dpkg collector should attempt parsing /var/lib/dpkg/info/*.list files #865
Comments
This is an interesting enhancement since it would help a lot with #931. If we can link the package information back up to the correct package manager, then when we go to do the vulnerability scanning we won't mislabel said package as installed on its own vs. coming from a strict Linux distribution's source. We'll start investigating, @errordeveloper, so we can get more fidelity around these file relationships!
After investigating this one we're going to close this as not planned.
Example:
In this case we don't want to associate all of the shared directory paths as owned by the
In dpkg, multiple packages can own the same directories. This is not a paradigm we want to introduce, as it will cause too much noise when we try to examine
If there is more information we're missing, happy to discuss and reopen, but for now this is marked as not planned.
@spiffcs thanks for looking into this! What if syft could just provide an optional collector for these files and store results in some additional field that a downstream tool can take into consideration only when needed? See my example with that licence file; I couldn't work out where it comes from using syft's output at the time.
@errordeveloper could you expand a bit on what you are looking to accomplish? Is it just trying to determine which package "owns" a file?
@kzantow yes, in that particular case I wished I had some kind of a hint, instead I ended up hard-coding some lists of files. |
@errordeveloper the problem with the
Are you referring to directories, as @spiffcs pointed out, or files also?
No, I am afraid I don't. I don't believe any package managers do it perfectly well. I guess the only thing I can keep referring to is the
What would you like to be added:
Currently syft parses only .md5sums and .conffiles. There are also .list files which appear to track more files. Here is an example:
Why is this needed:
This would help for more accurate file<->package tracking.
It would also enable someone to use data from syft to build an equivalent of dpkg -S. Consider the following:
It's not possible to directly answer this question with data from syft right now.
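As an added example, not code from syft or from anyone in this thread, the Go sketch below shows what a collector for these files could do: it indexes constructed .list bodies (one absolute path per line, as dpkg writes them under /var/lib/dpkg/info), derives the package name from the file name including the multiarch form pkg:arch.list, and keeps directory entries apart from file entries so that a dpkg -S style lookup of a file such as a package's copyright returns one owner while shared directories like /usr/share/doc are reported separately, which addresses the noise concern raised above. The names Index, AddList, Search, DirOwners, parseList and buildSampleIndex and the sample lists are invented for this example. The directory classification is an assumption: .list files do not mark directories, so an entry is treated as a directory when another entry in the same list lies beneath it, and a real collector would stat the paths instead.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"sort"
	"strings"
)

// Index answers "which package owns this path?" from /var/lib/dpkg/info/*.list
// contents, keeping file and directory ownership apart so that directories
// shared by many packages (/usr, /usr/share/doc, ...) do not pollute lookups.
type Index struct {
	files map[string][]string // absolute file path -> owning packages
	dirs  map[string][]string // absolute directory path -> claiming packages
}

// parseList splits one .list body (one absolute path per line) into file and
// directory entries. dpkg does not flag directories, so a real collector would
// stat each path; this example treats an entry as a directory when another
// entry in the same list lies beneath it (assumption: an empty directory owned
// by the package would therefore be misclassified as a file).
func parseList(body string) (files, dirs []string) {
	var entries []string
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		if line := strings.TrimSpace(sc.Text()); line != "" {
			entries = append(entries, path.Clean(line)) // "/." becomes "/"
		}
	}
	// Every proper ancestor of an entry is a directory. The walk stops at an
	// ancestor already marked (its ancestors were marked with it) or at "/",
	// whose parent is itself.
	isDir := map[string]bool{}
	for _, e := range entries {
		for p := path.Dir(e); !isDir[p]; p = path.Dir(p) {
			isDir[p] = true
		}
	}
	for _, e := range entries {
		if isDir[e] {
			dirs = append(dirs, e)
		} else {
			files = append(files, e)
		}
	}
	return files, dirs
}

// AddList records one .list file's entries under the package its file name
// denotes, including the multiarch form "libc6:amd64.list"; it returns false
// for names that are not .list files (e.g. curl.md5sums or curl.conffiles).
func (ix *Index) AddList(name, body string) bool {
	base := path.Base(name)
	if base == ".list" || !strings.HasSuffix(base, ".list") {
		return false
	}
	pkg := strings.TrimSuffix(base, ".list") // "libc6:amd64.list" -> "libc6:amd64"
	files, dirs := parseList(body)
	for _, f := range files {
		ix.files[f] = append(ix.files[f], pkg)
	}
	for _, d := range dirs {
		ix.dirs[d] = append(ix.dirs[d], pkg)
		sort.Strings(ix.dirs[d]) // deterministic order for the many claimants
	}
	return true
}

// Search is the dpkg -S equivalent: packages whose .list names p as a file.
func (ix *Index) Search(p string) []string { return ix.files[path.Clean(p)] }

// DirOwners lists every package claiming directory p; shared directories get
// many hits, which is exactly why they are kept out of Search.
func (ix *Index) DirOwners(p string) []string { return ix.dirs[path.Clean(p)] }

// sampleLists is constructed input for this example, not copied from a real host.
var sampleLists = map[string]string{
	"curl.list": "/.\n/usr\n/usr/bin\n/usr/bin/curl\n/usr/share\n/usr/share/doc\n" +
		"/usr/share/doc/curl\n/usr/share/doc/curl/copyright\n",
	"libc6:amd64.list": "/.\n/lib\n/lib/x86_64-linux-gnu\n/lib/x86_64-linux-gnu/libc.so.6\n" +
		"/usr\n/usr/share\n/usr/share/doc\n/usr/share/doc/libc6\n/usr/share/doc/libc6/copyright\n",
}

func buildSampleIndex() *Index {
	ix := &Index{files: map[string][]string{}, dirs: map[string][]string{}}
	for name, body := range sampleLists {
		ix.AddList(name, body)
	}
	return ix
}

func main() {
	ix := buildSampleIndex()
	for _, p := range []string{"/usr/share/doc/curl/copyright", "/usr/share/doc"} {
		fmt.Printf("%s: file owners=%v, directory owners=%v\n", p, ix.Search(p), ix.DirOwners(p))
	}
}
```

On a real system the bodies would be read from /var/lib/dpkg/info/*.list and the directory decision made by stat rather than by the prefix heuristic; .md5sums and .conffiles carry different formats (hash plus relative path, and absolute conffile paths respectively) and are deliberately rejected by AddList rather than parsed here.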