-
Notifications
You must be signed in to change notification settings - Fork 568
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wrong layer attribution for alpine package #645
Comments
Hi @cdupuis — I see what you're saying. I think this would be accomplished by the feature request #435. I believe Syft is behaving as intended here, but I think there's room to improve the experience for SBOM consumers. Today, Syft has the notion of "scope", which governs how it interprets a set of image layers. This is described briefly here. Syft has a flag
When I run this:
I see Syft report busybox at layer Do you agree that this would be resolved by #435? Curious for your thoughts. 😃 |
Thanks for your response @luhring (as always). Really appreciate it. I see what you are saying. That makes sense. Although I still wonder why, even with the I wonder if internal catalogers that detect packages based on |
I think this is tricky. What's the best way to determine if a given package is installed? In my experience, different people have different answers. But if there's an approach that seems better all-around, and it can be implemented correctly in Syft, we're definitely open to considering it. |
Yeah, this is indeed tricky. I was wondering if you could compare the contents of the In this particular case it would have correctly reported out the fact that |
How would we determine this part? I follow that we'd look at a diff between two layers, but it's not yet clicking for me what we'd actually be looking at within that diff, and how we could determine positively that what we see in the diff means a package was installed. 🤔 |
Let me see if I can come with an example to explain what I mean. Let's use the following FROM alpine:3.8
RUN apk add --update openssl && \
rm -rf /var/cache/apk/*
RUN apk add --update git && \
rm -rf /var/cache/apk/*
And now extracting 542a543,677
> C:Q1msk1gr7VqUXzKzaJFftp7BkZN40=
> P:libcrypto1.0
> V:1.0.2u-r0
> A:x86_64
> S:1081261
> I:2527232
> T:Crypto library from openssl
> U:https://openssl.org
> L:openssl
> o:openssl
> m:Timo Teras <[email protected]>
> t:1577097004
> c:33832d93c0d87e0c90f543ea973e7d12ea27a3ee
> D:so:libc.musl-x86_64.so.1 so:libz.so.1
> p:so:libcrypto.so.1.0.0=1.0.0
> F:lib
> R:libcrypto.so.1.0.0
> a:0:0:555
> Z:Q1ODLwNd+vPlxqXtyqOPosQSp6S0o=
> F:usr
> F:usr/lib
> R:libcrypto.so.1.0.0
> a:0:0:777
> Z:Q1jLDKGBtunzKi5FKmK/QTAqfh6uI=
> F:usr/lib/engines
> R:libubsec.so
> a:0:0:555
> Z:Q1iiivUsMTTJMWQpEj8HY3IZZEf70=
> R:libatalla.so
> a:0:0:555
> Z:Q1eqkecvfWqutP5LPkvnrTBXFv13w=
> R:libcapi.so
> a:0:0:555
> Z:Q1u2M2IQyJrxdidQcT0dUnLchcROo=
> R:libgost.so
> a:0:0:555
> Z:Q1npvb9lOH9SspSTJGQNuk4+HySig=
> R:libcswift.so
> a:0:0:555
> Z:Q1wY3zhv7ZZoUh0FJQUkS6HZb5kF8=
> R:libchil.so
> a:0:0:555
> Z:Q1APntUyjcYghRksq6wFod7oipZbc=
> R:libgmp.so
> a:0:0:555
> Z:Q1sZjid4xbEJ7KHcrm9yn2Mcc97ws=
> R:libnuron.so
> a:0:0:555
> Z:Q1fCmj18y8yXwY7CPYySZMygigA2I=
> R:lib4758cca.so
> a:0:0:555
> Z:Q1X71JsOn/y8S9YLn+r/a+q1wQRyE=
> R:libsureware.so
> a:0:0:555
> Z:Q1dq4UpiuK68Py/IfGLlFjahexBwM=
> R:libpadlock.so
> a:0:0:555
> Z:Q1o5NkgSdiwazx0O/BFsMqyF2b3J8=
> R:libaep.so
> a:0:0:555
> Z:Q1Jk1Jm6rQz7/7iZS3wKfrSOhvM6Q=
>
> C:Q1j6f5OinvEk2hXX4ixBZAaSUyCFI=
> P:libssl1.0
> V:1.0.2u-r0
> A:x86_64
> S:178745
> I:446464
> T:SSL shared libraries
> U:https://openssl.org
> L:openssl
> o:openssl
> m:Timo Teras <[email protected]>
> t:1577097004
> c:33832d93c0d87e0c90f543ea973e7d12ea27a3ee
> D:so:libc.musl-x86_64.so.1 so:libcrypto.so.1.0.0
> p:so:libssl.so.1.0.0=1.0.0
> F:lib
> R:libssl.so.1.0.0
> a:0:0:555
> Z:Q16DcHo5QMCgiUp0m3PMz1vNcNloc=
> F:usr
> F:usr/lib
> R:libssl.so.1.0.0
> a:0:0:777
> Z:Q1ke5dnHGVWcEyRpOe0/lKEqizHHQ=
>
> C:Q1lqpDb+AGEDJhTe424m3ypSjTetE=
> P:openssl
> V:1.0.2u-r0
> A:x86_64
> S:225381
> I:606208
> T:Toolkit for SSL v2/v3 and TLS v1
> U:https://openssl.org
> L:openssl
> o:openssl
> m:Timo Teras <[email protected]>
> t:1577097004
> c:33832d93c0d87e0c90f543ea973e7d12ea27a3ee
> D:so:libc.musl-x86_64.so.1 so:libcrypto.so.1.0.0 so:libssl.so.1.0.0
> p:cmd:openssl
> F:etc
> F:etc/ssl
> F:etc/ssl/misc
> R:CA.sh
> a:0:0:755
> Z:Q1VUnDWEc6DtI6M1Ngvvwp0bA0kuo=
> R:CA.pl
> a:0:0:755
> Z:Q1Te7DTzGXy7s1g4UxBpjWkQlttlY=
> R:c_issuer
> a:0:0:755
