Closed cdupuis closed 2 years ago
Hi @cdupuis — I see what you're saying. I think this would be accomplished by the feature request #435.
I believe Syft is behaving as intended here, but I think there's room to improve the experience for SBOM consumers.
Today, Syft has the notion of "scope", which governs how it interprets a set of image layers. This is described briefly here.
Syft has a flag --scope <value>, where the two possible values are squashed and all-layers. The default value is squashed. Here are the behaviors for these values:
squashed — the image layers are squashed, such that Syft's internal catalogers see only a single, flattened filesystem, similar to what would appear to processes running in a container. With this filesystem merge operation, the instance of a file that's found in the latest layer is the one that "wins" in the merge result. So in this case for busybox, which is found in /lib/apk/db/installed, that layer would be sha256:00b9e9075c3a2a8e3dbfe1f4392d1ef11bf4613a2185cc018c632b5ad9196be3.
all-layers — all layers are scanned as independent file systems. If a package is discovered in multiple layers, it is reported multiple times.
When I run this:
syft node@sha256:6cf4fe67db0c1e052ab251daab39e43a381a74c3738fe8207e613e416d9c30f8 -o json --scope all-layers
I see Syft report busybox at layer sha256:8e322dc9c333c75d017a725c01e1083f2465cde131123522c7e69dde0fdf9912, in addition to reporting the same package for the subsequent layers.
Do you agree that this would be resolved by #435? Curious for your thoughts. 😃
Thanks for your response @luhring (as always). Really appreciate it.
I see what you are saying. That makes sense. Although I still wonder why, even with the all-layers scope a package shows up in layers that actually don't really contain it. In this case, only the first layer has the busybox executables. The simple fact that a package is listed in the lib/apk/db/installed doesn't indicate that the layer puts that package into the image, right?
I wonder if internal catalogers that detect packages based on lib/apk/db/installed or var/lib/dpkg/status should look at the file diff between two layers to determine if a package is contained in a layer? Has that been considered?
Although I still wonder why, even with the all-layers scope a package shows up in layers that actually don't really contain it. In this case, only the first layer has the busybox executables. The simple fact that a package is listed in the lib/apk/db/installed doesn't indicate that the layer puts that package into the image, right?
I think this is tricky. What's the best way to determine if a given package is installed?
In my experience, different people have different answers. But if there's an approach that seems better all-around, and it can be implemented correctly in Syft, we're definitely open to considering it.
Yeah, this is indeed tricky. I was wondering if you could compare the contents of the lib/apk/db/installed or var/lib/dpkg/status between two layers to determine if something actually got installed or updated when moving from one layer to the next?
In this particular case it would have correctly reported out the fact that busybox amongst other packages was installed in the first layer and subsequently other packages were added but busybox was never touched again.
to determine if something actually got installed or updated
How would we determine this part? I follow that we'd look at a diff between two layers, but it's not yet clicking for me what we'd actually be looking at within that diff, and how we could determine positively that what we see in the diff means a package was installed. 🤔
Let me see if I can come up with an example to explain what I mean.
Let's use the following Dockerfile to build an image:
FROM alpine:3.8
RUN apk add --update openssl && \
rm -rf /var/cache/apk/*
RUN apk add --update git && \
rm -rf /var/cache/apk/*
And now extracting lib/apk/db/installed from layer 1 and 2 and running a diff on both files, gives the following result:
542a543,677
> C:Q1msk1gr7VqUXzKzaJFftp7BkZN40=
> P:libcrypto1.0
> V:1.0.2u-r0
> A:x86_64
> S:1081261
> I:2527232
> T:Crypto library from openssl
> U:https://openssl.org
> L:openssl
> o:openssl
> m:Timo Teras <timo.teras@iki.fi>
> t:1577097004
> c:33832d93c0d87e0c90f543ea973e7d12ea27a3ee
> D:so:libc.musl-x86_64.so.1 so:libz.so.1
> p:so:libcrypto.so.1.0.0=1.0.0
> F:lib
> R:libcrypto.so.1.0.0
> a:0:0:555
> Z:Q1ODLwNd+vPlxqXtyqOPosQSp6S0o=
> F:usr
> F:usr/lib
> R:libcrypto.so.1.0.0
> a:0:0:777
> Z:Q1jLDKGBtunzKi5FKmK/QTAqfh6uI=
> F:usr/lib/engines
> R:libubsec.so
> a:0:0:555
> Z:Q1iiivUsMTTJMWQpEj8HY3IZZEf70=
> R:libatalla.so
> a:0:0:555
> Z:Q1eqkecvfWqutP5LPkvnrTBXFv13w=
> R:libcapi.so
> a:0:0:555
> Z:Q1u2M2IQyJrxdidQcT0dUnLchcROo=
> R:libgost.so
> a:0:0:555
> Z:Q1npvb9lOH9SspSTJGQNuk4+HySig=
> R:libcswift.so
> a:0:0:555
> Z:Q1wY3zhv7ZZoUh0FJQUkS6HZb5kF8=
> R:libchil.so
> a:0:0:555
> Z:Q1APntUyjcYghRksq6wFod7oipZbc=
> R:libgmp.so
> a:0:0:555
> Z:Q1sZjid4xbEJ7KHcrm9yn2Mcc97ws=
> R:libnuron.so
> a:0:0:555
> Z:Q1fCmj18y8yXwY7CPYySZMygigA2I=
> R:lib4758cca.so
> a:0:0:555
> Z:Q1X71JsOn/y8S9YLn+r/a+q1wQRyE=
> R:libsureware.so
> a:0:0:555
> Z:Q1dq4UpiuK68Py/IfGLlFjahexBwM=
> R:libpadlock.so
> a:0:0:555
> Z:Q1o5NkgSdiwazx0O/BFsMqyF2b3J8=
> R:libaep.so
> a:0:0:555
> Z:Q1Jk1Jm6rQz7/7iZS3wKfrSOhvM6Q=
>
> C:Q1j6f5OinvEk2hXX4ixBZAaSUyCFI=
> P:libssl1.0
> V:1.0.2u-r0
> A:x86_64
> S:178745
> I:446464
> T:SSL shared libraries
> U:https://openssl.org
> L:openssl
> o:openssl
> m:Timo Teras <timo.teras@iki.fi>
> t:1577097004
> c:33832d93c0d87e0c90f543ea973e7d12ea27a3ee
> D:so:libc.musl-x86_64.so.1 so:libcrypto.so.1.0.0
> p:so:libssl.so.1.0.0=1.0.0
> F:lib
> R:libssl.so.1.0.0
> a:0:0:555
> Z:Q16DcHo5QMCgiUp0m3PMz1vNcNloc=
> F:usr
> F:usr/lib
> R:libssl.so.1.0.0
> a:0:0:777
> Z:Q1ke5dnHGVWcEyRpOe0/lKEqizHHQ=
>
> C:Q1lqpDb+AGEDJhTe424m3ypSjTetE=
> P:openssl
> V:1.0.2u-r0
> A:x86_64
> S:225381
> I:606208
> T:Toolkit for SSL v2/v3 and TLS v1
> U:https://openssl.org
> L:openssl
> o:openssl
> m:Timo Teras <timo.teras@iki.fi>
> t:1577097004
> c:33832d93c0d87e0c90f543ea973e7d12ea27a3ee
> D:so:libc.musl-x86_64.so.1 so:libcrypto.so.1.0.0 so:libssl.so.1.0.0
> p:cmd:openssl
> F:etc
> F:etc/ssl
> F:etc/ssl/misc
> R:CA.sh
> a:0:0:755
> Z:Q1VUnDWEc6DtI6M1Ngvvwp0bA0kuo=
> R:CA.pl
> a:0:0:755
> Z:Q1Te7DTzGXy7s1g4UxBpjWkQlttlY=
> R:c_issuer
> a:0:0:755
> Z:Q1DMeRt9xZV79DtM/LXmid6o2Dsa4=
> R:c_name
> a:0:0:755
> Z:Q1dq38GG/1BidPqAZgB52sqOUrsLw=
> R:c_hash
> a:0:0:755
> Z:Q13rsdWLk2vlPk3gD8ylFFOWSi58s=
> R:tsget
> a:0:0:755
> Z:Q1nmxuEYwvukO24lcnedWx5HlDxzU=
> R:c_info
> a:0:0:755
> Z:Q1GmZ/x6gIUw9ccftpFx7CRD/ykSU=
> F:etc/ssl/certs
> F:etc/ssl/private
> F:usr
> F:usr/bin
> R:openssl
> a:0:0:755
> Z:Q1yMYRzAPYCIFie0jFMltqNl/5R1w=
> F:usr/lib
>
This diff would indicate that openssl, libssl1.0 and libcrypto1.0 were added in layer 2.
Now doing the same with layers 2 and 3 shows a similar result and indicates that git and its dependencies got installed:
677a678,1728
> C:Q1PThpYjYSaExuaI3FKwWmG/jupq0=
> P:ca-certificates
> V:20191127-r2
> A:x86_64
> S:174932
> I:733184
> T:Common CA certificates PEM files from Mozilla
> U:https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/
> L:MPL-2.0 GPL-2.0-or-later
> o:ca-certificates
> m:Natanael Copa <ncopa@alpinelinux.org>
> t:1591195980
> c:f91a48ba3659cc21c3b5467576f4b35da642164b
> D:/bin/sh so:libc.musl-x86_64.so.1 so:libcrypto.so.43
> p:cmd:c_rehash cmd:update-ca-certificates
> r:libcrypto1.0 openssl
> F:etc
> R:ca-certificates.conf
> Z:Q1bWg/EVw1q6GtWhym7eF5k72sZF4=
> F:etc/ca-certificates
> F:etc/ca-certificates/update.d
> R:certhash
> a:0:0:755
> Z:Q1pxPSWX01pfOF6GEDK4MWWAXF/GI=
> F:etc/apk
> F:etc/apk/protected_paths.d
> R:ca-certificates.list
> Z:Q15Z0Sr1o7f7TchDHWcWYgW7zi8JU=
> F:etc/ssl
> F:etc/ssl/certs
> F:usr
> F:usr/sbin
> R:update-ca-certificates
> a:0:0:755
> Z:Q189BstbJPKJTamk1e2ZLKZQUUFO0=
> F:usr/bin
> R:c_rehash
> a:0:0:755
> Z:Q1680+HtWIcQStByj6WQxLMF6+PSc=
> F:usr/local
> F:usr/local/share
> F:usr/local/share/ca-certificates
> F:usr/share
> F:usr/share/ca-certificates
> F:usr/share/ca-certificates/mozilla
> R:Certigna_Root_CA.crt
> Z:Q1VdBji67nphRLjjwCjCTuEScgLDw=
> R:Taiwan_GRCA.crt
> Z:Q1JY+r3c8G1ZOygwPrFezjs52t318=
> R:LuxTrust_Global_Root_2.crt
> Z:Q1VGlaQPYfCtkuauec9h6UYgmSvJE=
> R:OISTE_WISeKey_Global_Root_GC_CA.crt
> Z:Q1s9z9hD3/Vmr07wpIPmV5/7USzDc=
> R:Starfield_Class_2_CA.crt
> Z:Q1x4mQIjkIDcfi6C+oVqX2yiDsyX4=
> R:Izenpe.com.crt
> Z:Q1GeaIXHKBc2WVUUgM5R3dJoDGgFs=
> R:GTS_Root_R3.crt
> Z:Q1cw4ZH/NhO2AAGClZwxr2pLGRgVE=
> R:SecureTrust_CA.crt
> Z:Q1YnaZhQ0ZyJ9uDLdJTXfLDGwrgc4=
> R:Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
> Z:Q1bi0FmdlvvYon38mjVfT446CbNd4=
> R:Go_Daddy_Root_Certificate_Authority_-_G2.crt
> Z:Q1dg+7Ns+1WmfHHKw9zw02jqn5juc=
> R:QuoVadis_Root_CA_2_G3.crt
> Z:Q1Xz/eGc+P/GA4VXW5iXVkS3t/8DE=
> R:Security_Communication_Root_CA.crt
> Z:Q1hHXaxl+s+AkgSwN4hsJyFzYPhyo=
> R:Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
> Z:Q152hIZP/jRh+jHTYn0f5bhMMk3xk=
> R:CA_Disig_Root_R2.crt
> Z:Q1caI4aKvuMtU9JXPcc7guC3fXb7g=
> R:Amazon_Root_CA_1.crt
> Z:Q18NLSUe9e6EuOBdgBIFahSV/PNLM=
> R:Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
> Z:Q11k0g4DoAXieyeb4onAM2NE4G3tI=
> R:Amazon_Root_CA_3.crt
> Z:Q1LnFTqB+5ig+7UIs7k4KeTp7aXSM=
> R:ISRG_Root_X1.crt
> Z:Q1Telif+ms5KzOJ+qhoIN809tVcEs=
> R:Comodo_AAA_Services_root.crt
> Z:Q1sKnpNU0d6bSImINWsCsa//WGMG0=
> R:CFCA_EV_ROOT.crt
> Z:Q1loKCArxcjbb09WtNgaJVPBCM4jo=
> R:DigiCert_Trusted_Root_G4.crt
> Z:Q14Y5YxyFxxjGFPyHd7u8PPt3/ETw=
> R:OISTE_WISeKey_Global_Root_GA_CA.crt
> Z:Q1CTFJalKdfCdTeDrjliAiZ8pIvwk=
> R:SZAFIR_ROOT_CA2.crt
> Z:Q1A9PJoBIp7M4pCCh7xT9fiyz6NuI=
> R:AddTrust_Low-Value_Services_Root.crt
> Z:Q1hmp2vWN5BgEOa2BG7c1F8HIXiXg=
> R:T-TeleSec_GlobalRoot_Class_2.crt
> Z:Q1fxseQorG0szm6j7hBs3dbVaG7u4=
> R:SSL.com_Root_Certification_Authority_RSA.crt
> Z:Q1e/+WIUpPklH+avUkzl6bKkIWFE4=
> R:GlobalSign_Root_CA_-_R3.crt
> Z:Q1GwlPBX3l+kTXlYJo2T7V9NbF29w=
> R:Global_Chambersign_Root_-_2008.crt
> Z:Q1zib8NgSVQ+4UfPeo7orQQ/CzOKI=
> R:AffirmTrust_Commercial.crt
> Z:Q1MWKWEe/aNVzcYng71h6RqguiCqY=
> R:Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.crt
> Z:Q10Hp0kVBVQBfAm9wBo871UKX6QjA=
> R:SwissSign_Gold_CA_-_G2.crt
> Z:Q1W7RaFtsQpJCJYOUSdokxP/9EIgg=
> R:GlobalSign_Root_CA.crt
> Z:Q16IMApFoHJhWCQ6TvfyCVvjE+WU0=
> R:AC_RAIZ_FNMT-RCM.crt
> Z:Q1zrQ8jr6mXkYXKfBxrS9O9iqDG6E=
> R:DigiCert_Assured_ID_Root_G3.crt
> Z:Q1B2g6wk4HH2F5S47x13+pCWuNapA=
> R:Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.crt
> Z:Q1kCPnRN0wRwpolLsDOgD8gAENeuQ=
> R:Atos_TrustedRoot_2011.crt
> Z:Q1PnvxSafNMice8YMooix2a9sZLHY=
> R:GeoTrust_Primary_Certification_Authority.crt
> Z:Q1vYDbTdnayFLLcmp5ZypayM0Vipo=
> R:certSIGN_ROOT_CA.crt
> Z:Q1NyaLsxBz4ftdfjIhwgPScDOIbnI=
> R:GDCA_TrustAUTH_R5_ROOT.crt
> Z:Q1J27wGT+f8qXuQ3rKpAacjUxBhR4=
> R:thawte_Primary_Root_CA.crt
> Z:Q1UNB2LvgVRjHW+5z9fzOP5I8nqpA=
> R:Hongkong_Post_Root_CA_1.crt
> Z:Q1kD9hfEiU7vcIF6vuRufvKyna8t4=
> R:Cybertrust_Global_Root.crt
> Z:Q1F/LhdIx7Hf4Q5ctq+UYn10e7OZQ=
> R:Starfield_Services_Root_Certificate_Authority_-_G2.crt
> Z:Q1KQkbdqCOUgSGV551isbEoJ6g/g4=
> R:QuoVadis_Root_CA_2.crt
> Z:Q1HI16QKVk+1nqGAgCBC2Lgqiu2jg=
> R:GeoTrust_Global_CA.crt
> Z:Q1A+C3nAWpKpU+F/oiPnmVlCR4AWg=
> R:Hongkong_Post_Root_CA_3.crt
> Z:Q11ceM459tfKe1iQF+u1em2iH6j8o=
> R:SecureSign_RootCA11.crt
> Z:Q1KBJxBxytqPGGdGdkQoEgY+p3NgE=
> R:Go_Daddy_Class_2_CA.crt
> Z:Q1mPHMPZ8Jc2ketK6aHq+sf9YwHfs=
> R:IdenTrust_Commercial_Root_CA_1.crt
> Z:Q1T6cBv1VrjS+3j6j0dkOiElI/Gnc=
> R:TWCA_Root_Certification_Authority.crt
> Z:Q1YMM+hVeJEGv3WjyXaW/dLViJBGc=
> R:Staat_der_Nederlanden_EV_Root_CA.crt
> Z:Q1JmwEU697kLbFSLPcQR0wkB+JN+0=
> R:OISTE_WISeKey_Global_Root_GB_CA.crt
> Z:Q1/OLA3AWcGtOsk9QWtrquu16Xt18=
> R:DigiCert_Assured_ID_Root_G2.crt
> Z:Q1lmLQRiWxg2Vf2wME9kSGWiiir3w=
> R:Starfield_Root_Certificate_Authority_-_G2.crt
> Z:Q1ZZS+OnDfqpy7m0htvG4CcWR/tho=
> R:SSL.com_EV_Root_Certification_Authority_ECC.crt
> Z:Q1w9AVqjkkw0B32+f1eNbOOJuRnXE=
> R:EE_Certification_Centre_Root_CA.crt
> Z:Q1uRHLGr4AOPeZul0eCu9npI1RjG8=
> R:Buypass_Class_2_Root_CA.crt
> Z:Q1Cj5B506aQTcDZSXwwv1tjt/cfDk=
> R:emSign_Root_CA_-_G1.crt
> Z:Q1b4bdtYXS9RawKPohlY8Jq+RjuMw=
> R:Certum_Root_CA.crt
> Z:Q1n5ENSiPh/TnI0lplSAGAxYPPSP8=
> R:TeliaSonera_Root_CA_v1.crt
> Z:Q1oiGaf9Cne+dCKgIEm40ngFwCULo=
> R:AffirmTrust_Networking.crt
> Z:Q1h6mFdWOWfVnMvlHkqPwrov2h6Rk=
> R:AffirmTrust_Premium_ECC.crt
> Z:Q1QHiDLI6H4VUqYdLyfjiRfxQ8iRk=
> R:ACCVRAIZ1.crt
> Z:Q1Yg+imHdMYbwUfkdmdTJSJnpNnJ0=
> R:DigiCert_Assured_ID_Root_CA.crt
> Z:Q11jaiOW4ptOkeABBqGDk4ptdG9xY=
> R:QuoVadis_Root_CA_3.crt
> Z:Q1yF3UetR2TiqvM+KLZ2+1A4wFaKg=
> R:SwissSign_Silver_CA_-_G2.crt
> Z:Q1yfZUppgAQEFV06v7PvIzgs2pLa0=
> R:TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt
> Z:Q1IF7PbkDY+dxwC5Ms5qOiaDaZRlI=
> R:GeoTrust_Primary_Certification_Authority_-_G3.crt
> Z:Q1B0wBQW9PsFBqAAEmZkAmMSwGNmQ=
> R:QuoVadis_Root_CA_1_G3.crt
> Z:Q1d0Rc+cAAiFiNDnwzBmJTicMP9L4=
> R:Entrust_Root_Certification_Authority_-_G2.crt
> Z:Q1YDDay2u0w6zVi1KDE6a0F83bzbg=
> R:Staat_der_Nederlanden_Root_CA_-_G3.crt
> Z:Q1yU4jwLLkuY8HsvPOYS09eITzVd8=
> R:COMODO_ECC_Certification_Authority.crt
> Z:Q16Zlove6WSuq9LwJcyr4dEIWy+Iw=
> R:COMODO_RSA_Certification_Authority.crt
> Z:Q19AaUb0qbN51K+YR0UcoB3EDPuWg=
> R:QuoVadis_Root_CA.crt
> Z:Q1meTudHGg/QmEMGekm8fy5lpYz2I=
> R:D-TRUST_Root_Class_3_CA_2_EV_2009.crt
> Z:Q1mzrwTFcbong1Q8WrUZOqJ5OY+nY=
> R:DigiCert_Global_Root_G2.crt
> Z:Q1vNYPBwCO7TvR0WqXT/8Lk85oEQs=
> R:Entrust_Root_Certification_Authority.crt
> Z:Q1hMJwKUa2iVrAniX8TszWhRKaLic=
> R:EC-ACC.crt
> Z:Q19zNyDboW8eGeSJ6YeggR5OuojxM=
> R:UCA_Extended_Validation_Root.crt
> Z:Q1c2xtj6NuNIe0Y7XBSN1qCos5qZw=
> R:XRamp_Global_CA_Root.crt
> Z:Q1i3Ay7Lre5sw0bSuFushbUD7rcA0=
> R:Trustis_FPS_Root_CA.crt
> Z:Q1Av11SZPSgw5yvqA6nmA9RvovIz0=
> R:GeoTrust_Primary_Certification_Authority_-_G2.crt
> Z:Q1Jdu0/LQSs41IgsBujmo2bHmQcg4=
> R:emSign_ECC_Root_CA_-_G3.crt
> Z:Q1P1uKoUGnyo2ucdhrcHR5Bxf/vnY=
> R:thawte_Primary_Root_CA_-_G3.crt
> Z:Q1OBZ4LvJifyj5ckbtBnZA+8gS3e4=
> R:Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
> Z:Q1ezXs+8GTPJzzPTU0NwF0cEKwMms=
> R:NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
> Z:Q1PBwBdef4LfpqpvbMMqrtFaxQ9C0=
> R:Amazon_Root_CA_2.crt
> Z:Q1Mjt7ShDA2NoZij6MBZyb7CT0ky0=
> R:Camerfirma_Global_Chambersign_Root.crt
> Z:Q1C7KdDorgV040tTuAwVRjNm4oXbI=
> R:TrustCor_RootCert_CA-2.crt
> Z:Q1b75fdaAKuvpLlRqotHptQk7zBA4=
> R:Amazon_Root_CA_4.crt
> Z:Q12ayOl3M2DRbZUiV0diaHPoGqn9Y=
> R:Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.crt
> Z:Q1EkWUBO/EgriupS76AwgK5EJJGuY=
> R:emSign_ECC_Root_CA_-_C3.crt
> Z:Q1zYsDcDDxkMsTErh0fzzRhBWGq7I=
> R:Security_Communication_RootCA2.crt
> Z:Q1aFENB5LpVZLc/j6tIwpYCWz0334=
> R:DigiCert_Global_Root_CA.crt
> Z:Q1RBgpDAr2YYQ7KMcPTrco9MxGKWA=
> R:ePKI_Root_Certification_Authority.crt
> Z:Q1ukis7BL6ag6KKa2IAYJcbQorhek=
> R:GlobalSign_Root_CA_-_R6.crt
> Z:Q1pfhGidPu6wwM9n3QvPp+hzs1U7M=
> R:D-TRUST_Root_CA_3_2013.crt
> Z:Q16ESZiwdqsH2cMXAS56Hz8j0eRLY=
> R:VeriSign_Universal_Root_Certification_Authority.crt
> Z:Q1HErww9hPl6NJFnDXXcKtruu1Bxs=
> R:Certum_Trusted_Network_CA.crt
> Z:Q1dsOv1er41cvyUPCLkj+/kIXGeT4=
> R:COMODO_Certification_Authority.crt
> Z:Q1tLncnPRwxmsenlPDApoHqUGJgYU=
> R:SwissSign_Platinum_CA_-_G2.crt
> Z:Q1dFWSBC5s8ZsU8OxQ9bvtgciEEjI=
> R:Camerfirma_Chambers_of_Commerce_Root.crt
> Z:Q1j4l3MEzwpsbzZYSlzGBIoWCFwlU=
> R:emSign_Root_CA_-_C1.crt
> Z:Q1mbgWLDLz7PBYBhErqnercjDpmNU=
> R:T-TeleSec_GlobalRoot_Class_3.crt
> Z:Q1KoPK9TUdQT1Ev/m36j4Gz2JA7uQ=
> R:DigiCert_Global_Root_G3.crt
> Z:Q17gm3Wh+4D3Y1T0Xazjb6UXTZa7A=
> R:Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.crt
> Z:Q1m9n9nAlOJnAllvtVxbmBMbUWQhk=
> R:VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
> Z:Q1XFspUHyVErZYgHyHlnrbaOZQqC8=
> R:Secure_Global_CA.crt
> Z:Q1hq7QkVBqW9ZIBb1DMFSQXDmkLBA=
> R:Actalis_Authentication_Root_CA.crt
> Z:Q1URypVgcCKpntjmi9Y/E2xIVM78s=
> R:Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
> Z:Q1Itn+gzAv8GriXm77jMH6Id+vDnI=
> R:USERTrust_RSA_Certification_Authority.crt
> Z:Q1LyOAaFvg6owb4eGoSW/58iDE9hw=
> R:D-TRUST_Root_Class_3_CA_2_2009.crt
> Z:Q1CVXtoLnzXYkVz8Xey6D97/owehU=
> R:AffirmTrust_Premium.crt
> Z:Q1Kke7oacZjzthsXkjna3IttlVWIc=
> R:GTS_Root_R2.crt
> Z:Q1kZ6ME6RbjL9lEz+dzLRPOBlvUqk=
> R:Certigna.crt
> Z:Q1/l30B8TLpw9JkoQQv1XfA9Hicy8=
> R:TWCA_Global_Root_CA.crt
> Z:Q1OH9yg4dVzVC6GdL7KcHwOAN3btg=
> R:IdenTrust_Public_Sector_Root_CA_1.crt
> Z:Q1thO7Om3MLuesYtCVHg6pvL1I/4w=
> R:TrustCor_ECA-1.crt
> Z:Q1kuNY0O+oHUTetOVaxmxTUl8EChE=
> R:Staat_der_Nederlanden_Root_CA_-_G2.crt
> Z:Q1q+zK+4s+BdPglYHM3INKUgkBuWY=
> R:Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
> Z:Q1/CxV6yQo8lb/VblsISOoKOmPGmY=
> R:SSL.com_EV_Root_Certification_Authority_RSA_R2.crt
> Z:Q1LEFEQi79PXeM9fPCgHJOYS7Ymyk=
> R:QuoVadis_Root_CA_3_G3.crt
> Z:Q1fHadn9tN9NdDrJ24/SY3Y+Hp5J4=
> R:Chambers_of_Commerce_Root_-_2008.crt
> Z:Q1aoheWbyYbE4o92pjJwCxxa5Hub0=
> R:DST_Root_CA_X3.crt
> Z:Q1Y28cdtgN5tSRYwE9weYkpsp6Ta0=
> R:TrustCor_RootCert_CA-1.crt
> Z:Q1aw5p4YFvGgp12pdaPzKfD15WfR8=
> R:Entrust.net_Premium_2048_Secure_Server_CA.crt
> Z:Q1LicN/AuTM/JrWZ6s9CzhD7JoIVQ=
> R:GTS_Root_R1.crt
> Z:Q1gf+QIXSflI4PvFaPVMhsL5m0dU8=
> R:Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
> Z:Q1tqyQI09yWCWAznc5WvrGgKUfhsE=
> R:USERTrust_ECC_Certification_Authority.crt
> Z:Q12c4P9Wxxu0CROI6jjgHZdWWnVX8=
> R:DigiCert_High_Assurance_EV_Root_CA.crt
> Z:Q1/yQqgtaVyh5HbsWkZctE8HR+21g=
> R:thawte_Primary_Root_CA_-_G2.crt
> Z:Q1UwAy9Mi2fIePO/aFn3cizaoSALc=
> R:GlobalSign_Root_CA_-_R2.crt
> Z:Q1M5SBYtNGil17CwFHxY1ssEesQpY=
> R:GeoTrust_Universal_CA.crt
> Z:Q1cNlhXZdJneVCQrosysxpGwnChOE=
> R:GlobalSign_ECC_Root_CA_-_R4.crt
> Z:Q14ofywW9sCB/uwcjaRPHuR+W01Mo=
> R:Entrust_Root_Certification_Authority_-_G4.crt
> Z:Q12M+H1tKT+20y4srpA0MxJ0JvxpQ=
> R:Baltimore_CyberTrust_Root.crt
> Z:Q1r4Wn/AFocJkJ5dnML2BgnFHI/sc=
> R:Sonera_Class_2_Root_CA.crt
> Z:Q1cVjaI6B6aKMib0aXrmdsGrknca4=
> R:GTS_Root_R4.crt
> Z:Q1TDyFCqaL2QfnpMtfEWAU0n4UMCU=
> R:GlobalSign_ECC_Root_CA_-_R5.crt
> Z:Q1tTA6apTbLuUc6bB84FcApoOcTQw=
> R:Microsec_e-Szigno_Root_CA_2009.crt
> Z:Q12GFvQ5RYNm5qWpTSxycTwMj/zTs=
> R:GeoTrust_Universal_CA_2.crt
> Z:Q1DxMFS5f9TVpxEIyE18U2DQn2BSM=
> R:VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
> Z:Q1O135aetWqrFqIlY6Lrg7wodsXdw=
> R:UCA_Global_G2_Root.crt
> Z:Q1FAwCc4Q3HykwmMXJPJOI2f3iJZU=
> R:Entrust_Root_Certification_Authority_-_EC1.crt
> Z:Q1vsDvp7XZRmS2Qn0L3CLneubtHWs=
> R:E-Tugra_Certification_Authority.crt
> Z:Q18XY975DIsrXcz7TdUqctRp3oMPQ=
> R:Buypass_Class_3_Root_CA.crt
> Z:Q1W4iUMLfdFRfJT4e3cXXFr5V7FaQ=
> R:SSL.com_Root_Certification_Authority_ECC.crt
> Z:Q10PJ40hKbrw0b5weDETb1zhbeyY4=
> R:Network_Solutions_Certificate_Authority.crt
> Z:Q1E/17ob1ZlENzmyurStRUJ26xYxc=
> R:Certum_Trusted_Network_CA_2.crt
> Z:Q1Fk2yMYJ/htcwEtxmgPtr53fyBaw=
>
> C:Q1EToCBKEmeBdTneiJj7exZpuUtS0=
> P:nghttp2-libs
> V:1.39.2-r0
> A:x86_64
> S:67180
> I:155648
> T:Experimental HTTP/2 client, server and proxy (libraries)
> U:https://nghttp2.org
> L:MIT
> o:nghttp2
> m:Francesco Colista <fcolista@alpinelinux.org>
> t:1568186892
> c:1dc7b4f0c96ed51dcf6d72c6251e6bb4f6ff24ea
> D:so:libc.musl-x86_64.so.1
> p:so:libnghttp2.so.14=14.18.0
> F:usr
> F:usr/lib
> R:libnghttp2.so.14
> a:0:0:777
> Z:Q1LPn1/GhjknxncslDnIV2sozleRg=
> R:libnghttp2.so.14.18.0
> a:0:0:755
> Z:Q1n1yCxO+rgqHtKRvYz/4byA3czbE=
>
> C:Q1HZNUYHGFSlhSOEdrONERG5VpMqE=
> P:libssh2
> V:1.9.0-r1
> A:x86_64
> S:93814
> I:221184
> T:library for accessing ssh1/ssh2 protocol servers
> U:https://libssh2.org/
> L:BSD
> o:libssh2
> m:Natanael Copa <ncopa@alpinelinux.org>
> t:1571996730
> c:4763b1bc00bf1da982aabff8810e53fd9dced2f0
> D:so:libc.musl-x86_64.so.1 so:libcrypto.so.43 so:libz.so.1
> p:so:libssh2.so.1=1.0.1
> F:usr
> F:usr/lib
> R:libssh2.so.1
> a:0:0:777
> Z:Q1D2bctUiR7ouD4db7CotuX/7bOl8=
> R:libssh2.so.1.0.1
> a:0:0:755
> Z:Q1/iM/3g+JPd47eY90ZgzpZRkpIUk=
>
> C:Q1fyUS5OyIxEQ7kHjju3h54DsN1Zc=
> P:libcurl
> V:7.61.1-r3
> A:x86_64
> S:216028
> I:466944
> T:The multiprotocol file transfer library
> U:https://curl.haxx.se
> L:MIT
> o:curl
> m:Natanael Copa <ncopa@alpinelinux.org>
> t:1568707440
> c:c64caaa6d0cf04cf1a2a90b1b751edef900fd849
> D:ca-certificates so:libc.musl-x86_64.so.1 so:libcrypto.so.43 so:libnghttp2.so.14 so:libssh2.so.1 so:libssl.so.45 so:libz.so.1
> p:so:libcurl.so.4=4.5.0
> F:usr
> F:usr/lib
> R:libcurl.so.4
> a:0:0:777
> Z:Q1ngrNm+ppawZtfHpO0LvmUxP8f58=
> R:libcurl.so.4.5.0
> a:0:0:755
> Z:Q1LZx+ksH6MHln5rfb1QnCWS/nHk8=
>
> C:Q1ivNP9Fg164j6sWYwhw6I3vrgex8=
> P:expat
> V:2.2.8-r0
> A:x86_64
> S:66892
> I:176128
> T:An XML Parser library written in C
> U:http://www.libexpat.org/
> L:MIT
> o:expat
> m:Carlo Landmeter <clandmeter@gmail.com>
> t:1568974105
> c:f8aaee8bb88596131af189a58b1e5a210c085584
> D:so:libc.musl-x86_64.so.1
> p:so:libexpat.so.1=1.6.10 cmd:xmlwf
> F:usr
> F:usr/bin
> R:xmlwf
> a:0:0:755
> Z:Q1J/ePy7lvBqK3m1i4wX0J9HCCO08=
> F:usr/lib
> R:libexpat.so.1.6.10
> a:0:0:755
> Z:Q1dKmXIEhVFoThew/M1zpyk+tnzHg=
> R:libexpat.so.1
> a:0:0:777
> Z:Q1DBU5ysdwK91copPhknaLG4SxYgo=
>
> C:Q1dAOptgXbFQyMv8D1boHibW36t3U=
> P:pcre2
> V:10.31-r0
> A:x86_64
> S:225993
> I:602112
> T:Perl-compatible regular expression library
> U:http://pcre.sourceforge.net/
> L:BSD-3-Clause
> o:pcre2
> m:Jakub Jirutka <jakub@jirutka.cz>
> t:1525177497
> c:f15559ce104532156bf682903cec5ced0bec1426
> D:so:libc.musl-x86_64.so.1
> p:so:libpcre2-8.so.0=0.7.0 so:libpcre2-posix.so.2=2.0.0
> F:usr
> F:usr/lib
> R:libpcre2-8.so.0.7.0
> a:0:0:755
> Z:Q1PhoXKII1nLphwj01/k4F8fys20c=
> R:libpcre2-8.so.0
> a:0:0:777
> Z:Q1VDS0WV6wx1Sn8zNR/rTPN5IJcdQ=
> R:libpcre2-posix.so.2
> a:0:0:777
> Z:Q1ui7wLyv6d05O7H5YMRQN5ft2e7o=
> R:libpcre2-posix.so.2.0.0
> a:0:0:755
> Z:Q1tU9/aLuC36Kjk6nP2IwZrOftTkQ=
>
> C:Q1ubA4spcN4PRTWxVOI1GHI3+Ii74=
> P:git
> V:2.18.4-r0
> A:x86_64
> S:6568718
> I:13213696
> T:Distributed version control system
> U:https://www.git-scm.com/
> L:GPL-2.0-or-later
> o:git
> m:Natanael Copa <ncopa@alpinelinux.org>
> t:1587495829
> c:f32b8f8df8e99e7b325c18d9faefd359d2f1a39a
> D:so:libc.musl-x86_64.so.1 so:libcurl.so.4 so:libexpat.so.1 so:libpcre2-8.so.0 so:libz.so.1
> p:cmd:git cmd:git-receive-pack cmd:git-shell cmd:git-upload-archive cmd:git-upload-pack
> r:git-perl
> F:usr
> F:usr/libexec
> F:usr/libexec/git-core
> R:git-fmt-merge-msg
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-parse-remote
> Z:Q1JJP2c5/FjhaiD9dr0Ue+FYnk4zg=
> R:git-describe
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-repack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-bisect--helper
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-whatchanged
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-revert
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-cat-file
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-tree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-serve
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-subtree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-read-tree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-verify-tag
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-commit
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-var
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rebase--helper
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-reset
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-diff
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-clean
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-verify-commit
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-push
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-remote-ftps
> a:0:0:755
> Z:Q1FNQ3oYyunabkCkiwZ2XTxnn1+0U=
> R:git-credential-cache--daemon
> a:0:0:755
> Z:Q1rp8cQFyXI34CT30j/Z5Ya9bDyqc=
> R:git-merge-base
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-branch
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-bisect
> a:0:0:755
> Z:Q1c2PO1ax6h+ynMqJUITYNu+kdZkQ=
> R:git-pack-redundant
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-interpret-trailers
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-prune-packed
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-diff-index
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-show-branch
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rebase--interactive
> Z:Q1H21TeAx/uJhd08DlSLHHoTsF69k=
> R:git-check-mailmap
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-cherry-pick
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-worktree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-fetch-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-mailinfo
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-format-patch
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-tag
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-add
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-column
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-mailsplit
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-filter-branch
> a:0:0:755
> Z:Q1BobShuYt3dHDekXsvGNKPh21oOM=
> R:git-stash
> a:0:0:755
> Z:Q1hal+sCJldSaTpM1BsaFJbVvhqnA=
> R:git-name-rev
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rebase--am
> Z:Q1AdwlHaafb0eiDS7XrQAQdaslUgk=
> R:git-rev-list
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-notes
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-init
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-init-db
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-shortlog
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rerere
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-fsck-objects
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-mv
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-fetch
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-for-each-ref
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-difftool--helper
> a:0:0:755
> Z:Q1lW64qKFngkdzefVkZdluuw43vbE=
> R:git-stage
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-pull
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-diff-tree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rev-parse
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-check-attr
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-credential-store
> a:0:0:755
> Z:Q18kiG7CfYtU/O6OM8P4qNqgAKlrM=
> R:git-remote-fd
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-annotate
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-apply
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-checkout-index
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-commit-graph
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-pack-objects
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-http-push
> a:0:0:755
> Z:Q1GWZrtmiFQdW3Ir+rwnuSBdCLgao=
> R:git-mergetool
> a:0:0:755
> Z:Q1S6vLNe594R6J5/OBz2l5ndp2Xnw=
> R:git-update-ref
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-octopus
> a:0:0:755
> Z:Q1D7/bjLf08RRck/mSVIBckjmztZY=
> R:git-blame
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-one-file
> a:0:0:755
> Z:Q122u2LgGsqtiPEzBR/FtOZ4F5JIY=
> R:git-symbolic-ref
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-ls-remote
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-commit-tree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-recursive
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-check-ref-format
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-grep
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-ours
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-bundle
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-show-index
> a:0:0:755
> Z:Q104N0BrxcTf0jH8kJeDCxMFxReFw=
> R:git-mergetool--lib
> Z:Q1nhobQiqq/DMQPakNKFzyMKAR0Rc=
> R:git-upload-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-resolve
> a:0:0:755
> Z:Q1qXe+7FKzOYXP9jacviX3AuQWcHU=
> R:git-update-index
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-sh-i18n--envsubst
> a:0:0:755
> Z:Q1sEv3uqlZ7aW0BagK4R91dp5yKYA=
> R:git-mktag
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-write-tree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-credential
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-remote-http
> a:0:0:755
> Z:Q1FNQ3oYyunabkCkiwZ2XTxnn1+0U=
> R:git-quiltimport
> a:0:0:755
> Z:Q1qJCfrOj32gkJYRazhr6Cvn8gkxk=
> R:git-cherry
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-archive
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-get-tar-commit-id
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-send-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-fsck
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-difftool
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-gc
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-fast-export
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-check-ignore
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-reflog
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-remote-ext
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-file
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-mktree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-hash-object
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-web--browse
> a:0:0:755
> Z:Q1qX7DL65PBzXmnuPW/syYuSeRlwI=
> R:git-submodule--helper
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-receive-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-pack-refs
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-help
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-stripspace
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-sh-setup
> Z:Q1VKoKc5Q+/bWM/+5XK56AotDH710=
> R:git-merge
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-verify-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rebase--merge
> Z:Q1vmlrQBLQEjwhjrL5pTtaJQWCT7s=
> R:git-rebase
> a:0:0:755
> Z:Q1CHGDrlug0LXERUqTTx8s3MWd6lI=
> R:git-am
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-request-pull
> a:0:0:755
> Z:Q1f8a0I498h60PoTShUoiCxlV12Sg=
> R:git-log
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-unpack-file
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-checkout
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-status
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-remote-https
> a:0:0:755
> Z:Q1FNQ3oYyunabkCkiwZ2XTxnn1+0U=
> R:git-http-fetch
> a:0:0:755
> Z:Q1oVJyHIjvW7q5wnaP7awKe8WrffA=
> R:git-index-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-upload-archive
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rm
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-remote-ftp
> a:0:0:755
> Z:Q1FNQ3oYyunabkCkiwZ2XTxnn1+0U=
> R:git-count-objects
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-unpack-objects
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-ls-files
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-index
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-show-ref
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-sh-i18n
> Z:Q1Lkxz61Y0A8dP1ttT0uGkZTeZ9CI=
> R:git-diff-files
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-patch-id
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-show
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-remote
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-submodule
> a:0:0:755
> Z:Q1fRozSa44ONNN5yypfsSv2ewhj2I=
> R:git-prune
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-update-server-info
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-ls-tree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-credential-cache
> a:0:0:755
> Z:Q1LYo3i6pRNwyxLs/Wd78v26BCaj8=
> R:git-clone
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-config
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-replace
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> F:usr/libexec/git-core/mergetools
> R:meld
> Z:Q1cNfAI8kVh5xLjIsj4PWxA6vAJG0=
> R:guiffy
> Z:Q1iFG0w9sQa8g5yl1BDMyI/zGwVgI=
> R:examdiff
> Z:Q1SwktMjUpAM45lzuQjPcYQIb3xFs=
> R:opendiff
> Z:Q1/Qp8ktBxoBFf37rN7suLs+0Skbs=
> R:gvimdiff
> Z:Q1jZuJYs9GrZlMHK8vb91YyJMJbYs=
> R:bc
> Z:Q1eP8Ti3qxGjR15KCuS+CaMwUkBws=
> R:araxis
> Z:Q1Nbn45diRNmggtfhiBcCgtnqEScQ=
> R:emerge
> Z:Q1NLBPgymCEVU/exZfeaVH3zZvwVc=
> R:vimdiff
> Z:Q1UyN15OIsVT/qF4XNj4DxQvGJJaY=
> R:vimdiff3
> Z:Q1jZuJYs9GrZlMHK8vb91YyJMJbYs=
> R:tkdiff
> Z:Q1Dx/CiXXX10cMNSmoU8UswnayICA=
> R:codecompare
> Z:Q1eETxVt0LsxxDJSrLfzKgdohPYws=
> R:kdiff3
> Z:Q1f1/c0x2kVOYS61gxcZc/OWiji+k=
> R:vimdiff2
> Z:Q1jZuJYs9GrZlMHK8vb91YyJMJbYs=
> R:kompare
> Z:Q1gv349exa6UCCz5F+SUF14CpUVZc=
> R:ecmerge
> Z:Q16/SvhyXRrNFXsI1xGR9smPc3UzU=
> R:diffmerge
> Z:Q1KIFMpr/3FOHmW3JMlQpNoNVudB8=
> R:xxdiff
> Z:Q1ai7xze9o8xoJfioXQcJO/aZjcfE=
> R:winmerge
> Z:Q1Mi6X4AgzTFgX14YKlxPmo9BqxZ4=
> R:gvimdiff3
> Z:Q1jZuJYs9GrZlMHK8vb91YyJMJbYs=
> R:tortoisemerge
> Z:Q11ZrkZMKW689SrCdF3ItTMMM2Oz4=
> R:diffuse
> Z:Q1xffz7Y1Svt0MMFU2CesOPPqTdTE=
> R:deltawalker
> Z:Q1PU/2BEGpv5F69I2kTEgGXgZxsJw=
> R:gvimdiff2
> Z:Q1jZuJYs9GrZlMHK8vb91YyJMJbYs=
> R:bc3
> Z:Q1nAzyoCjKTcWPYdXp1iLaKjEMcpY=
> F:usr/bin
> R:git
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-upload-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-receive-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-upload-archive
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-shell
> a:0:0:755
> Z:Q1Op7Sx1c6qZ1uBzzW0o37nu+2rBk=
> F:usr/share
> F:usr/share/git-core
> F:usr/share/git-core/templates
> M:0:0:2755
> R:description
> Z:Q1ljXxt+EsBFISgZ3ZNNgJ7wfvovQ=
> F:usr/share/git-core/templates/info
> M:0:0:2755
> R:exclude
> Z:Q1yHnfAV2XYVBQr6e5ZB4zUqHnAaw=
> F:usr/share/git-core/templates/branches
> M:0:0:2755
> F:usr/share/git-core/templates/hooks
> M:0:0:2755
> R:pre-push.sample
> a:0:0:755
> Z:Q1XIUYv9HR09LBpxlJlMChbYoxOkE=
> R:commit-msg.sample
> a:0:0:755
> Z:Q17h7VqtmKQ18gILbeNcFzt12a/6w=
> R:prepare-commit-msg.sample
> a:0:0:755
> Z:Q1JYSAa6FHFSrgBctnWqTwHV0GhFY=
> R:pre-applypatch.sample
> a:0:0:755
> Z:Q18ggofBqSUl3p9UYukFqdMd4eLXU=
> R:pre-receive.sample
> a:0:0:755
> Z:Q1cFoX0lnniW8Agv4unywMOxJ75aw=
> R:update.sample
> a:0:0:755
> Z:Q15ynNYbJ8EolR0Tnejnxj0aN1jd4=
> R:pre-commit.sample
> a:0:0:755
> Z:Q1M3Ka1M5RrNo1CU5YHkCI8xZ6Cvg=
> R:pre-rebase.sample
> a:0:0:755
> Z:Q1KI79wAJ9tM/Yt8R8Su3boJtt7RI=
> R:applypatch-msg.sample
> a:0:0:755
> Z:Q1TeiOuVpek/0n54tfs7UjGo2JF90=
> R:post-update.sample
> a:0:0:755
> Z:Q1thTC9j2n3Knx2y563mHvMESPyWw=
> F:usr/share/perl5
> F:var
> F:var/git
This diff does not contain anything about openssl and hence it can be asserted that openssl wasn't actually installed or modified in this layer.
Of course, to do this kind of diffing one would need a proper parser for the lib/apk/db/installed file and then check the parsed content of both versions of the file for modifications.
Does that make sense?
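A sketch of the parse-and-compare approach described in the comment above, as an added example that is not part of the original thread and is not Syft's code. The function names, layer ids and sample records are assumptions constructed for illustration; the field letters (P, V, C, F, R, Z) are those of the apk installed database.

```python
import re

FIELDS = {"P": "name", "V": "version", "C": "checksum"}

def parse_installed(text):
    """Parse an apk installed DB into {package name: record}."""
    packages = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"name": None, "version": None, "checksum": None, "files": {}}
        directory, path = "", None
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if not sep:
                continue                        # tolerate malformed lines
            if key in FIELDS:
                rec[FIELDS[key]] = value
            elif key == "F":
                directory, path = value, None   # directory of the R: entries that follow
            elif key == "R":
                path = f"{directory}/{value}"
                rec["files"][path] = None
            elif key == "Z" and path:
                rec["files"][path] = value      # checksum of the preceding R: file
        if rec["name"]:
            packages[rec["name"]] = rec
    return packages

def attribute_packages(layers):
    """layers: [(layer_id, installed_text or None)], base layer first.
    Returns {name: layer_id of the layer that added or last changed the package}."""
    origin, previous = {}, {}
    for layer_id, text in layers:
        if text is None:
            continue                            # layer ships no DB: nothing changed
        current = parse_installed(text)
        for name, rec in current.items():
            if previous.get(name) != rec:       # new, or version/checksum/files differ
                origin[name] = layer_id
        for name in previous.keys() - current.keys():
            del origin[name]                    # package removed in this layer
        previous = current
    return origin

# Constructed sample (not from the issue): layer-3 adds git, busybox unchanged.
BUSYBOX = "C:Q1pkgA=\nP:busybox\nV:1.0-r0\nF:bin\nR:busybox\na:0:0:755\nZ:Q1fileA=\n"
GIT = "C:Q1pkgB=\nP:git\nV:2.0-r0\nF:usr/bin\nR:git\na:0:0:755\nZ:Q1fileB=\n"
LAYERS = [("layer-1", BUSYBOX), ("layer-2", None), ("layer-3", BUSYBOX + "\n" + GIT)]
if __name__ == "__main__":
    print(attribute_packages(LAYERS))
```

A layer that removes the database file with a whiteout entry is not modelled here; such a layer would need to reset the carried-over state.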
It does! I follow now, sorry. At first, I thought you were talking about inspecting other files (e.g. the busybox binaries) to make the determination.
I think this implementation is along the lines of what we'd do for #435.
@cdupuis Would it be okay with you if we close this issue and track the feature via #435? I think the core request is the same between these two issues. And the issues are now linked, so we'll have the benefit of this issue's context as we work on #435.
Sure, yeah.
What happened:
When running
syft node@sha256:6cf4fe67db0c1e052ab251daab39e43a381a74c3738fe8207e613e416d9c30f8 -o json > syft.json
the result attributes the busybox package to a layer from the node image although IMHO this package comes in via the alpine base image:
This image contains the following layers:
3 of the 4 layers contain the lib/apk/db/installed file. The 1st layer has busybox in its lib/apk/db/installed:
Extracting the layer tarballs and diff'ing the lib/apk/db/installed file between the layers reveals the following:
To me this shows that none of the layers modify the lib/apk/db/installed to add the busybox package and that it really comes from the first layer and not from the 3rd layer as reported by syft.
The downstream consequence of this bug is that CVEs are getting reported against node images when those really originate from the alpine base image and need to be fixed there.
What you expected to happen:
I think that a container SBOM tool should correctly report the origin of a package. At least in this specific case, I don't think the origin of the busybox package can be trusted.
How to reproduce it (as minimally and precisely as possible):
syft node@sha256:6cf4fe67db0c1e052ab251daab39e43a381a74c3738fe8207e613e416d9c30f8 -o json
Anything else we need to know?:
Please let me know if you need anything else to debug this. I'm happy to help.
Environment:
syft version: