aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

DPKG package list contains uninstalled packages #421

Open webmozart opened 2 years ago

webmozart commented 2 years ago

On Ubuntu 20.04, the package list collected by SSM contains not only installed packages, but all packages in the DPKG registry, i.e. also those already uninstalled but where configuration is not purged yet. Like that, the package list is unusable. Furthermore, AWS Inspector (which is the reason I'm here) reports vulnerabilities for packages that are not even installed anymore.

Is this a bug?

I already traced it back to this commit: https://github.com/aws/amazon-ssm-agent/commit/87594da86a50c859caada0d49d1cfb4c8ae3290f

On Debian-based systems, dpkg-query -W is used to collect the list of packages. From the docs:

   -l, --list [package-name-pattern...]
          List  all known packages matching one or more patterns, *regardless of their status*, which includes
          any real or virtual package referenced in any  dependency  relationship  field  (such  as  Breaks,
          Enhances,  etc.).  [...]

          The output format of this option is not configurable, but varies automatically to fit the terminal
          width. It is intended for human readers, and is not easily machine-readable. See -W  (--show)  and
          --showformat for a way to configure the output format.

   -W, --show [package-name-pattern...]
          *Just  like  the  --list option* this will list all packages matching the given pattern. However the
          output can be customized using the --showformat option.  The default output format gives one  line
          per  matching  package,  each  line  having the name (extended with the architecture qualifier for
          Multi-Arch same packages) and installed version of the package, separated by a tab.

(emphasis put on "regardless of their status")

Why is that so? I can't believe nobody reported this so far?

ReillyBrogan commented 2 years ago

We're encountering this issue as well. FWIW you can purge all such packages with this command: dpkg --list |grep "^rc" | cut -d " " -f 3 | xargs sudo dpkg --purge which purges all packages in the DPKG registry of status rc (configuration remains but the package is uninstalled).

It would be great if rc packages were ignored instead however.
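Both comments above point at the same gap: a plain `dpkg-query -W` emits every entry in the dpkg database, so a removed-but-not-purged package (status `rc` in `dpkg --list`, i.e. "deinstall ok config-files" in the `${Status}` field) shows up next to the packages that are actually on disk. The added shell example below is not code from the SSM agent or from either commenter; it shows how asking `dpkg-query` for the `${Status}` field makes the distinction explicit and filters the inventory down to installed packages only, so a vulnerability scanner consuming the list would not raise findings for software that is no longer present. The sample lines and package names are constructed for the demonstration, not real inventory data.

```shell
#!/bin/sh
# Added example (not part of the SSM agent or this issue): produce a
# package inventory that excludes removed-but-not-purged ("rc") entries.
#
# The real invocation on a Debian/Ubuntu host would be:
#   dpkg-query -W -f='${Package}\t${Version}\t${Status}\n'
# The ${Status} field holds three words: "<want> <flag> <status>", e.g.
#   "install ok installed"         -> package is actually installed
#   "deinstall ok config-files"    -> removed, only config left (dpkg -l: rc)
# filter_installed reads such lines on stdin and prints "<name>\t<version>"
# only for entries whose third status word is exactly "installed".
filter_installed() {
    awk -F'\t' '{
        n = split($3, s, " ")
        # exact match on the last word, so "half-installed" is excluded too
        if (s[n] == "installed") print $1 "\t" $2
    }'
}

# Constructed sample of dpkg-query output (assumption: same layout as the
# -f format above): two installed packages and two rc packages.
SAMPLE="$(printf 'openssl\t1.1.1f-1ubuntu2\tinstall ok installed\nlibfoo1:amd64\t1.2-3\tdeinstall ok config-files\nbash\t5.0-6ubuntu1\tinstall ok installed\nold-agent\t0.9\tdeinstall ok config-files\n')"

# Number of packages that survive the status filter.
installed_count() {
    printf '%s\n' "$SAMPLE" | filter_installed | wc -l | tr -d ' '
}

# Names an unfiltered `dpkg-query -W` would report even though they are
# not installed; these are the entries a scanner should never see.
not_installed_names() {
    printf '%s\n' "$SAMPLE" | awk -F'\t' '{
        n = split($3, s, " ")
        if (s[n] != "installed") print $1
    }'
}

# Stand-alone run: print the filtered inventory and the excluded names.
printf 'Installed packages:\n'
printf '%s\n' "$SAMPLE" | filter_installed
printf 'Excluded (not installed):\n'
not_installed_names
```

On a live host, replace the constructed `SAMPLE` with the output of the `dpkg-query -W -f=...` command from the comment; the `awk` filter is the same either way, and it leaves the `rc` entries untouched rather than purging them, which is the behaviour the second comment asks for.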