> Z:Q1DMeRt9xZV79DtM/LXmid6o2Dsa4=
> R:c_name
> a:0:0:755
> Z:Q1dq38GG/1BidPqAZgB52sqOUrsLw=
> R:c_hash
> a:0:0:755
> Z:Q13rsdWLk2vlPk3gD8ylFFOWSi58s=
> R:tsget
> a:0:0:755
> Z:Q1nmxuEYwvukO24lcnedWx5HlDxzU=
> R:c_info
> a:0:0:755
> Z:Q1GmZ/x6gIUw9ccftpFx7CRD/ykSU=
> F:etc/ssl/certs
> F:etc/ssl/private
> F:usr
> F:usr/bin
> R:openssl
> a:0:0:755
> Z:Q1yMYRzAPYCIFie0jFMltqNl/5R1w=
> F:usr/lib
> This diff would indicate that Now doing the same with the 2 and 3 shows a similar result and indicates that 677a678,1728
> C:Q1PThpYjYSaExuaI3FKwWmG/jupq0=
> P:ca-certificates
> V:20191127-r2
> A:x86_64
> S:174932
> I:733184
> T:Common CA certificates PEM files from Mozilla
> U:https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/
> L:MPL-2.0 GPL-2.0-or-later
> o:ca-certificates
> m:Natanael Copa <[email protected]>
> t:1591195980
> c:f91a48ba3659cc21c3b5467576f4b35da642164b
> D:/bin/sh so:libc.musl-x86_64.so.1 so:libcrypto.so.43
> p:cmd:c_rehash cmd:update-ca-certificates
> r:libcrypto1.0 openssl
> F:etc
> R:ca-certificates.conf
> Z:Q1bWg/EVw1q6GtWhym7eF5k72sZF4=
> F:etc/ca-certificates
> F:etc/ca-certificates/update.d
> R:certhash
> a:0:0:755
> Z:Q1pxPSWX01pfOF6GEDK4MWWAXF/GI=
> F:etc/apk
> F:etc/apk/protected_paths.d
> R:ca-certificates.list
> Z:Q15Z0Sr1o7f7TchDHWcWYgW7zi8JU=
> F:etc/ssl
> F:etc/ssl/certs
> F:usr
> F:usr/sbin
> R:update-ca-certificates
> a:0:0:755
> Z:Q189BstbJPKJTamk1e2ZLKZQUUFO0=
> F:usr/bin
> R:c_rehash
> a:0:0:755
> Z:Q1680+HtWIcQStByj6WQxLMF6+PSc=
> F:usr/local
> F:usr/local/share
> F:usr/local/share/ca-certificates
> F:usr/share
> F:usr/share/ca-certificates
> F:usr/share/ca-certificates/mozilla
> R:Certigna_Root_CA.crt
> Z:Q1VdBji67nphRLjjwCjCTuEScgLDw=
> R:Taiwan_GRCA.crt
> Z:Q1JY+r3c8G1ZOygwPrFezjs52t318=
> R:LuxTrust_Global_Root_2.crt
> Z:Q1VGlaQPYfCtkuauec9h6UYgmSvJE=
> R:OISTE_WISeKey_Global_Root_GC_CA.crt
> Z:Q1s9z9hD3/Vmr07wpIPmV5/7USzDc=
> R:Starfield_Class_2_CA.crt
> Z:Q1x4mQIjkIDcfi6C+oVqX2yiDsyX4=
> R:Izenpe.com.crt
> Z:Q1GeaIXHKBc2WVUUgM5R3dJoDGgFs=
> R:GTS_Root_R3.crt
> Z:Q1cw4ZH/NhO2AAGClZwxr2pLGRgVE=
> R:SecureTrust_CA.crt
> Z:Q1YnaZhQ0ZyJ9uDLdJTXfLDGwrgc4=
> R:Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
> Z:Q1bi0FmdlvvYon38mjVfT446CbNd4=
> R:Go_Daddy_Root_Certificate_Authority_-_G2.crt
> Z:Q1dg+7Ns+1WmfHHKw9zw02jqn5juc=
> R:QuoVadis_Root_CA_2_G3.crt
> Z:Q1Xz/eGc+P/GA4VXW5iXVkS3t/8DE=
> R:Security_Communication_Root_CA.crt
> Z:Q1hHXaxl+s+AkgSwN4hsJyFzYPhyo=
> R:Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
> Z:Q152hIZP/jRh+jHTYn0f5bhMMk3xk=
> R:CA_Disig_Root_R2.crt
> Z:Q1caI4aKvuMtU9JXPcc7guC3fXb7g=
> R:Amazon_Root_CA_1.crt
> Z:Q18NLSUe9e6EuOBdgBIFahSV/PNLM=
> R:Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
> Z:Q11k0g4DoAXieyeb4onAM2NE4G3tI=
> R:Amazon_Root_CA_3.crt
> Z:Q1LnFTqB+5ig+7UIs7k4KeTp7aXSM=
> R:ISRG_Root_X1.crt
> Z:Q1Telif+ms5KzOJ+qhoIN809tVcEs=
> R:Comodo_AAA_Services_root.crt
> Z:Q1sKnpNU0d6bSImINWsCsa//WGMG0=
> R:CFCA_EV_ROOT.crt
> Z:Q1loKCArxcjbb09WtNgaJVPBCM4jo=
> R:DigiCert_Trusted_Root_G4.crt
> Z:Q14Y5YxyFxxjGFPyHd7u8PPt3/ETw=
> R:OISTE_WISeKey_Global_Root_GA_CA.crt
> Z:Q1CTFJalKdfCdTeDrjliAiZ8pIvwk=
> R:SZAFIR_ROOT_CA2.crt
> Z:Q1A9PJoBIp7M4pCCh7xT9fiyz6NuI=
> R:AddTrust_Low-Value_Services_Root.crt
> Z:Q1hmp2vWN5BgEOa2BG7c1F8HIXiXg=
> R:T-TeleSec_GlobalRoot_Class_2.crt
> Z:Q1fxseQorG0szm6j7hBs3dbVaG7u4=
> R:SSL.com_Root_Certification_Authority_RSA.crt
> Z:Q1e/+WIUpPklH+avUkzl6bKkIWFE4=
> R:GlobalSign_Root_CA_-_R3.crt
> Z:Q1GwlPBX3l+kTXlYJo2T7V9NbF29w=
> R:Global_Chambersign_Root_-_2008.crt
> Z:Q1zib8NgSVQ+4UfPeo7orQQ/CzOKI=
> R:AffirmTrust_Commercial.crt
> Z:Q1MWKWEe/aNVzcYng71h6RqguiCqY=
> R:Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.crt
> Z:Q10Hp0kVBVQBfAm9wBo871UKX6QjA=
> R:SwissSign_Gold_CA_-_G2.crt
> Z:Q1W7RaFtsQpJCJYOUSdokxP/9EIgg=
> R:GlobalSign_Root_CA.crt
> Z:Q16IMApFoHJhWCQ6TvfyCVvjE+WU0=
> R:AC_RAIZ_FNMT-RCM.crt
> Z:Q1zrQ8jr6mXkYXKfBxrS9O9iqDG6E=
> R:DigiCert_Assured_ID_Root_G3.crt
> Z:Q1B2g6wk4HH2F5S47x13+pCWuNapA=
> R:Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.crt
> Z:Q1kCPnRN0wRwpolLsDOgD8gAENeuQ=
> R:Atos_TrustedRoot_2011.crt
> Z:Q1PnvxSafNMice8YMooix2a9sZLHY=
> R:GeoTrust_Primary_Certification_Authority.crt
> Z:Q1vYDbTdnayFLLcmp5ZypayM0Vipo=
> R:certSIGN_ROOT_CA.crt
