8000 Dpkg are not detected when scanning a directory · Issue #3726 · anchore/syft · GitHub
Dpkg are not detected when scanning a directory #3726
Closed
@ilyabrykau-orca

Description

@ilyabrykau-orca

java_syft.json
diff_python.txt
diff_java.txt
n8n-diff.txt
node_syft.json
python_syft.json

What happened:
Syft is missing some dpkg files when scanning a directory, though these same files are found when scanning a .tar file or container directly. The issue stems from incorrect glob pattern generation in the directory resolver.

The code at https://github.com/anchore/syft/blob/v1.19.0/syft/pkg/cataloger/debian/parse_dpkg_db.go#L65 attempts to find dpkg info files using the pattern: path.Join(searchPath, name + ".*"), but the directory resolver is incorrectly generating /var/lib/dpkg/info/<pkg name>./* instead of /var/lib/dpkg/info/<pkg name>.*

What you expected to happen:

  • The glob pattern should be /var/lib/dpkg/info/<pkg name>.*
  • All dpkg info files should be found regardless of scanning method (directory, tar, or container)
  • The same files should be discovered whether scanning a directory or archive

Steps to reproduce the issue:

  1. Create test files in a directory structure
  2. Run the following test:
```go
// Package clause and imports added so the test compiles as posted; it belongs
// next to the directory resolver (syft/internal/fileresolver in v1.19.0).
package fileresolver

import (
	"testing"

	"github.com/stretchr/testify/assert"
)

func TestFileResolver_FilesByGlob2(t *testing.T) {
	resolver, err := NewFromDirectory("./test-fixtures/", "")
	assert.NoError(t, err)

	// Direct path works
	refs, err := resolver.FilesByPath("req-resp/path/to/the/file.txt")
	assert.NoError(t, err)
	assert.Len(t, refs, 1)

	// Glob fails: the resolver rewrites "file.*" into "file./*"
	refs, err = resolver.FilesByGlob("req-resp/path/to/the/file.*")
	assert.NoError(t, err)
	assert.Len(t, refs, 1) // Test fails here
}
```

Syft config:
```yaml
# syft-config.yaml
# syft --config syft-config-botanica.yaml n8nio/n8n:1.67.1 > 2.json

log:
  level: "info"

# Define the source scanning settings
source:
  type: "image"

# SBOM creation settings
sbom:
  format: "syft-json"  # Other options: spdx-json, cyclonedx-json, etc.
  options:
    generate-cpes: false  # Matches DataGenerationConfig{GenerateCPEs: false}
    include-files: false  # Matches Files: filecataloging.Config{Enabled: false}

# Package Cataloging configuration
package:
  catalogers:
    enabled:
      - "javascript"
      - "python"
      - "java"
      - "debian"
      - "redhat"
      - "alpine"
    disabled:
      - "graalvm-native-image-cataloger"

# Default Syft SBOM config values from Go function
config:
  compliance: default  # Matches cataloging.DefaultComplianceConfig()
  search: default  # Matches cataloging.DefaultSearchConfig()
  relationships: default  # Matches cataloging.DefaultRelationshipsConfig()
  data_generation:
    generate_cpes: false  # Matches cataloging.DataGenerationConfig{GenerateCPEs: false}
  packages:
    defaults: "image-tag"
    enabled:
      - "javascript"
      - "python"
      - "java"
      - "debian"
      - "redhat"
      - "alpine"
    disabled:
      - "graalvm-native-image-cataloger"
  files:
    enabled: false  # Matches filecataloging.Config{Enabled: false}
  parallelism: 1  # Matches Parallelism: 1
  tool:
    name: "syft"
    version: "auto"  # Matches syftVersion()

output: "syft-json"
```
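The glob mismatch the report describes, reproduced against a real directory as an added example (not code from syft or from the reporter): a constructed `/var/lib/dpkg/info` fixture is created in a temp dir, then the pattern syft builds with `path.Join(searchPath, name+".*")` is resolved next to the malformed `<pkg>./*` form, showing that the latter silently matches nothing, which is exactly how packages drop out of a directory scan without any error. The package name `libc6` and the `.list`/`.md5sums`/`.conffiles` companion files are constructed sample data.

```go
package main

import (
	"fmt"
	"os"
	"path"
	"path/filepath"
)

// matchBaseNames resolves a glob against the real filesystem, the way a
// correct directory resolver should, and returns the matched base names.
func matchBaseNames(pattern string) ([]string, error) {
	matches, err := filepath.Glob(pattern) // nil on error, lexically sorted otherwise
	names := make([]string, 0, len(matches))
	for _, m := range matches {
		names = append(names, filepath.Base(m))
	}
	return names, err
}

// compareGlobs writes a constructed dpkg info directory for pkg, then resolves
// the pattern syft builds (path.Join(searchPath, name+".*")) next to the
// malformed "<pkg>./*" form the issue reports, returning what each one finds.
func compareGlobs(pkg string) (correct, malformed []string, err error) {
	root, err := os.MkdirTemp("", "dpkg-glob-check")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(root)
	info := filepath.Join(root, "var", "lib", "dpkg", "info")
	if err = os.MkdirAll(info, 0o755); err != nil {
		return nil, nil, err
	}
	// Companion files a dpkg package typically leaves behind (constructed content).
	for _, suffix := range []string{".list", ".md5sums", ".conffiles"} {
		if err = os.WriteFile(filepath.Join(info, pkg+suffix), []byte("constructed\n"), 0o644); err != nil {
			return nil, nil, err
		}
	}
	if correct, err = matchBaseNames(path.Join(info, pkg+".*")); err != nil {
		return nil, nil, err
	}
	malformed, err = matchBaseNames(path.Join(info, pkg+"./*")) // what the buggy resolver asked for
	return correct, malformed, err
}

func main() {
	correct, malformed, err := compareGlobs("libc6")
	fmt.Println(correct, malformed, err) // [libc6.conffiles libc6.list libc6.md5sums] [] <nil>
}
```

A resolver test in the same spirit (compare directory-scan results for a fixture against the file list the tar or image scan of the same tree produces) is the regression check that would have caught this before an SBOM shipped without its OS packages.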

Labels: bug (Something isn't working), ecosystem:os (relating to an OS packaging ecosystem)
Status: Done