

Replace all bare `except Exception: pass` blocks with the specific exceptions each decoding operation can actually raise. This prevents masking unexpected errors that could indicate scanner evasion.
---
 supply_chain_scanner/test_supply_chain.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/supply_chain_scanner/test_supply_chain.py b/supply_chain_scanner/test_supply_chain.py
index dd21100..9d08815 100644
--- a/supply_chain_scanner/test_supply_chain.py
+++ b/supply_chain_scanner/test_supply_chain.py
@@ -19,6 +19,7 @@
 """
 import base64
+import binascii
 import codecs
 import importlib.metadata
 import re
@@ -133,7 +134,7 @@ def _try_decode_payload(encoded: str) -> list[str]:
         decoded = base64.b64decode(encoded).decode("utf-8", errors="replace")
         if any(kw in decoded.lower() for kw in suspicious_keywords):
             results.append(f"base64: {decoded[:120]}")
-    except Exception:
+    except (binascii.Error, ValueError, UnicodeDecodeError):
         pass
 
     # Hex
@@ -141,7 +142,7 @@ def _try_decode_payload(encoded: str) -> list[str]:
         decoded = bytes.fromhex(encoded).decode("utf-8", errors="replace")
         if any(kw in decoded.lower() for kw in suspicious_keywords):
             results.append(f"hex: {decoded[:120]}")
-    except Exception:
+    except (ValueError, UnicodeDecodeError):
         pass
 
     # Zlib + base64 (compressed payload)
@@ -150,7 +151,7 @@ def _try_decode_payload(encoded: str) -> list[str]:
         decoded = zlib.decompress(raw).decode("utf-8", errors="replace")
         if any(kw in decoded.lower() for kw in suspicious_keywords):
             results.append(f"zlib+base64: {decoded[:120]}")
-    except Exception:
+    except (binascii.Error, zlib.error, ValueError, UnicodeDecodeError):
         pass
 
     # ROT13
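Review bot: The new tuple on the `except` line of the base64 hunk is partly unreachable and partly redundant: `binascii.Error` and `UnicodeDecodeError` are both subclasses of `ValueError`, and the `.decode("utf-8", errors="replace")` on the line above can never raise `UnicodeDecodeError`, so `except ValueError:` is the precise form (`base64.b64decode` raises `binascii.Error` for bad padding and a plain `ValueError` for non-ASCII input, both caught by it). The hex hunk reduces the same way, since `bytes.fromhex` raises only `ValueError` and its decode also uses `errors="replace"`. Listing subclasses beside their base suggests three distinct failure modes exist, which is the kind of thing a later reader extends rather than simplifies. `_try_decode_payload` starts outside the hunk.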
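Review bot: `zlib.error` is the one name in the zlib hunk's tuple that is not a `ValueError` subclass and must stay, but the `zlib.decompress(raw)` it guards is unbounded: a few hundred bytes of base64 that inflate to gigabytes is a standard way to take a scanner down, and after this change the resulting `MemoryError` (an `Exception` subclass) propagates and aborts the run, whereas before it was swallowed and the package passed silently; neither outcome is acceptable. Cap the inflated size, e.g. `decoded = zlib.decompressobj().decompress(raw, max_length=1 << 20).decode("utf-8", errors="replace")`, after which `except (zlib.error, ValueError):` covers everything the tuple lists. `raw` is presumably the base64-decoded bytes assigned on the line just above the hunk; `_try_decode_payload` starts outside it.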
@@ -158,7 +159,7 @@ def _try_decode_payload(encoded: str) -> list[str]:
         decoded = codecs.decode(encoded, "rot_13")
         if any(kw in decoded.lower() for kw in suspicious_keywords):
             results.append(f"rot13: {decoded[:120]}")
-    except Exception:
+    except (ValueError, LookupError):
         pass
 
     return results
@@ -350,7 +351,7 @@ def test_no_suspicious_pth_files(self):
                     for kw in ["exec", "eval", "import", "subprocess", "socket", "http", "requests", "urllib"]
                 ):
                     issues.append(f"base64 payload decodes to executable code: {decoded[:100]}...")
-            except Exception:
+            except (binascii.Error, ValueError, UnicodeDecodeError):
                 pass
 
             # Check for executable import lines (skip known-safe system .pth files)
@@ -445,7 +446,7 @@ def test_no_encoded_exfiltration_payloads(self):
                 exfil_hits = [t for t in SENSITIVE_EXFIL_TARGETS if t in decoded]
                 if exfil_hits:
                     suspicious_packages.append(f"{pkg_name}: payload references {exfil_hits}")
-            except Exception:
+            except (binascii.Error, ValueError, UnicodeDecodeError):
                 pass
 
         assert not suspicious_packages, "CRITICAL: Packages with encoded exfiltration payloads:\n" + "\n".join(
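Review bot: Neither name in the rot13 hunk's new tuple is reachable in practice: `LookupError` fires only for an unknown codec name and `"rot_13"` is a literal, and `codecs.decode` of a `str` (per the `encoded: str` annotation) through rot_13 is a pure character substitution that does not raise `ValueError` for any input. The `try` is therefore dead weight; either drop it, or keep `except ValueError:` for parity with the other decoders and say why with `# rot13 on str cannot fail; kept for symmetry with the other decoders`. `_try_decode_payload` starts outside the hunk.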
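Review bot: The `decoded = ...` line guarded by the new `except` in the `.pth` hunk is above the hunk, so it is not visible whether that decode uses `errors="replace"` (making `UnicodeDecodeError` unreachable) or is strict (making it reachable); either way `except ValueError:` covers every name in the tuple, because both `binascii.Error` and `UnicodeDecodeError` derive from `ValueError`. If the three-name tuple is meant to document which operation fails how, a comment does that without the redundancy: `# b64decode -> binascii.Error (a ValueError); strict utf-8 decode -> UnicodeDecodeError (also a ValueError)`. The exfiltration hunk below carries the identical tuple and the same simplification applies. `test_no_suspicious_pth_files` and the `try` this clause belongs to both start outside the hunk.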