dpkg

How FOSSA detects, licenses, and reports Debian and Ubuntu (dpkg) packages during container scanning.

1 min readUpdated Jul 9, 2026

Overview

The Debian Package Manager (dpkg) installs system packages on Debian and Ubuntu images. FOSSA detects dpkg packages when it scans a container image.

Note

dpkg packages are detected only during container scanning, not during a normal fossa analyze of a source repository.

How FOSSA identifies dpkg packages

A detected dpkg package is identified by its name, the distribution (Debian or Ubuntu) and version, its architecture, and its package version. Debian and Ubuntu versions are normalized to the major version. Licenses are resolved from FOSSA's Knowledge service using each package's declared-license metadata; Debian and Ubuntu packages generally include complete license information.

Discovery

FOSSA looks for a file named status or status.d under **/var/lib/dpkg/*, the dpkg installed-package database.

Analysis

FOSSA parses the database and reports each package's name, version, and architecture. For example, this record:

Package: bash
Status: install ok installed
Priority: required
Section: shells
Installed-Size: 6512
Maintainer: Matthias Klose <doko@debian.org>
Architecture: arm64
Multi-Arch: foreign
Version: 5.1-2+deb11u1
Depends: base-files (>= 2.1.12), debianutils (>= 2.15)
Description: GNU Bourne Again SHell
Homepage: http://tiswww.case.edu/php/chet/bash/bashtop.html

is reported as the dependency bash at version 5.1-2+deb11u1 for architecture arm64. The Debian revision (-2+deb11u1) is preserved, which matters for vulnerability matching: Debian and Ubuntu backport security fixes into new revisions of the same upstream version.

FAQ

How do I only analyze dpkg packages?

Specify the dpkgdb analysis target in a .fossa.yml file to exclude all other targets:

YAML
# .fossa.ymlversion: 3targets:  only:    - type: dpkgdb
© 2026 FOSSA, Inc.support@fossa.com