> Z:Q1NyaLsxBz4ftdfjIhwgPScDOIbnI=
> R:GDCA_TrustAUTH_R5_ROOT.crt
> Z:Q1J27wGT+f8qXuQ3rKpAacjUxBhR4=
> R:thawte_Primary_Root_CA.crt
> Z:Q1UNB2LvgVRjHW+5z9fzOP5I8nqpA=
> R:Hongkong_Post_Root_CA_1.crt
> Z:Q1kD9hfEiU7vcIF6vuRufvKyna8t4=
> R:Cybertrust_Global_Root.crt
> Z:Q1F/LhdIx7Hf4Q5ctq+UYn10e7OZQ=
> R:Starfield_Services_Root_Certificate_Authority_-_G2.crt
> Z:Q1KQkbdqCOUgSGV551isbEoJ6g/g4=
> R:QuoVadis_Root_CA_2.crt
> Z:Q1HI16QKVk+1nqGAgCBC2Lgqiu2jg=
> R:GeoTrust_Global_CA.crt
> Z:Q1A+C3nAWpKpU+F/oiPnmVlCR4AWg=
> R:Hongkong_Post_Root_CA_3.crt
> Z:Q11ceM459tfKe1iQF+u1em2iH6j8o=
> R:SecureSign_RootCA11.crt
> Z:Q1KBJxBxytqPGGdGdkQoEgY+p3NgE=
> R:Go_Daddy_Class_2_CA.crt
> Z:Q1mPHMPZ8Jc2ketK6aHq+sf9YwHfs=
> R:IdenTrust_Commercial_Root_CA_1.crt
> Z:Q1T6cBv1VrjS+3j6j0dkOiElI/Gnc=
> R:TWCA_Root_Certification_Authority.crt
> Z:Q1YMM+hVeJEGv3WjyXaW/dLViJBGc=
> R:Staat_der_Nederlanden_EV_Root_CA.crt
> Z:Q1JmwEU697kLbFSLPcQR0wkB+JN+0=
> R:OISTE_WISeKey_Global_Root_GB_CA.crt
> Z:Q1/OLA3AWcGtOsk9QWtrquu16Xt18=
> R:DigiCert_Assured_ID_Root_G2.crt
> Z:Q1lmLQRiWxg2Vf2wME9kSGWiiir3w=
> R:Starfield_Root_Certificate_Authority_-_G2.crt
> Z:Q1ZZS+OnDfqpy7m0htvG4CcWR/tho=
> R:SSL.com_EV_Root_Certification_Authority_ECC.crt
> Z:Q1w9AVqjkkw0B32+f1eNbOOJuRnXE=
> R:EE_Certification_Centre_Root_CA.crt
> Z:Q1uRHLGr4AOPeZul0eCu9npI1RjG8=
> R:Buypass_Class_2_Root_CA.crt
> Z:Q1Cj5B506aQTcDZSXwwv1tjt/cfDk=
> R:emSign_Root_CA_-_G1.crt
> Z:Q1b4bdtYXS9RawKPohlY8Jq+RjuMw=
> R:Certum_Root_CA.crt
> Z:Q1n5ENSiPh/TnI0lplSAGAxYPPSP8=
> R:TeliaSonera_Root_CA_v1.crt
> Z:Q1oiGaf9Cne+dCKgIEm40ngFwCULo=
> R:AffirmTrust_Networking.crt
> Z:Q1h6mFdWOWfVnMvlHkqPwrov2h6Rk=
> R:AffirmTrust_Premium_ECC.crt
> Z:Q1QHiDLI6H4VUqYdLyfjiRfxQ8iRk=
> R:ACCVRAIZ1.crt
> Z:Q1Yg+imHdMYbwUfkdmdTJSJnpNnJ0=
> R:DigiCert_Assured_ID_Root_CA.crt
> Z:Q11jaiOW4ptOkeABBqGDk4ptdG9xY=
> R:QuoVadis_Root_CA_3.crt
> Z:Q1yF3UetR2TiqvM+KLZ2+1A4wFaKg=
> R:SwissSign_Silver_CA_-_G2.crt
> Z:Q1yfZUppgAQEFV06v7PvIzgs2pLa0=
> R:TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.crt
> Z:Q1IF7PbkDY+dxwC5Ms5qOiaDaZRlI=
> R:GeoTrust_Primary_Certification_Authority_-_G3.crt
> Z:Q1B0wBQW9PsFBqAAEmZkAmMSwGNmQ=
> R:QuoVadis_Root_CA_1_G3.crt
> Z:Q1d0Rc+cAAiFiNDnwzBmJTicMP9L4=
> R:Entrust_Root_Certification_Authority_-_G2.crt
> Z:Q1YDDay2u0w6zVi1KDE6a0F83bzbg=
> R:Staat_der_Nederlanden_Root_CA_-_G3.crt
> Z:Q1yU4jwLLkuY8HsvPOYS09eITzVd8=
> R:COMODO_ECC_Certification_Authority.crt
> Z:Q16Zlove6WSuq9LwJcyr4dEIWy+Iw=
> R:COMODO_RSA_Certification_Authority.crt
> Z:Q19AaUb0qbN51K+YR0UcoB3EDPuWg=
> R:QuoVadis_Root_CA.crt
> Z:Q1meTudHGg/QmEMGekm8fy5lpYz2I=
> R:D-TRUST_Root_Class_3_CA_2_EV_2009.crt
> Z:Q1mzrwTFcbong1Q8WrUZOqJ5OY+nY=
> R:DigiCert_Global_Root_G2.crt
> Z:Q1vNYPBwCO7TvR0WqXT/8Lk85oEQs=
> R:Entrust_Root_Certification_Authority.crt
> Z:Q1hMJwKUa2iVrAniX8TszWhRKaLic=
> R:EC-ACC.crt
> Z:Q19zNyDboW8eGeSJ6YeggR5OuojxM=
> R:UCA_Extended_Validation_Root.crt
> Z:Q1c2xtj6NuNIe0Y7XBSN1qCos5qZw=
> R:XRamp_Global_CA_Root.crt
> Z:Q1i3Ay7Lre5sw0bSuFushbUD7rcA0=
> R:Trustis_FPS_Root_CA.crt
> Z:Q1Av11SZPSgw5yvqA6nmA9RvovIz0=
> R:GeoTrust_Primary_Certification_Authority_-_G2.crt
> Z:Q1Jdu0/LQSs41IgsBujmo2bHmQcg4=
> R:emSign_ECC_Root_CA_-_G3.crt
> Z:Q1P1uKoUGnyo2ucdhrcHR5Bxf/vnY=
> R:thawte_Primary_Root_CA_-_G3.crt
> Z:Q1OBZ4LvJifyj5ckbtBnZA+8gS3e4=
> R:Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
> Z:Q1ezXs+8GTPJzzPTU0NwF0cEKwMms=
> R:NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
> Z:Q1PBwBdef4LfpqpvbMMqrtFaxQ9C0=
> R:Amazon_Root_CA_2.crt
> Z:Q1Mjt7ShDA2NoZij6MBZyb7CT0ky0=
> R:Camerfirma_Global_Chambersign_Root.crt
> Z:Q1C7KdDorgV040tTuAwVRjNm4oXbI=
> R:TrustCor_RootCert_CA-2.crt
> Z:Q1b75fdaAKuvpLlRqotHptQk7zBA4=
> R:Amazon_Root_CA_4.crt
> Z:Q12ayOl3M2DRbZUiV0diaHPoGqn9Y=
> R:Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.crt
> Z:Q1EkWUBO/EgriupS76AwgK5EJJGuY=
> R:emSign_ECC_Root_CA_-_C3.crt
> Z:Q1zYsDcDDxkMsTErh0fzzRhBWGq7I=
> R:Security_Communication_RootCA2.crt
> Z:Q1aFENB5LpVZLc/j6tIwpYCWz0334=
> R:DigiCert_Global_Root_CA.crt
> Z:Q1RBgpDAr2YYQ7KMcPTrco9MxGKWA=
> R:ePKI_Root_Certification_Authority.crt
> Z:Q1ukis7BL6ag6KKa2IAYJcbQorhek=
> R:GlobalSign_Root_CA_-_R6.crt
> Z:Q1pfhGidPu6wwM9n3QvPp+hzs1U7M=
> R:D-TRUST_Root_CA_3_2013.crt
