dpkg
How FOSSA detects, licenses, and reports Debian and Ubuntu (dpkg) packages during container scanning.
Overview
The Debian Package Manager (dpkg) installs system packages on Debian and Ubuntu images. FOSSA detects dpkg packages when it scans a container image.
Note
dpkg packages are detected only during container scanning, not during a normal fossa analyze of a source repository.
How FOSSA identifies dpkg packages
A detected dpkg package is identified by its name, the distribution (Debian or Ubuntu) and version, its architecture, and its package version. Debian and Ubuntu versions are normalized to the major version. Licenses are resolved from FOSSA's Knowledge service using each package's declared-license metadata; Debian and Ubuntu packages generally include complete license information.
Discovery
FOSSA looks for a file named status or status.d under **/var/lib/dpkg/*, the dpkg installed-package database.
Analysis
FOSSA parses the database and reports each package's name, version, and architecture. For example, this record:
Package: bash
Status: install ok installed
Priority: required
Section: shells
Installed-Size: 6512
Maintainer: Matthias Klose <doko@debian.org>
Architecture: arm64
Multi-Arch: foreign
Version: 5.1-2+deb11u1
Depends: base-files (>= 2.1.12), debianutils (>= 2.15)
Description: GNU Bourne Again SHell
Homepage: http://tiswww.case.edu/php/chet/bash/bashtop.htmlis reported as the dependency bash at version 5.1-2+deb11u1 for architecture arm64. The Debian revision (-2+deb11u1) is preserved, which matters for vulnerability matching: Debian and Ubuntu backport security fixes into new revisions of the same upstream version.
FAQ
How do I only analyze dpkg packages?
Specify the dpkgdb analysis target in a .fossa.yml file to exclude all other targets:
# .fossa.ymlversion: 3targets: only: - type: dpkgdb