apk
How FOSSA detects, licenses, and reports Alpine Linux (apk) packages during container scanning.
Overview
The Alpine Package Manager (apk) installs system packages on Alpine Linux images. FOSSA detects apk packages when it scans a container image.
Note
apk packages are detected only during container scanning, not during a normal fossa analyze of a source repository.
How FOSSA identifies apk packages
A detected apk package is identified by its name, the Alpine distribution and version, its architecture, and its package version. Alpine versions are normalized to major.minor (for example, 3.15), so packages from 3.15.2 and 3.15.4 resolve against the same Alpine release line.
Licenses for apk packages are resolved from FOSSA's Knowledge service using each package's declared-license metadata, rather than being read out of the image at scan time. Alpine packages generally include complete license information.
Discovery
FOSSA looks for a file named installed under any **/apk/** path in the image, the apk installed-package database.
Analysis
FOSSA parses the database and reports each package's name, version, and architecture. For example, this record:
C:Q1Deb0jNytkrjPW4N/eKLZ43BwOlw=
P:musl
V:1.2.2-r7
A:x86_64
S:383152
I:622592
T:the musl c library (libc) implementation
U:https://musl.libc.org/
L:MIT
o:musl
m:Timo Teräs <timo.teras@iki.fi>
t:1632431095is reported as the dependency musl at version 1.2.2-r7 for architecture x86_64. The package release suffix (-r7) is preserved, which matters for vulnerability matching: Alpine backports security fixes into new releases of the same version.
FAQ
How do I only analyze apk packages?
Specify the apkdb analysis target in a .fossa.yml file to exclude all other targets:
# .fossa.ymlversion: 3targets: only: - type: apkdb