What happened:
When running Syft on a filesystem from a distribution that has the CONFIG_MODULE_COMPRESS kernel config option enabled, Syft does not scan the kernel module files and thus reports far fewer packages than on a non-compressed distribution.
For example, on my custom distribution based on Debian 13, here is the total size of the /lib/modules directory and an example of one directory:

```
# du -sh lib/modules/
107M lib/modules/
# ls lib/modules/6.12.74+deb13+1-rt-amd64/kernel/drivers/net/ethernet/intel/ice
-rw-r--r--. 1 root root 494K Mar 8 19:54 ice.ko.xz
```
`syft scan /` on the filesystem only finds 2 packages (probably the vmlinux ones):

```
[0003] DEBUG discovered 2 packages cataloger=linux-kernel-cataloger
[0003] INFO task completed elapsed=35.271986ms task=linux-kernel-cataloger
```
What you expected to happen:
Way more packages should be detected. Here is an example for a scan on a Debian 12 filesystem that does not have the CONFIG_MODULE_COMPRESS kernel config option enabled:
```
# du -sh lib/modules
396M lib/modules
# ls lib/modules/6.1.0-41-rt-amd64/kernel/drivers/net/ethernet/intel/ice
ice.ko
```

```
[0003] DEBUG discovered 4021 packages cataloger=linux-kernel-cataloger
... lots of "missing version" messages
[0003] DEBUG package with missing version, stubbing with default value location=/usr/lib/modules/6.1.0-41-rt-amd64/kernel/sound/soc/intel/skylake/snd-soc-skl.ko pkg=Pkg(name="snd_soc_skl" version="" type="linux-kernel-module" id="5cd10619b7945d61")
[0003] INFO task completed elapsed=850.796168ms task=linux-kernel-cataloger
```
Steps to reproduce the issue:
- Start a Debian 13 VM
- Run a syft scan on /
Anything else we need to know?:
It looks like this is because the kernel cataloger only scans `.ko` files and not `.ko.xz` ones (syft/syft/pkg/cataloger/kernel/capabilities.yaml, lines 27 to 34 at 90198da):

```yaml
criteria:
  - '**/kernel'
  - '**/kernel-*'
  - '**/vmlinux'
  - '**/vmlinux-*'
  - '**/vmlinuz'
  - '**/vmlinuz-*'
  - '**/lib/modules/**/*.ko'
```
The MR that introduced modules compression on Debian 13:
https://salsa.debian.org/kernel-team/linux/-/merge_requests/1279
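As an added check (not part of this issue and not Syft's own code), the following Python script mirrors the `**/lib/modules/**/*.ko` criterion quoted above and reports how many module files under a root filesystem would be cataloged versus skipped because they carry a compression suffix. The suffix list (`.ko.xz`, `.ko.zst`, `.ko.gz`) is an assumption covering the compressors a kernel build can select, and the sample paths are constructed, modelled on the Debian 12 and Debian 13 listings in the issue; point it at a mounted image root to confirm whether compressed modules explain a low linux-kernel-cataloger package count.

```python
"""Estimate which kernel modules Syft's kernel cataloger glob would catalog.

Added example: compares the '**/lib/modules/**/*.ko' criterion against the
module files actually present, so compressed modules (CONFIG_MODULE_COMPRESS)
that fall outside the glob can be counted.
"""
from __future__ import annotations

import fnmatch
import os
import sys
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable

# Glob copied from the capabilities.yaml excerpt quoted in the issue.
UNCOMPRESSED_GLOB = "**/lib/modules/**/*.ko"

# Assumption: suffixes produced by CONFIG_MODULE_COMPRESS_{XZ,ZSTD,GZIP}.
# Syft itself does not reference these; they are listed here for the check.
COMPRESSED_SUFFIXES = (".ko.xz", ".ko.zst", ".ko.gz")

# Constructed sample paths: a Debian 12 style tree (plain .ko) beside a
# Debian 13 style tree (.ko.xz), plus two non-module files as noise.
SAMPLE_PATHS = [
    "/lib/modules/6.1.0-41-rt-amd64/kernel/drivers/net/ethernet/intel/ice/ice.ko",
    "/lib/modules/6.1.0-41-rt-amd64/kernel/sound/soc/intel/skylake/snd-soc-skl.ko",
    "/lib/modules/6.12.74+deb13+1-rt-amd64/kernel/drivers/net/ethernet/intel/ice/ice.ko.xz",
    "/lib/modules/6.12.74+deb13+1-rt-amd64/kernel/fs/btrfs/btrfs.ko.xz",  # constructed
    "/lib/modules/6.12.74+deb13+1-rt-amd64/modules.dep",
    "/boot/vmlinuz-6.12.74+deb13+1-rt-amd64",
]


def matches_glob(path: str, pattern: str) -> bool:
    """Match a path against a '**' glob.

    fnmatch's '*' also matches '/', so each '**' behaves as a recursive
    wildcard, which is close enough to the cataloger's matcher for this check.
    """
    return fnmatch.fnmatchcase(path, pattern)


@dataclass
class ModuleReport:
    cataloged: list[str] = field(default_factory=list)   # files the glob catches
    compressed: list[str] = field(default_factory=list)  # module files it skips
    by_suffix: Counter = field(default_factory=Counter)

    def summary(self) -> str:
        return (f"cataloged={len(self.cataloged)} "
                f"skipped_compressed={len(self.compressed)} "
                f"by_suffix={dict(self.by_suffix)}")


def classify(paths: Iterable[str]) -> ModuleReport:
    """Split module files into glob-matched and compressed-but-skipped."""
    report = ModuleReport()
    for path in paths:
        if "/lib/modules/" not in path:
            continue  # not under a modules tree; the cataloger ignores it
        if matches_glob(path, UNCOMPRESSED_GLOB):
            report.cataloged.append(path)
            report.by_suffix[".ko"] += 1
            continue
        for suffix in COMPRESSED_SUFFIXES:
            if path.endswith(suffix):
                report.compressed.append(path)
                report.by_suffix[suffix] += 1
                break
    return report


def walk_modules(root: str) -> list[str]:
    """Collect every file under <root>/lib/modules and <root>/usr/lib/modules."""
    found: list[str] = []
    for base in ("lib/modules", "usr/lib/modules"):
        for dirpath, _dirs, files in os.walk(os.path.join(root, base)):
            found.extend(os.path.join(dirpath, f) for f in files)
    return found


if __name__ == "__main__":
    # Usage: python check_modules.py [ROOT]; without ROOT the sample paths run.
    paths = walk_modules(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PATHS
    result = classify(paths)
    print(result.summary())
    if result.compressed:
        print("compressed modules outside the cataloger glob, first few:")
        for p in result.compressed[:5]:
            print("  " + p)
```

Run against the root of a mounted image (for example `python check_modules.py /mnt/image`); a large `skipped_compressed` count alongside a small `cataloged` count matches the symptom described in this issue, while a Debian 12 tree should report zero skipped files.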
Environment:
- Output of `syft version`: syft 1.42.3
- OS (e.g. `cat /etc/os-release` or similar): custom image based upon the latest version of Debian trixie