From 1aa8a10f6b0fc1b377b7d746cabc4fc25f8b4714 Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Fri, 26 Feb 2021 12:30:24 -0500
Subject: [PATCH] ignore ownership for shared copyright resources
Signed-off-by: Alex Goodman
---
 syft/pkg/catalog.go | 6 ------
 syft/pkg/ownership_by_files_relationship.go | 10 ++++++++++
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/syft/pkg/catalog.go b/syft/pkg/catalog.go
index 6325ae1cf..40af8c851 100644
--- a/syft/pkg/catalog.go
+++ b/syft/pkg/catalog.go
@@ -7,12 +7,6 @@ import (
 "github.com/anchore/syft/internal/log"
 )
 
-var globsForbiddenFromBeingOwned = []string{
- ApkDbGlob,
- DpkgDbGlob,
- RpmDbGlob,
-}
-
 // Catalog represents a collection of Packages.
 type Catalog struct {
 byID map[ID]*Package
diff --git a/syft/pkg/ownership_by_files_relationship.go b/syft/pkg/ownership_by_files_relationship.go
index 23213604d..0151ee2b4 100644
--- a/syft/pkg/ownership_by_files_relationship.go
+++ b/syft/pkg/ownership_by_files_relationship.go
@@ -6,6 +6,16 @@ import (
 "github.com/scylladb/go-set/strset"
 )
 
+var globsForbiddenFromBeingOwned = []string{
+ // any OS DBs should automatically be ignored to prevent cyclic issues (e.g. the "rpm" RPM owns the path to the
+ // RPM DB, so if not ignored that package would own all other packages on the system).
+ ApkDbGlob,
+ DpkgDbGlob,
+ RpmDbGlob,
+ // DEB packages share common copyright info between, this does not mean that sharing these paths implies ownership.
+ "/usr/share/doc/**/copyright",
+}
+
 type ownershipByFilesMetadata struct {
 Files []string `json:"files"`
 }
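Review bot: The new `"/usr/share/doc/**/copyright"` entry in `globsForbiddenFromBeingOwned` (second file, `ownership_by_files_relationship.go`) comes with no test in this patch; the diffstat lists only the two source files. The code that matches these globs is outside the hunk, so nothing visible confirms that `**` covers the single `<package>` directory level in `/usr/share/doc/<package>/copyright`. Because these relationships presumably decide which packages are reported as owned by another, a test with two DEB packages sharing one copyright path and asserting that no ownership relationship results would catch both a non-matching glob and a later regression. For consistency with `ApkDbGlob`, `DpkgDbGlob` and `RpmDbGlob`, a named constant would suit the path better than an inline literal. The comment above it would read more clearly as `// DEB packages share common copyright files; overlap on these paths does not imply ownership.`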