Describe the bug
When you remove, but don't purge, a package on Debian/Ubuntu, cnspec still scans it as an installed package and reports CVEs in the package.
To Reproduce
Steps to reproduce the behavior:
1. apt-get install foo; apt-get remove foo
2. Wait for some CVEs to show up in foo
3. cnspec scan
4. Note you're seeing CVEs for foo even though it's not installed
Expected behavior
A removed package should not show as having CVEs. All that's left when it's not purged is some config files.
root@timnas:/etc# dpkg -l | grep grub
ii grub-common 2.06-3~deb11u5 amd64 GRand Unified Bootloader (common files)
rc grub-efi 2.02+dfsg1-20 amd64 GRand Unified Bootloader, version 2 (dummy package)
rc grub-efi-amd64 2.02+dfsg1-20 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii grub-efi-amd64-bin 2.06-3~deb11u5 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 modules)
ii grub-efi-amd64-signed 1+2.06+3~deb11u5 amd64 GRand Unified Bootloader, version 2 (amd64 UEFI signed by Debian)
ii grub-pc 2.06-3~deb11u5 amd64 GRand Unified Bootloader, version 2 (PC/BIOS version)
ii grub-pc-bin 2.06-3~deb11u5 amd64 GRand Unified Bootloader, version 2 (PC/BIOS modules)
ii grub2-common 2.06-3~deb11u5 amd64 GRand Unified Bootloader (common files for version 2)
root@timnas:/etc# dpkg -l | grep libnginx
rc libnginx-mod-http-auth-pam 1.18.0-6.1 amd64 PAM authentication module for Nginx
rc libnginx-mod-http-dav-ext 1.18.0-6.1 amd64 WebDAV missing commands support for Nginx
rc libnginx-mod-http-echo 1.18.0-6.1 amd64 Bring echo and more shell style goodies to Nginx
ii libnginx-mod-http-geoip 1.18.0-6.1+deb11u3 amd64 GeoIP HTTP module for Nginx
rc libnginx-mod-http-geoip2 1.18.0-6.1 amd64 GeoIP2 HTTP module for Nginx
ii libnginx-mod-http-image-filter 1.18.0-6.1+deb11u3 amd64 HTTP image filter module for Nginx
rc libnginx-mod-http-subs-filter 1.18.0-6.1 amd64 Substitution filter module for Nginx
rc libnginx-mod-http-upstream-fair 1.18.0-6.1 amd64 Nginx Upstream Fair Proxy Load Balancer
ii libnginx-mod-http-xslt-filter 1.18.0-6.1+deb11u3 amd64 XSLT Transformation module for Nginx
ii libnginx-mod-mail 1.18.0-6.1+deb11u3 amd64 Mail module for Nginx
ii libnginx-mod-stream 1.18.0-6.1+deb11u3 amd64 Stream module for Nginx
ii libnginx-mod-stream-geoip 1.18.0-6.1+deb11u3 amd64 GeoIP Stream module for Nginx
rc libnginx-mod-stream-geoip2 1.18.0-6.1 amd64 GeoIP2 Stream module for Nginx
Desktop (please complete the following information):
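The distinction the report relies on, as an added example that is not cnspec's own code: the `ii` and `rc` codes in `dpkg -l` come from the `Status` field of `/var/lib/dpkg/status`, and only a final state of `installed` means the package's files are still on disk. The names `Pkg`, `parseStatus` and `isInstalled` are hypothetical, and the sample stanzas are constructed from two rows of the output above.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed /var/lib/dpkg/status stanzas mirroring two rows of the dpkg -l output above.
const sampleStatus = `Package: grub-common
Status: install ok installed
Version: 2.06-3~deb11u5

Package: grub-efi
Status: deinstall ok config-files
Version: 2.02+dfsg1-20
`

type Pkg struct{ Name, Version, Status string }

// parseStatus reads blank-line separated stanzas of "Key: value" fields.
func parseStatus(db string) []Pkg {
	var pkgs []Pkg
	for _, stanza := range strings.Split(db, "\n\n") {
		f := map[string]string{}
		for _, line := range strings.Split(stanza, "\n") {
			if key, val, ok := strings.Cut(line, ": "); ok {
				f[key] = val
			}
		}
		if f["Package"] != "" {
			pkgs = append(pkgs, Pkg{f["Package"], f["Version"], f["Status"]})
		}
	}
	return pkgs
}

// isInstalled checks the third Status word: "installed" is dpkg -l's "ii",
// "config-files" is "rc" (removed, only configuration files left behind).
func isInstalled(p Pkg) bool {
	f := strings.Fields(p.Status)
	return len(f) == 3 && f[2] == "installed"
}

func main() {
	for _, p := range parseStatus(sampleStatus) {
		fmt.Printf("%-12s %-16s scan=%v\n", p.Name, p.Version, isInstalled(p))
	}
}
```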