Will Murphy
Hi @juan131! Thanks for your patience here. Running #3341 right now on bitnami/postgresql looks like this: ``` sh go run ./cmd/syft -q bitnami/postgresql | grep -e NAME -e postgres NAME...
Hi @juan131, That solution sounds reasonable to me - we already have a mechanism for de-duplicating binary packages in favor of OS packages when there's file overlap, and we should use...
Hi @mephinet thanks for the issue. We will keep this open to track the request that @wagoodman made [above](https://github.com/anchore/syft/issues/3063#issuecomment-2247941709)
We discussed this at a [recent livestream](https://anchorecommunity.discourse.group/t/september-18th-open-source-gardening-live-stream/561?u=willmurphy) and decided that this is a straightforward bug in the dpkg cataloger: Syft should skip `deinstalled` entries in `/var/lib/dpkg/status` and similar files.
Hi @kzantow and @aniketdn I think I've found minimal repro steps that use only public images and data:
```Dockerfile
FROM fedora:42
RUN yum install -y libbsd
```
obtaining SBOM:...
I've been thinking about this a bit and discussing it with some folks offline, and I don't think we can get one-word enum names to carry all the info....
> Maybe leave `complete` instead of `complete-direct-only`?

I disagree. It's not much more typing, and it makes the distinction that other types might mix direct and indirect dependencies more obvious....
@wagoodman and I talked offline, and we think these values will work:
* `unknown`
* `incomplete`
* `incomplete-with-indirect` (might be added later; we don't know of a cataloger that needs...
Discussed with @kzantow offline - there are still a few things that might be changed before the merge relating to multiple outputs. I'm moving this back to "in progress" and...
Hi @metametadata, thanks for the steps to reproduce! I see this is still happening, so I'll add this to our backlog.