fix(debian): move `*.list` dpkg analyzer to separate analyzer
Description
dpkg stores the list of all installed packages in the `var/lib/dpkg/status` file, but the files installed by each package are stored in `var/lib/dpkg/info/<pkg_name>.list` files.
Therefore, when we work with packages from different layers, we can overwrite their system files.
e.g.:

```dockerfile
FROM ubuntu
RUN apt-get update && apt-get install -y curl
```
— line 1: we parse the default installed packages with their system files.
— line 2: installs a new package. `var/lib/dpkg/status` is updated in this layer (curl is added), so we find all packages of the first layer plus curl. But the second layer only includes the `var/lib/dpkg/info/curl.list` file, so the system files of the first-layer packages are overwritten with an empty value and we do not include them in the report.
This PR moves the analysis of `*.list` files (saving the system files for each package) to a separate analyzer.
The system files are merged with the packages when the layers are applied.
before:

```console
➜ trivy -q image -f json --list-all-pkgs nginx | jq '.Results[].Packages[] | select(.ID=="[email protected]") | .InstalledFiles'
null
```

after:

```console
➜ trivy git:(fix-dpkg/separate-analyzer-for-lists) ./trivy -q image -f json --list-all-pkgs nginx | jq '.Results[].Packages[] | select(.ID=="[email protected]") | .InstalledFiles'
[
  "/etc/adduser.conf",
  "/etc/deluser.conf",
  "/usr/sbin/addgroup",
  "/usr/sbin/adduser",
  "/usr/sbin/delgroup",
  "/usr/sbin/deluser",
  "/usr/share/doc/adduser/NEWS.Debian.gz",
  ...
  "/var/cache/adduser"
]
```
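The two-layer scenario above, as an added stand-alone Go example (it is not Trivy's code and does not use Trivy's analyzer API): `mergeBefore` models the old behaviour, where each layer's analyzer attaches only the `.list` files found in that same layer, and `mergeAfter` models the fix, where `.list` files are collected separately across all layers and merged with the packages afterwards. The status stanzas, `.list` contents, package names and versions are constructed sample data; packages are keyed by name only, which is an assumption made to keep the example short.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Package is the subset of a report entry this example cares about.
type Package struct {
	Name           string
	Version        string
	InstalledFiles []string
}

// Layer is a constructed in-memory stand-in for one image layer's
// var/lib/dpkg tree. Status is "" when the layer did not touch
// var/lib/dpkg/status; Lists maps <pkg_name> to the contents of
// var/lib/dpkg/info/<pkg_name>.list present in that layer.
type Layer struct {
	Status string
	Lists  map[string]string
}

// parseStatus reads the blank-line-separated stanzas of var/lib/dpkg/status
// and returns the packages in stanza order, without files attached.
func parseStatus(status string) []Package {
	var pkgs []Package
	var cur Package
	flush := func() {
		if cur.Name != "" {
			pkgs = append(pkgs, cur)
		}
		cur = Package{}
	}
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case line == "":
			flush()
		case strings.HasPrefix(line, "Package: "):
			cur.Name = strings.TrimPrefix(line, "Package: ")
		case strings.HasPrefix(line, "Version: "):
			cur.Version = strings.TrimPrefix(line, "Version: ")
		}
	}
	flush()
	return pkgs
}

// parseList reads an info/<pkg>.list file (one path per line) and drops
// the "/." root entry dpkg writes first, which is noise in a report.
func parseList(list string) []string {
	var files []string
	for _, line := range strings.Split(list, "\n") {
		if line = strings.TrimSpace(line); line != "" && line != "/." {
			files = append(files, line)
		}
	}
	sort.Strings(files)
	return files
}

// mergeBefore: every layer carrying a status file yields the whole package
// list, and each package only gets the .list files found in that same layer.
// The last layer with a status file wins, so packages installed in an
// earlier layer come out with no files.
func mergeBefore(layers []Layer) []Package {
	var result []Package
	for _, l := range layers {
		if l.Status == "" {
			continue
		}
		pkgs := parseStatus(l.Status)
		for i := range pkgs {
			if list, ok := l.Lists[pkgs[i].Name]; ok {
				pkgs[i].InstalledFiles = parseList(list)
			}
		}
		result = pkgs
	}
	return result
}

// mergeAfter: packages still come from the newest status file, but .list
// files are gathered by a separate pass over every layer (later layers
// override earlier ones per package) and attached once all layers are
// applied, so a layer that only adds curl.list cannot blank out adduser.
func mergeAfter(layers []Layer) []Package {
	var pkgs []Package
	files := map[string][]string{}
	for _, l := range layers {
		if l.Status != "" {
			pkgs = parseStatus(l.Status)
		}
		for name, list := range l.Lists {
			files[name] = parseList(list)
		}
	}
	for i := range pkgs {
		pkgs[i].InstalledFiles = files[pkgs[i].Name]
	}
	return pkgs
}

// installedFiles returns the files recorded for one package, or nil when
// the package is absent or has none (the "null" seen in the before output).
func installedFiles(pkgs []Package, name string) []string {
	for _, p := range pkgs {
		if p.Name == name {
			return p.InstalledFiles
		}
	}
	return nil
}

// sampleLayers is constructed data for the two-layer image above: the base
// layer ships adduser with its .list, and the "apt-get install curl" layer
// rewrites status but adds only curl.list.
var sampleLayers = []Layer{
	{
		Status: "Package: adduser\nStatus: install ok installed\nVersion: 3.118\n\n",
		Lists:  map[string]string{"adduser": "/.\n/etc\n/etc/adduser.conf\n/usr/sbin/adduser\n"},
	},
	{
		Status: "Package: adduser\nStatus: install ok installed\nVersion: 3.118\n\n" +
			"Package: curl\nStatus: install ok installed\nVersion: 7.81.0\n\n",
		Lists: map[string]string{"curl": "/.\n/usr/bin/curl\n"},
	},
}

func main() {
	fmt.Println("before:", installedFiles(mergeBefore(sampleLayers), "adduser"))
	fmt.Println("after: ", installedFiles(mergeAfter(sampleLayers), "adduser"))
}
```

Running it prints an empty list for `adduser` from `mergeBefore` and its three files from `mergeAfter`; `curl` keeps its single file either way, which is the asymmetry that made the bug easy to miss on a package installed in the top layer.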
Related issues
- Close #5857
Checklist
- [x] I've read the guidelines for contributing to this repository.
- [x] I've followed the conventions in the PR title.
- [x] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the documentation with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)
- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).