From d5ca1ad543a929e9046e183192ab91c2e843d281 Mon Sep 17 00:00:00 2001 From: Ross Kirk Date: Thu, 23 Oct 2025 21:23:58 +0100 Subject: [PATCH] fix: ignore dpkg entries with "deinstall" status (#4231) Signed-off-by: Ross Kirk --- syft/pkg/cataloger/debian/parse_dpkg_db.go | 10 +++++ .../cataloger/debian/parse_dpkg_db_test.go | 31 +++++++++++++++ .../var/lib/dpkg/status.d/deinstall | 38 +++++++++++++++++++ 3 files changed, 79 insertions(+) create mode 100644 syft/pkg/cataloger/debian/test-fixtures/var/lib/dpkg/status.d/deinstall diff --git a/syft/pkg/cataloger/debian/parse_dpkg_db.go b/syft/pkg/cataloger/debian/parse_dpkg_db.go index 2f020d3f8..27dc0978d 100644 --- a/syft/pkg/cataloger/debian/parse_dpkg_db.go +++ b/syft/pkg/cataloger/debian/parse_dpkg_db.go @@ -24,6 +24,10 @@ import ( "github.com/anchore/syft/syft/pkg/cataloger/generic" ) +const ( + deinstallStatus string = "deinstall" +) + var ( errEndOfPackages = fmt.Errorf("no more packages to read") sourceRegexp = regexp.MustCompile(`(?P\S+)( \((?P.*)\))?`) @@ -112,6 +116,7 @@ type dpkgExtractedMetadata struct { Provides string `mapstructure:"Provides"` Depends string `mapstructure:"Depends"` PreDepends string `mapstructure:"PreDepends"` // note: original doc is Pre-Depends + Status string `mapstructure:"Status"` } // parseDpkgStatusEntry returns an individual Dpkg entry, or returns errEndOfPackages if there are no more packages to parse from the reader. @@ -134,6 +139,11 @@ func parseDpkgStatusEntry(reader *bufio.Reader) (*pkg.DpkgDBEntry, error) { return nil, err } + // Skip entries which have been removed but not purged, e.g. "rc" status in dpkg -l + if strings.Contains(raw.Status, deinstallStatus) { + return nil, nil + } + sourceName, sourceVersion := extractSourceVersion(raw.Source) if sourceVersion != "" { raw.SourceVersion = sourceVersion diff --git a/syft/pkg/cataloger/debian/parse_dpkg_db_test.go b/syft/pkg/cataloger/debian/parse_dpkg_db_test.go index 50ab3485b..c0659a0e0 100644 
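Review bot: The new skip in parseDpkgStatusEntry (parse_dpkg_db.go) keys on the selection word rather than the package state: `strings.Contains(raw.Status, deinstallStatus)` also drops an entry whose Status is `deinstall ok installed`, a package marked for removal whose files are still unpacked, so it would vanish from the catalog and from any vulnerability matching built on it. The code comment's intent ("rc", removed but not purged) corresponds to the third Status field, so a narrower check would be `if f := strings.Fields(raw.Status); len(f) == 3 && (f[2] == "config-files" || f[2] == "not-installed") { return nil, nil }`. The test case and fixture added in this commit only exercise `deinstall ok config-files`; a `deinstall ok installed` entry would pin the intended behaviour either way. The doc comment above the function still names only an entry or errEndOfPackages as outcomes, so the new `nil, nil` return deserves a sentence there; the function body continues outside the hunk.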
--- a/syft/pkg/cataloger/debian/parse_dpkg_db_test.go +++ b/syft/pkg/cataloger/debian/parse_dpkg_db_test.go @@ -237,6 +237,37 @@ func Test_parseDpkgStatus(t *testing.T) { }, }, }, + { + name: "deinstall status packages are ignored", + fixturePath: "test-fixtures/var/lib/dpkg/status.d/deinstall", + expected: []pkg.DpkgDBEntry{ + { + Package: "linux-image-6.14.0-1012-aws", + Source: "linux-signed-aws-6.14", + Version: "6.14.0-1012.12~24.04.1", + Architecture: "amd64", + InstalledSize: 15221, + Maintainer: "Canonical Kernel Team ", + Description: `Signed kernel image aws + A kernel image for aws. This version of it is signed with + Canonical's signing key.`, + Provides: []string{"fuse-module", + "linux-image", + "spl-dkms", + "spl-modules", + "v4l2loopback-dkms", + "v4l2loopback-modules", + "zfs-dkms", + "zfs-modules"}, + Depends: []string{ + "kmod", + "linux-base (>= 4.5ubuntu1~16.04.1)", + "linux-modules-6.14.0-1012-aws", + }, + Files: []pkg.DpkgFileRecord{}, + }, + }, + }, } for _, test := range tests { diff --git a/syft/pkg/cataloger/debian/test-fixtures/var/lib/dpkg/status.d/deinstall b/syft/pkg/cataloger/debian/test-fixtures/var/lib/dpkg/status.d/deinstall new file mode 100644 index 000000000..f899e53d4 --- /dev/null +++ b/syft/pkg/cataloger/debian/test-fixtures/var/lib/dpkg/status.d/deinstall 
@@ -0,0 +1,38 @@
+Package: linux-image-6.14.0-1012-aws
+Status: install ok installed
+Priority: optional
+Section: kernel
+Installed-Size: 15221
+Maintainer: Canonical Kernel Team
+Architecture: amd64
+Source: linux-signed-aws-6.14
+Version: 6.14.0-1012.12~24.04.1
+Provides: fuse-module, linux-image, spl-dkms, spl-modules, v4l2loopback-dkms, v4l2loopback-modules, zfs-dkms, zfs-modules
+Depends: kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.14.0-1012-aws
+Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub | lilo, initramfs-tools | linux-initramfs-tool
+Suggests: bpftool, linux-perf, linux-aws-6.14-doc-6.14.0 | linux-aws-6.14-source-6.14.0, linux-aws-6.14-tools, linux-headers-6.14.0-1012-aws
+Conflicts: linux-image-unsigned-6.14.0-1012-aws
+Description: Signed kernel image aws
+ A kernel image for aws. This version of it is signed with
+ Canonical's signing key.
+Built-Using: linux-aws-6.14 (= 6.14.0-1012.12~24.04.1)
+
+Package: linux-image-6.8.0-1029-aws
+Status: deinstall ok config-files
+Priority: optional
+Section: kernel
+Installed-Size: 14591
+Maintainer: Canonical Kernel Team
+Architecture: amd64
+Source: linux-signed-aws
+Version: 6.8.0-1029.31
+Config-Version: 6.8.0-1029.31
+Provides: fuse-module, linux-image, spl-dkms, spl-modules, v4l2loopback-dkms, v4l2loopback-modules, zfs-dkms, zfs-modules
+Depends: kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.8.0-1029-aws
+Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub | lilo, initramfs-tools | linux-initramfs-tool
+Suggests: fdutils, linux-aws-doc-6.8.0 | linux-aws-source-6.8.0, linux-aws-tools, linux-headers-6.8.0-1029-aws
+Conflicts: linux-image-unsigned-6.8.0-1029-aws
+Description: Signed kernel image aws
+ A kernel image for aws. This version of it is signed with
+ Canonical's signing key.
+Built-Using: linux-aws (= 6.8.0-1029.31)