My question therefore is if there is a reason the file /var/lib/dpkg/status was not removed when minifying the image? Seems like it is throwing a lot of SBOM generators off.
Cheers

Normally /var/lib/dpkg/status would be removed.
The only default case when it wouldn't be removed is when the containers are designed to install Debian packages at runtime. Some containers have entrypoints that bootstrap the container with extra components (installing additional packages, downloading new data files, etc). By default, Mint/DockerSlim will keep newly created files. If you install a new package in the entrypoint container logic, everything in the install package flow will be kept as well. The --include-new flag controls this behavior. If you set it to false then anything that's not already in the container when it starts will not be kept.
Another possible way to explain /var/lib/dpkg/status is the --include-path flag. It's possible ghcr.io/sbb-design-systems/sbb-angular/showcase:14.4.3 was created with the --include-path /var/lib/dpkg/status flag set to intentionally keep the Debian package metadata, but this needs to be done intentionally by the user.
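To check whether a leftover /var/lib/dpkg/status is what misleads an SBOM generator, the package database can be compared with the files that actually survived minification. The script below is an added example, not part of the discussion above and not Mint/DockerSlim code; it assumes an exported image root filesystem in which var/lib/dpkg/info/*.list is still available, and all function names and sample data are constructed for illustration.

```python
from pathlib import Path
import tempfile

def parse_status(text):
    """Split dpkg status text into one dict of fields per package stanza."""
    pkgs = []
    for stanza in text.strip().split("\n\n"):
        # Folded continuation lines start with whitespace; only top-level fields are needed.
        lines = [l for l in stanza.splitlines() if ":" in l and not l[0].isspace()]
        fields = {k: v.strip() for k, v in (l.split(":", 1) for l in lines)}
        if "Package" in fields:
            pkgs.append(fields)
    return pkgs

def audit_rootfs(rootfs):
    """Map each package marked installed to (files still present, entries listed)."""
    root, report = Path(rootfs), {}
    dpkg = root / "var/lib/dpkg"
    for p in parse_status((dpkg / "status").read_text(encoding="utf-8")):
        if p.get("Status") != "install ok installed":
            continue  # removed, or only config files left
        name, listed = p["Package"], []
        for n in (name, f"{name}:{p.get('Architecture', '')}"):  # multiarch: name:arch.list
            lst = dpkg / "info" / f"{n}.list"
            if lst.is_file():
                listed = [l.lstrip("/") for l in lst.read_text().splitlines() if l]
                break
        present = sum((root / f).is_symlink() or (root / f).is_file() for f in listed)
        report[name] = (present, len(listed))
    return report

def phantom_packages(rootfs):
    """Packages reported as installed with no listed file left (or no file list at all)."""
    return sorted(n for n, (present, _) in audit_rootfs(rootfs).items() if present == 0)

def build_sample_rootfs(root):
    """Constructed sample: libc6 survived minification, curl's files did not."""
    files = {"var/lib/dpkg/status": "Package: libc6\nStatus: install ok installed\n"
             "Architecture: amd64\n\nPackage: curl\nStatus: install ok installed\n",
             "var/lib/dpkg/info/libc6:amd64.list": "/lib\n/lib/libc.so.6\n",
             "var/lib/dpkg/info/curl.list": "/usr/bin\n/usr/bin/curl\n", "lib/libc.so.6": ""}
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(data, encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(phantom_packages(build_sample_rootfs(tmp)))
```

Packages returned by phantom_packages are the ones an SBOM tool would report from the status file even though their files are gone from the minified image.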