Merge pull request #332 from westonsteimel/detect-distroless-packages

allow ability to catalog packages from /var/lib/dpkg/status.d/
2026-02-12 10:36:45 +01:00 · 2021-03-09 10:37:22 -05:00 · 2021-03-09 10:37:22 -05:00 · 8c4370b7cc
commit 8c4370b7cc
parent 40e9c4b146 6c80f9910f
5 changed files with 37 additions and 3 deletions
--- a/syft/cataloger/deb/cataloger.go
+++ b/syft/cataloger/deb/cataloger.go
@ -38,6 +38,7 @@ func (c *Cataloger) Catalog(resolver source.Resolver) ([]pkg.Package, error) {
 		return nil, fmt.Errorf("failed to find dpkg status files's by glob: %w", err)
 	}

+	var results []pkg.Package
 	var pkgs []pkg.Package
 	for _, dbLocation := range dbFileMatches {
 		dbContents, err := resolver.FileContentsByLocation(dbLocation)
@ -94,8 +95,10 @@ func (c *Cataloger) Catalog(resolver source.Resolver) ([]pkg.Package, error) {
 				}
 			}
 		}
+
+		results = append(results, pkgs...)
 	}
-	return pkgs, nil
+	return results, nil
 }

 func fetchMd5Contents(resolver source.Resolver, dbLocation source.Location, pkgs []pkg.Package) (map[string]io.Reader, map[string]source.Location, error) {
--- a/syft/pkg/dpkg_metadata.go
+++ b/syft/pkg/dpkg_metadata.go
@ -8,7 +8,7 @@ import (
 	"github.com/scylladb/go-set/strset"
 )

-const DpkgDbGlob = "**/var/lib/dpkg/status"
+const DpkgDbGlob = "**/var/lib/dpkg/{status,status.d/**}"

 var _ fileOwner = (*DpkgMetadata)(nil)

--- a/test/integration/pkg_cases_test.go
+++ b/test/integration/pkg_cases_test.go
@ -144,7 +144,9 @@ var commonTestCases = []testCase{
 		name:    "find dpkg packages",
 		pkgType: pkg.DebPkg,
 		pkgInfo: map[string]string{
-			"apt": "1.8.2",
+			"apt":     "1.8.2",
+			"dash":    "0.5.8-2.4",
+			"netbase": "5.4",
 		},
 	},
 	{
--- a/test/integration/test-fixtures/image-pkg-coverage/var/lib/dpkg/status.d/dash
+++ b/test/integration/test-fixtures/image-pkg-coverage/var/lib/dpkg/status.d/dash
@ -0,0 +1,18 @@
+Package: dash
+Version: 0.5.8-2.4
+Architecture: amd64
+Essential: yes
+Maintainer: Gerrit Pape <pape@smarden.org>
+Installed-Size: 204
+Pre-Depends: libc6 (>= 2.14)
+Depends: debianutils (>= 2.15), dpkg (>= 1.15.0)
+Section: shells
+Priority: required
+Homepage: http://gondor.apana.org.au/~herbert/dash/
+Description: POSIX-compliant shell
+ The Debian Almquist Shell (dash) is a POSIX-compliant shell derived
+ from ash.
+ .
+ Since it executes scripts faster than bash, and has fewer library
+ dependencies (making it more robust against software or hardware
+ failures), it is used as the default system shell on Debian systems.
--- a/test/integration/test-fixtures/image-pkg-coverage/var/lib/dpkg/status.d/netbase
+++ b/test/integration/test-fixtures/image-pkg-coverage/var/lib/dpkg/status.d/netbase
@ -0,0 +1,11 @@
+Package: netbase
+Version: 5.4
+Architecture: all
+Maintainer: Marco d'Itri <md@linux.it>
+Installed-Size: 44
+Section: admin
+Priority: important
+Multi-Arch: foreign
+Description: Basic TCP/IP networking system
+ This package provides the necessary infrastructure for basic TCP/IP based
+ networking.