System
How FOSSA identifies operating-system packages found in container images during container scanning.
Overview
System packages are the operating-system-level packages installed in a container image, as opposed to application dependencies pulled in by a language ecosystem. When the FOSSA CLI scans a container image, it inspects the image's package databases to identify these OS packages and report them alongside your application's dependencies.
The package database FOSSA reads depends on the base distribution of the image:
| Package manager | Distributions | Support |
|---|---|---|
| apk | Alpine Linux | General |
| dpkg | Debian, Ubuntu | General |
| rpm | RHEL, CentOS, Oracle Linux | General |
| rpm | Fedora, SLES | Beta |
These strategies apply to container scanning. See each page for the specific files and databases FOSSA reads.
How system packages are licensed
FOSSA resolves licenses for system packages from its Knowledge service using each package's declared-license metadata. It does not read license fields out of the image at scan time. Alpine and Debian/Ubuntu packages generally include complete license information; RHEL and Oracle Linux RPM packages may be reported as unlicensed where that data is incomplete (see rpm).
How versions are matched
FOSSA preserves each package's distribution, version, and release/revision (for example 1.2.2-r7 on Alpine or 5.1-2+deb11u1 on Debian). Distributions backport security fixes into new releases of the same upstream version, so keeping the release is what lets FOSSA match packages to the right vulnerabilities. Distribution versions are normalized for matching, Alpine to major.minor (e.g. 3.15), and the RHEL family and Debian/Ubuntu to the major version (e.g. 9).