> Z:Q16ESZiwdqsH2cMXAS56Hz8j0eRLY=
> R:VeriSign_Universal_Root_Certification_Authority.crt
> Z:Q1HErww9hPl6NJFnDXXcKtruu1Bxs=
> R:Certum_Trusted_Network_CA.crt
> Z:Q1dsOv1er41cvyUPCLkj+/kIXGeT4=
> R:COMODO_Certification_Authority.crt
> Z:Q1tLncnPRwxmsenlPDApoHqUGJgYU=
> R:SwissSign_Platinum_CA_-_G2.crt
> Z:Q1dFWSBC5s8ZsU8OxQ9bvtgciEEjI=
> R:Camerfirma_Chambers_of_Commerce_Root.crt
> Z:Q1j4l3MEzwpsbzZYSlzGBIoWCFwlU=
> R:emSign_Root_CA_-_C1.crt
> Z:Q1mbgWLDLz7PBYBhErqnercjDpmNU=
> R:T-TeleSec_GlobalRoot_Class_3.crt
> Z:Q1KoPK9TUdQT1Ev/m36j4Gz2JA7uQ=
> R:DigiCert_Global_Root_G3.crt
> Z:Q17gm3Wh+4D3Y1T0Xazjb6UXTZa7A=
> R:Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.crt
> Z:Q1m9n9nAlOJnAllvtVxbmBMbUWQhk=
> R:VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
> Z:Q1XFspUHyVErZYgHyHlnrbaOZQqC8=
> R:Secure_Global_CA.crt
> Z:Q1hq7QkVBqW9ZIBb1DMFSQXDmkLBA=
> R:Actalis_Authentication_Root_CA.crt
> Z:Q1URypVgcCKpntjmi9Y/E2xIVM78s=
> R:Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
> Z:Q1Itn+gzAv8GriXm77jMH6Id+vDnI=
> R:USERTrust_RSA_Certification_Authority.crt
> Z:Q1LyOAaFvg6owb4eGoSW/58iDE9hw=
> R:D-TRUST_Root_Class_3_CA_2_2009.crt
> Z:Q1CVXtoLnzXYkVz8Xey6D97/owehU=
> R:AffirmTrust_Premium.crt
> Z:Q1Kke7oacZjzthsXkjna3IttlVWIc=
> R:GTS_Root_R2.crt
> Z:Q1kZ6ME6RbjL9lEz+dzLRPOBlvUqk=
> R:Certigna.crt
> Z:Q1/l30B8TLpw9JkoQQv1XfA9Hicy8=
> R:TWCA_Global_Root_CA.crt
> Z:Q1OH9yg4dVzVC6GdL7KcHwOAN3btg=
> R:IdenTrust_Public_Sector_Root_CA_1.crt
> Z:Q1thO7Om3MLuesYtCVHg6pvL1I/4w=
> R:TrustCor_ECA-1.crt
> Z:Q1kuNY0O+oHUTetOVaxmxTUl8EChE=
> R:Staat_der_Nederlanden_Root_CA_-_G2.crt
> Z:Q1q+zK+4s+BdPglYHM3INKUgkBuWY=
> R:Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
> Z:Q1/CxV6yQo8lb/VblsISOoKOmPGmY=
> R:SSL.com_EV_Root_Certification_Authority_RSA_R2.crt
> Z:Q1LEFEQi79PXeM9fPCgHJOYS7Ymyk=
> R:QuoVadis_Root_CA_3_G3.crt
> Z:Q1fHadn9tN9NdDrJ24/SY3Y+Hp5J4=
> R:Chambers_of_Commerce_Root_-_2008.crt
> Z:Q1aoheWbyYbE4o92pjJwCxxa5Hub0=
> R:DST_Root_CA_X3.crt
> Z:Q1Y28cdtgN5tSRYwE9weYkpsp6Ta0=
> R:TrustCor_RootCert_CA-1.crt
> Z:Q1aw5p4YFvGgp12pdaPzKfD15WfR8=
> R:Entrust.net_Premium_2048_Secure_Server_CA.crt
> Z:Q1LicN/AuTM/JrWZ6s9CzhD7JoIVQ=
> R:GTS_Root_R1.crt
> Z:Q1gf+QIXSflI4PvFaPVMhsL5m0dU8=
> R:Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
> Z:Q1tqyQI09yWCWAznc5WvrGgKUfhsE=
> R:USERTrust_ECC_Certification_Authority.crt
> Z:Q12c4P9Wxxu0CROI6jjgHZdWWnVX8=
> R:DigiCert_High_Assurance_EV_Root_CA.crt
> Z:Q1/yQqgtaVyh5HbsWkZctE8HR+21g=
> R:thawte_Primary_Root_CA_-_G2.crt
> Z:Q1UwAy9Mi2fIePO/aFn3cizaoSALc=
> R:GlobalSign_Root_CA_-_R2.crt
> Z:Q1M5SBYtNGil17CwFHxY1ssEesQpY=
> R:GeoTrust_Universal_CA.crt
> Z:Q1cNlhXZdJneVCQrosysxpGwnChOE=
> R:GlobalSign_ECC_Root_CA_-_R4.crt
> Z:Q14ofywW9sCB/uwcjaRPHuR+W01Mo=
> R:Entrust_Root_Certification_Authority_-_G4.crt
> Z:Q12M+H1tKT+20y4srpA0MxJ0JvxpQ=
> R:Baltimore_CyberTrust_Root.crt
> Z:Q1r4Wn/AFocJkJ5dnML2BgnFHI/sc=
> R:Sonera_Class_2_Root_CA.crt
> Z:Q1cVjaI6B6aKMib0aXrmdsGrknca4=
> R:GTS_Root_R4.crt
> Z:Q1TDyFCqaL2QfnpMtfEWAU0n4UMCU=
> R:GlobalSign_ECC_Root_CA_-_R5.crt
> Z:Q1tTA6apTbLuUc6bB84FcApoOcTQw=
> R:Microsec_e-Szigno_Root_CA_2009.crt
> Z:Q12GFvQ5RYNm5qWpTSxycTwMj/zTs=
> R:GeoTrust_Universal_CA_2.crt
> Z:Q1DxMFS5f9TVpxEIyE18U2DQn2BSM=
> R:VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
> Z:Q1O135aetWqrFqIlY6Lrg7wodsXdw=
> R:UCA_Global_G2_Root.crt
> Z:Q1FAwCc4Q3HykwmMXJPJOI2f3iJZU=
> R:Entrust_Root_Certification_Authority_-_EC1.crt
> Z:Q1vsDvp7XZRmS2Qn0L3CLneubtHWs=
> R:E-Tugra_Certification_Authority.crt
> Z:Q18XY975DIsrXcz7TdUqctRp3oMPQ=
> R:Buypass_Class_3_Root_CA.crt
> Z:Q1W4iUMLfdFRfJT4e3cXXFr5V7FaQ=
> R:SSL.com_Root_Certification_Authority_ECC.crt
> Z:Q10PJ40hKbrw0b5weDETb1zhbeyY4=
> R:Network_Solutions_Certificate_Authority.crt
> Z:Q1E/17ob1ZlENzmyurStRUJ26xYxc=
> R:Certum_Trusted_Network_CA_2.crt
> Z:Q1Fk2yMYJ/htcwEtxmgPtr53fyBaw=
>
> C:Q1EToCBKEmeBdTneiJj7exZpuUtS0=
> P:nghttp2-libs
> V:1.39.2-r0
> A:x86_64
> S:67180
> I:155648
> T:Experimental HTTP/2 client, server and proxy (libraries)
> U:https://nghttp2.org
> L:MIT
> o:nghttp2
> m:Francesco Colista <[email protected]>
> t:1568186892
> c:1dc7b4f0c96ed51dcf6d72c6251e6bb4f6ff24ea
> D:so:libc.musl-x86_64.so.1
> p:so:libnghttp2.so.14=14.18.0
> F:usr
