Ignore dpkg entries that have "deinstall" status indicating package has been removed but not purged

Signed-off-by: Ross Kirk <ross.kirk@upwind.io>
2025-11-17 16:33:21 +01:00 · 2025-09-22 11:56:31 +01:00 · 2025-09-22 11:56:31 +01:00 · 9b60b3e33d
commit 9b60b3e33d
parent d820c3436b
3 changed files with 79 additions and 0 deletions
--- a/syft/pkg/cataloger/debian/parse_dpkg_db.go
+++ b/syft/pkg/cataloger/debian/parse_dpkg_db.go
@ -24,6 +24,10 @@ import (
 	"github.com/anchore/syft/syft/pkg/cataloger/generic"
 )

+const (
+	deinstallStatus string = "deinstall"
+)
+
 var (
 	errEndOfPackages = fmt.Errorf("no more packages to read")
 	sourceRegexp     = regexp.MustCompile(`(?P<name>\S+)( \((?P<version>.*)\))?`)
@ -112,6 +116,7 @@ type dpkgExtractedMetadata struct {
 	Provides      string `mapstructure:"Provides"`
 	Depends       string `mapstructure:"Depends"`
 	PreDepends    string `mapstructure:"PreDepends"` // note: original doc is Pre-Depends
+	Status        string `mapstructure:"Status"`
 }

 // parseDpkgStatusEntry returns an individual Dpkg entry, or returns errEndOfPackages if there are no more packages to parse from the reader.
@ -134,6 +139,11 @@ func parseDpkgStatusEntry(reader *bufio.Reader) (*pkg.DpkgDBEntry, error) {
 		return nil, err
 	}

+	// Skip entries which have been removed but not purged, e.g. "rc" status in dpkg -l
+	if strings.Contains(raw.Status, deinstallStatus) {
+		return nil, nil
+	}
+
 	sourceName, sourceVersion := extractSourceVersion(raw.Source)
 	if sourceVersion != "" {
 		raw.SourceVersion = sourceVersion
--- a/syft/pkg/cataloger/debian/parse_dpkg_db_test.go
+++ b/syft/pkg/cataloger/debian/parse_dpkg_db_test.go
@ -237,6 +237,37 @@ func Test_parseDpkgStatus(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:        "deinstall status packages are ignored",
+			fixturePath: "test-fixtures/var/lib/dpkg/status.d/deinstall",
+			expected: []pkg.DpkgDBEntry{
+				{
+					Package:       "linux-image-6.14.0-1012-aws",
+					Source:        "linux-signed-aws-6.14",
+					Version:       "6.14.0-1012.12~24.04.1",
+					Architecture:  "amd64",
+					InstalledSize: 15221,
+					Maintainer:    "Canonical Kernel Team <kernel-team@lists.ubuntu.com>",
+					Description: `Signed kernel image aws
+ A kernel image for aws.  This version of it is signed with
+ Canonical's signing key.`,
+					Provides: []string{"fuse-module",
+						"linux-image",
+						"spl-dkms",
+						"spl-modules",
+						"v4l2loopback-dkms",
+						"v4l2loopback-modules",
+						"zfs-dkms",
+						"zfs-modules"},
+					Depends: []string{
+						"kmod",
+						"linux-base (>= 4.5ubuntu1~16.04.1)",
+						"linux-modules-6.14.0-1012-aws",
+					},
+					Files: []pkg.DpkgFileRecord{},
+				},
+			},
+		},
 	}

 	for _, test := range tests {
--- a/syft/pkg/cataloger/debian/test-fixtures/var/lib/dpkg/status.d/deinstall
+++ b/syft/pkg/cataloger/debian/test-fixtures/var/lib/dpkg/status.d/deinstall
@ -0,0 +1,38 @@
+Package: linux-image-6.14.0-1012-aws
+Status: install ok installed
+Priority: optional
+Section: kernel
+Installed-Size: 15221
+Maintainer: Canonical Kernel Team <kernel-team@lists.ubuntu.com>
+Architecture: amd64
+Source: linux-signed-aws-6.14
+Version: 6.14.0-1012.12~24.04.1
+Provides: fuse-module, linux-image, spl-dkms, spl-modules, v4l2loopback-dkms, v4l2loopback-modules, zfs-dkms, zfs-modules
+Depends: kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.14.0-1012-aws
+Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub | lilo, initramfs-tools | linux-initramfs-tool
+Suggests: bpftool, linux-perf, linux-aws-6.14-doc-6.14.0 | linux-aws-6.14-source-6.14.0, linux-aws-6.14-tools, linux-headers-6.14.0-1012-aws
+Conflicts: linux-image-unsigned-6.14.0-1012-aws
+Description: Signed kernel image aws
+ A kernel image for aws.  This version of it is signed with
+ Canonical's signing key.
+Built-Using: linux-aws-6.14 (= 6.14.0-1012.12~24.04.1)
+
+Package: linux-image-6.8.0-1029-aws
+Status: deinstall ok config-files
+Priority: optional
+Section: kernel
+Installed-Size: 14591
+Maintainer: Canonical Kernel Team <kernel-team@lists.ubuntu.com>
+Architecture: amd64
+Source: linux-signed-aws
+Version: 6.8.0-1029.31
+Config-Version: 6.8.0-1029.31
+Provides: fuse-module, linux-image, spl-dkms, spl-modules, v4l2loopback-dkms, v4l2loopback-modules, zfs-dkms, zfs-modules
+Depends: kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.8.0-1029-aws
+Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub | lilo, initramfs-tools | linux-initramfs-tool
+Suggests: fdutils, linux-aws-doc-6.8.0 | linux-aws-source-6.8.0, linux-aws-tools, linux-headers-6.8.0-1029-aws
+Conflicts: linux-image-unsigned-6.8.0-1029-aws
+Description: Signed kernel image aws
+ A kernel image for aws.  This version of it is signed with
+ Canonical's signing key.
+Built-Using: linux-aws (= 6.8.0-1029.31)