System

How FOSSA identifies operating-system packages found in container images during container scanning.

1 min readUpdated Jul 9, 2026

Overview

System packages are the operating-system-level packages installed in a container image, as opposed to application dependencies pulled in by a language ecosystem. When the FOSSA CLI scans a container image, it inspects the image's package databases to identify these OS packages and report them alongside your application's dependencies.

The package database FOSSA reads depends on the base distribution of the image:

Package managerDistributionsSupport
apkAlpine LinuxGeneral
dpkgDebian, UbuntuGeneral
rpmRHEL, CentOS, Oracle LinuxGeneral
rpmFedora, SLESBeta

These strategies apply to container scanning. See each page for the specific files and databases FOSSA reads.

How system packages are licensed

FOSSA resolves licenses for system packages from its Knowledge service using each package's declared-license metadata. It does not read license fields out of the image at scan time. Alpine and Debian/Ubuntu packages generally include complete license information; RHEL and Oracle Linux RPM packages may be reported as unlicensed where that data is incomplete (see rpm).

How versions are matched

FOSSA preserves each package's distribution, version, and release/revision (for example 1.2.2-r7 on Alpine or 5.1-2+deb11u1 on Debian). Distributions backport security fixes into new releases of the same upstream version, so keeping the release is what lets FOSSA match packages to the right vulnerabilities. Distribution versions are normalized for matching, Alpine to major.minor (e.g. 3.15), and the RHEL family and Debian/Ubuntu to the major version (e.g. 9).

© 2026 FOSSA, Inc.support@fossa.com