> F:usr/lib
> R:libnghttp2.so.14
> a:0:0:777
> Z:Q1LPn1/GhjknxncslDnIV2sozleRg=
> R:libnghttp2.so.14.18.0
> a:0:0:755
> Z:Q1n1yCxO+rgqHtKRvYz/4byA3czbE=
>
> C:Q1HZNUYHGFSlhSOEdrONERG5VpMqE=
> P:libssh2
> V:1.9.0-r1
> A:x86_64
> S:93814
> I:221184
> T:library for accessing ssh1/ssh2 protocol servers
> U:https://libssh2.org/
> L:BSD
> o:libssh2
> m:Natanael Copa <[email protected]>
> t:1571996730
> c:4763b1bc00bf1da982aabff8810e53fd9dced2f0
> D:so:libc.musl-x86_64.so.1 so:libcrypto.so.43 so:libz.so.1
> p:so:libssh2.so.1=1.0.1
> F:usr
> F:usr/lib
> R:libssh2.so.1
> a:0:0:777
> Z:Q1D2bctUiR7ouD4db7CotuX/7bOl8=
> R:libssh2.so.1.0.1
> a:0:0:755
> Z:Q1/iM/3g+JPd47eY90ZgzpZRkpIUk=
>
> C:Q1fyUS5OyIxEQ7kHjju3h54DsN1Zc=
> P:libcurl
> V:7.61.1-r3
> A:x86_64
> S:216028
> I:466944
> T:The multiprotocol file transfer library
> U:https://curl.haxx.se
> L:MIT
> o:curl
> m:Natanael Copa <[email protected]>
> t:1568707440
> c:c64caaa6d0cf04cf1a2a90b1b751edef900fd849
> D:ca-certificates so:libc.musl-x86_64.so.1 so:libcrypto.so.43 so:libnghttp2.so.14 so:libssh2.so.1 so:libssl.so.45 so:libz.so.1
> p:so:libcurl.so.4=4.5.0
> F:usr
> F:usr/lib
> R:libcurl.so.4
> a:0:0:777
> Z:Q1ngrNm+ppawZtfHpO0LvmUxP8f58=
> R:libcurl.so.4.5.0
> a:0:0:755
> Z:Q1LZx+ksH6MHln5rfb1QnCWS/nHk8=
>
> C:Q1ivNP9Fg164j6sWYwhw6I3vrgex8=
> P:expat
> V:2.2.8-r0
> A:x86_64
> S:66892
> I:176128
> T:An XML Parser library written in C
> U:http://www.libexpat.org/
> L:MIT
> o:expat
> m:Carlo Landmeter <[email protected]>
> t:1568974105
> c:f8aaee8bb88596131af189a58b1e5a210c085584
> D:so:libc.musl-x86_64.so.1
> p:so:libexpat.so.1=1.6.10 cmd:xmlwf
> F:usr
> F:usr/bin
> R:xmlwf
> a:0:0:755
> Z:Q1J/ePy7lvBqK3m1i4wX0J9HCCO08=
> F:usr/lib
> R:libexpat.so.1.6.10
> a:0:0:755
> Z:Q1dKmXIEhVFoThew/M1zpyk+tnzHg=
> R:libexpat.so.1
> a:0:0:777
> Z:Q1DBU5ysdwK91copPhknaLG4SxYgo=
>
> C:Q1dAOptgXbFQyMv8D1boHibW36t3U=
> P:pcre2
> V:10.31-r0
> A:x86_64
> S:225993
> I:602112
> T:Perl-compatible regular expression library
> U:http://pcre.sourceforge.net/
> L:BSD-3-Clause
> o:pcre2
> m:Jakub Jirutka <[email protected]>
> t:1525177497
> c:f15559ce104532156bf682903cec5ced0bec1426
> D:so:libc.musl-x86_64.so.1
> p:so:libpcre2-8.so.0=0.7.0 so:libpcre2-posix.so.2=2.0.0
> F:usr
> F:usr/lib
> R:libpcre2-8.so.0.7.0
> a:0:0:755
> Z:Q1PhoXKII1nLphwj01/k4F8fys20c=
> R:libpcre2-8.so.0
> a:0:0:777
> Z:Q1VDS0WV6wx1Sn8zNR/rTPN5IJcdQ=
> R:libpcre2-posix.so.2
> a:0:0:777
> Z:Q1ui7wLyv6d05O7H5YMRQN5ft2e7o=
> R:libpcre2-posix.so.2.0.0
> a:0:0:755
> Z:Q1tU9/aLuC36Kjk6nP2IwZrOftTkQ=
>
> C:Q1ubA4spcN4PRTWxVOI1GHI3+Ii74=
> P:git
> V:2.18.4-r0
> A:x86_64
> S:6568718
> I:13213696
> T:Distributed version control system
> U:https://www.git-scm.com/
> L:GPL-2.0-or-later
> o:git
> m:Natanael Copa <[email protected]>
> t:1587495829
> c:f32b8f8df8e99e7b325c18d9faefd359d2f1a39a
> D:so:libc.musl-x86_64.so.1 so:libcurl.so.4 so:libexpat.so.1 so:libpcre2-8.so.0 so:libz.so.1
> p:cmd:git cmd:git-receive-pack cmd:git-shell cmd:git-upload-archive cmd:git-upload-pack
> r:git-perl
> F:usr
> F:usr/libexec
> F:usr/libexec/git-core
> R:git-fmt-merge-msg
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-parse-remote
> Z:Q1JJP2c5/FjhaiD9dr0Ue+FYnk4zg=
> R:git-describe
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-repack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-bisect--helper
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-whatchanged
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-revert
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-cat-file
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-tree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-serve
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-subtree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-read-tree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-verify-tag
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-commit
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-var
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rebase--helper
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-reset
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-diff
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-clean
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-verify-commit
