missing provided files for dpkg packages #3486

Open
ArmanPasha opened this issue Nov 28, 2024 · 0 comments
Labels
bug Something isn't working

What happened:
Syft missed a file provided by the libcurl4 package in a Debian-based image. Below is the list of files provided by the libcurl4 package:

```
> cat /var/lib/dpkg/info/libcurl4\:amd64.list
/.
/usr
/usr/lib
/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0
/usr/share
/usr/share/doc
/usr/share/doc/libcurl4
/usr/share/doc/libcurl4/changelog.Debian.gz
/usr/share/doc/libcurl4/changelog.gz
/usr/share/doc/libcurl4/copyright
/usr/lib/x86_64-linux-gnu/libcurl.so.4
```

Below is the Syft output showing the files provided by libcurl4:

```json
"files": [
    {
        "path": "/usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0",
        "digest": {
            "algorithm": "md5",
            "value": "f77ab96de521fd73904cd6fd5d8e7d93"
        },
        "isConfigFile": false
    },
    {
        "path": "/usr/share/doc/libcurl4/changelog.Debian.gz",
        "digest": {
            "algorithm": "md5",
            "value": "9cc1117e3db648eca660c608b7d08cc3"
        },
        "isConfigFile": false
    },
    {
        "path": "/usr/share/doc/libcurl4/changelog.gz",
        "digest": {
            "algorithm": "md5",
            "value": "0a7d15f1f7beb98774b69a1e88bc2119"
        },
        "isConfigFile": false
    },
    {
        "path": "/usr/share/doc/libcurl4/copyright",
        "digest": {
            "algorithm": "md5",
            "value": "f9f6598312858fead4eed4d151197550"
        },
        "isConfigFile": false
    }
]
```

The issue is that the /usr/lib/x86_64-linux-gnu/libcurl.so.4 file is missing from the Syft output. I haven't looked at the code, but I guess the issue is in the logic that combines file paths to remove incomplete paths like /usr, /usr/lib, /usr/lib/x86_64-linux-gnu. The logic somehow treats /usr/lib/x86_64-linux-gnu/libcurl.so.4 as a prefix of /usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0, hence removing the former from the provided files.

What you expected to happen:
Include /usr/lib/x86_64-linux-gnu/libcurl.so.4 in the provided files output.

Steps to reproduce the issue:
Use this Dockerfile:

```dockerfile
FROM debian:stable-slim

RUN apt update
RUN apt install -y libcurl4

CMD ["cat", "/var/lib/dpkg/info/libcurl4:amd64.list"]
```

Anything else we need to know?:

Environment:

  • Output of syft version: 1.17.0
  • OS (e.g: cat /etc/os-release or similar): container image is Debian GNU/Linux 12 (bookworm), host (where Syft runs) is Ubuntu 22.04.3 LTS
@ArmanPasha ArmanPasha added the bug Something isn't working label Nov 28, 2024
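
The failure mode guessed at in the report, as an added example: this is not Syft's code and not a confirmed diagnosis, only a sketch of how pruning directory entries by raw string prefix would drop `libcurl.so.4`, next to a check that matches on path-component boundaries. The function names `rawPrefix`, `dirPrefix` and `pruneAncestors` are hypothetical; the path list is the one quoted in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// dpkgList is the libcurl4:amd64.list content quoted in the issue.
var dpkgList = []string{
	"/.", "/usr", "/usr/lib", "/usr/lib/x86_64-linux-gnu",
	"/usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0",
	"/usr/share", "/usr/share/doc", "/usr/share/doc/libcurl4",
	"/usr/share/doc/libcurl4/changelog.Debian.gz",
	"/usr/share/doc/libcurl4/changelog.gz",
	"/usr/share/doc/libcurl4/copyright",
	"/usr/lib/x86_64-linux-gnu/libcurl.so.4",
}

// rawPrefix treats any proper string prefix as an ancestor (the guessed bug).
func rawPrefix(parent, child string) bool {
	return parent != child && strings.HasPrefix(child, parent)
}

// dirPrefix only matches when the prefix ends on a path-component boundary.
func dirPrefix(parent, child string) bool {
	return strings.HasPrefix(child, strings.TrimSuffix(parent, "/")+"/")
}

// pruneAncestors keeps the entries that isAncestor reports as parent of no other entry.
func pruneAncestors(paths []string, isAncestor func(parent, child string) bool) []string {
	var leaves []string
	for _, p := range paths {
		if p == "/." { // dpkg's root directory entry, never a package file
			continue
		}
		covered := false
		for _, q := range paths {
			covered = covered || isAncestor(p, q)
		}
		if !covered {
			leaves = append(leaves, p)
		}
	}
	return leaves
}

func main() {
	fmt.Println("string prefix:   ", pruneAncestors(dpkgList, rawPrefix))
	fmt.Println("component prefix:", pruneAncestors(dpkgList, dirPrefix))
}
```

With the string-prefix check the result is the same four paths as in the Syft output above; with the component-aware check `libcurl.so.4` is kept as a fifth entry.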