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-push
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-remote-ftps
> a:0:0:755
> Z:Q1FNQ3oYyunabkCkiwZ2XTxnn1+0U=
> R:git-credential-cache--daemon
> a:0:0:755
> Z:Q1rp8cQFyXI34CT30j/Z5Ya9bDyqc=
> R:git-merge-base
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-branch
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-bisect
> a:0:0:755
> Z:Q1c2PO1ax6h+ynMqJUITYNu+kdZkQ=
> R:git-pack-redundant
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-interpret-trailers
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-prune-packed
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-diff-index
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-show-branch
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rebase--interactive
> Z:Q1H21TeAx/uJhd08DlSLHHoTsF69k=
> R:git-check-mailmap
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-cherry-pick
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-worktree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-fetch-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-mailinfo
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-format-patch
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-tag
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-add
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-column
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-mailsplit
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-filter-branch
> a:0:0:755
> Z:Q1BobShuYt3dHDekXsvGNKPh21oOM=
> R:git-stash
> a:0:0:755
> Z:Q1hal+sCJldSaTpM1BsaFJbVvhqnA=
> R:git-name-rev
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rebase--am
> Z:Q1AdwlHaafb0eiDS7XrQAQdaslUgk=
> R:git-rev-list
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-notes
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-init
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-init-db
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-shortlog
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rerere
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-fsck-objects
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-mv
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-fetch
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-for-each-ref
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-difftool--helper
> a:0:0:755
> Z:Q1lW64qKFngkdzefVkZdluuw43vbE=
> R:git-stage
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-pull
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-diff-tree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rev-parse
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-check-attr
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-credential-store
> a:0:0:755
> Z:Q18kiG7CfYtU/O6OM8P4qNqgAKlrM=
> R:git-remote-fd
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-annotate
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-apply
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-checkout-index
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-commit-graph
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-pack-objects
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-http-push
> a:0:0:755
> Z:Q1GWZrtmiFQdW3Ir+rwnuSBdCLgao=
> R:git-mergetool
> a:0:0:755
> Z:Q1S6vLNe594R6J5/OBz2l5ndp2Xnw=
> R:git-update-ref
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-octopus
> a:0:0:755
> Z:Q1D7/bjLf08RRck/mSVIBckjmztZY=
> R:git-blame
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-one-file
> a:0:0:755
> Z:Q122u2LgGsqtiPEzBR/FtOZ4F5JIY=
> R:git-symbolic-ref
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-ls-remote
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-commit-tree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-recursive
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-check-ref-format
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-grep
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-ours
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-bundle
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-show-index
> a:0:0:755
> Z:Q104N0BrxcTf0jH8kJeDCxMFxReFw=
> R:git-mergetool--lib
> Z:Q1nhobQiqq/DMQPakNKFzyMKAR0Rc=
> R:git-upload-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-resolve
> a:0:0:755
> Z:Q1qXe+7FKzOYXP9jacviX3AuQWcHU=
> R:git-update-index
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-sh-i18n--envsubst
> a:0:0:755
> Z:Q1sEv3uqlZ7aW0BagK4R91dp5yKYA=
> R:git-mktag
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-write-tree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-credential
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-remote-http
> a:0:0:755
> Z:Q1FNQ3oYyunabkCkiwZ2XTxnn1+0U=
> R:git-quiltimport
> a:0:0:755
> Z:Q1qJCfrOj32gkJYRazhr6Cvn8gkxk=
> R:git-cherry
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-archive
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-get-tar-commit-id
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-send-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-fsck
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-difftool
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-gc
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-fast-export
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-check-ignore
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-reflog
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-remote-ext
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-file
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-mktree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-hash-object
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-web--browse
> a:0:0:755
> Z:Q1qX7DL65PBzXmnuPW/syYuSeRlwI=
> R:git-submodule--helper
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-receive-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-pack-refs
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-help
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-stripspace
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-sh-setup
> Z:Q1VKoKc5Q+/bWM/+5XK56AotDH710=
> R:git-merge
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-verify-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rebase--merge
> Z:Q1vmlrQBLQEjwhjrL5pTtaJQWCT7s=
> R:git-rebase
> a:0:0:755
> Z:Q1CHGDrlug0LXERUqTTx8s3MWd6lI=
> R:git-am
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-request-pull
> a:0:0:755
> Z:Q1f8a0I498h60PoTShUoiCxlV12Sg=
> R:git-log
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-unpack-file
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-checkout
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-status
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-remote-https
> a:0:0:755
> Z:Q1FNQ3oYyunabkCkiwZ2XTxnn1+0U=
> R:git-http-fetch
> a:0:0:755
> Z:Q1oVJyHIjvW7q5wnaP7awKe8WrffA=
> R:git-index-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-upload-archive
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-rm
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-remote-ftp
> a:0:0:755
> Z:Q1FNQ3oYyunabkCkiwZ2XTxnn1+0U=
> R:git-count-objects
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-unpack-objects
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-ls-files
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-merge-index
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-show-ref
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-sh-i18n
> Z:Q1Lkxz61Y0A8dP1ttT0uGkZTeZ9CI=
> R:git-diff-files
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-patch-id
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-show
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-remote
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-submodule
> a:0:0:755
> Z:Q1fRozSa44ONNN5yypfsSv2ewhj2I=
> R:git-prune
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-update-server-info
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-ls-tree
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-credential-cache
> a:0:0:755
> Z:Q1LYo3i6pRNwyxLs/Wd78v26BCaj8=
> R:git-clone
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-config
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-replace
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> F:usr/libexec/git-core/mergetools
> R:meld
> Z:Q1cNfAI8kVh5xLjIsj4PWxA6vAJG0=
> R:guiffy
> Z:Q1iFG0w9sQa8g5yl1BDMyI/zGwVgI=
> R:examdiff
> Z:Q1SwktMjUpAM45lzuQjPcYQIb3xFs=
> R:opendiff
> Z:Q1/Qp8ktBxoBFf37rN7suLs+0Skbs=
> R:gvimdiff
> Z:Q1jZuJYs9GrZlMHK8vb91YyJMJbYs=
> R:bc
> Z:Q1eP8Ti3qxGjR15KCuS+CaMwUkBws=
> R:araxis
> Z:Q1Nbn45diRNmggtfhiBcCgtnqEScQ=
> R:emerge
> Z:Q1NLBPgymCEVU/exZfeaVH3zZvwVc=
> R:vimdiff
> Z:Q1UyN15OIsVT/qF4XNj4DxQvGJJaY=
> R:vimdiff3
> Z:Q1jZuJYs9GrZlMHK8vb91YyJMJbYs=
> R:tkdiff
> Z:Q1Dx/CiXXX10cMNSmoU8UswnayICA=
> R:codecompare
> Z:Q1eETxVt0LsxxDJSrLfzKgdohPYws=
> R:kdiff3
> Z:Q1f1/c0x2kVOYS61gxcZc/OWiji+k=
> R:vimdiff2
> Z:Q1jZuJYs9GrZlMHK8vb91YyJMJbYs=
> R:kompare
> Z:Q1gv349exa6UCCz5F+SUF14CpUVZc=
> R:ecmerge
> Z:Q16/SvhyXRrNFXsI1xGR9smPc3UzU=
> R:diffmerge
> Z:Q1KIFMpr/3FOHmW3JMlQpNoNVudB8=
> R:xxdiff
> Z:Q1ai7xze9o8xoJfioXQcJO/aZjcfE=
> R:winmerge
> Z:Q1Mi6X4AgzTFgX14YKlxPmo9BqxZ4=
> R:gvimdiff3
> Z:Q1jZuJYs9GrZlMHK8vb91YyJMJbYs=
> R:tortoisemerge
> Z:Q11ZrkZMKW689SrCdF3ItTMMM2Oz4=
> R:diffuse
> Z:Q1xffz7Y1Svt0MMFU2CesOPPqTdTE=
> R:deltawalker
> Z:Q1PU/2BEGpv5F69I2kTEgGXgZxsJw=
> R:gvimdiff2
> Z:Q1jZuJYs9GrZlMHK8vb91YyJMJbYs=
> R:bc3
> Z:Q1nAzyoCjKTcWPYdXp1iLaKjEMcpY=
> F:usr/bin
> R:git
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-upload-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-receive-pack
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-upload-archive
> a:0:0:755
> Z:Q1Za0Wh3XgNnDhJ1jhzDjEM6VPI/8=
> R:git-shell
> a:0:0:755
> Z:Q1Op7Sx1c6qZ1uBzzW0o37nu+2rBk=
> F:usr/share
> F:usr/share/git-core
> F:usr/share/git-core/templates
> M:0:0:2755
> R:description
> Z:Q1ljXxt+EsBFISgZ3ZNNgJ7wfvovQ=
> F:usr/share/git-core/templates/info
> M:0:0:2755
> R:exclude
> Z:Q1yHnfAV2XYVBQr6e5ZB4zUqHnAaw=
> F:usr/share/git-core/templates/branches
> M:0:0:2755
> F:usr/share/git-core/templates/hooks
> M:0:0:2755
> R:pre-push.sample
> a:0:0:755
> Z:Q1XIUYv9HR09LBpxlJlMChbYoxOkE=
> R:commit-msg.sample
> a:0:0:755
> Z:Q17h7VqtmKQ18gILbeNcFzt12a/6w=
> R:prepare-commit-msg.sample
> a:0:0:755
> Z:Q1JYSAa6FHFSrgBctnWqTwHV0GhFY=
> R:pre-applypatch.sample
> a:0:0:755
> Z:Q18ggofBqSUl3p9UYukFqdMd4eLXU=
> R:pre-receive.sample
> a:0:0:755
> Z:Q1cFoX0lnniW8Agv4unywMOxJ75aw=
> R:update.sample
> a:0:0:755
> Z:Q15ynNYbJ8EolR0Tnejnxj0aN1jd4=
> R:pre-commit.sample
> a:0:0:755
> Z:Q1M3Ka1M5RrNo1CU5YHkCI8xZ6Cvg=
> R:pre-rebase.sample
> a:0:0:755
> Z:Q1KI79wAJ9tM/Yt8R8Su3boJtt7RI=
> R:applypatch-msg.sample
> a:0:0:755
> Z:Q1TeiOuVpek/0n54tfs7UjGo2JF90=
> R:post-update.sample
> a:0:0:755
> Z:Q1thTC9j2n3Knx2y563mHvMESPyWw=
> F:usr/share/perl5
> F:var
> F:var/git This diff does not contain anything about Of course, to do this kind of diffing one would need a proper parser for the Does that make sense? |
It does! I follow now, sorry. At first, I thought you were talking about inspecting other files (e.g. the busybox binaries) to make the determination. I think this implementation is along the lines of we'd do for #435. |
Sure, yeah. |
What happened:
When running
syft node@sha256:6cf4fe67db0c1e052ab251daab39e43a381a74c3738fe8207e613e416d9c30f8 -o json > syft.json
the result attributes thebusybox
package to a layer from thenode
image although IMHO this package comes in via thealpine
base image:This image contains the following layers:
3 of the 4 layers contain the
lib/apk/db/installed
file. The 1st layer hasbusybox
in itslib/apk/db/installed
:Extracting the layer tar balls and diff'ing the
lib/apk/db/installed
file between the layers reveals the following:To me this shows that none of the layers modify the
lib/apk/db/installed
to add thebusybox
package and that it really comes from the first layer and not from the 3rd layer as reported by syft.The downstream consequence of this bug is that CVE are getting reported against
node
images when those really originate from thealpine
base image and need to be fixed there.What you expected to happen:
I think that a container SBOM tool should correctly report the origin of a package. At least in this specific case, I don't think the origin of the
busybox
package can be trusted.How to reproduce it (as minimally and precisely as possible):
syft node@sha256:6cf4fe67db0c1e052ab251daab39e43a381a74c3738fe8207e613e416d9c30f8 -o json
Anything else we need to know?:
Please let me know if you need anything else to debug this. I'm happy to help.
Environment:
syft version
:The text was updated successfully, but these errors were encountered: