Grype .98 misidentifies package versions

All,

I logged this bug. Grype .98 misidentifies the container package version · Issue #2884 · anchore/grype

I am trying to see if there is a way to debug this and better understand exactly why Grype is saying I have libc version 2.39.9_deb12u10 rather than what I see when logged into the container (libc-2.28.so).

The -vvvv generates a lot of output, but I don’t see what it is basing its decision on. Someone else ran a previous version of Grype and it seemed to find the correct versions.


Hi @wagner-robert thanks for the question! I’ve tried to ask more about how to reproduce the issue you’re seeing at Grype .98 misidentifies the container package version · Issue #2884 · anchore/grype · GitHub - let’s continue the conversation over there, since there’s already been a lot more context shared on that thread. Thanks!


As I understand it, the software is looking at Syft. For Debian it parses the /var/lib/dpkg/status file to get versions. Running Syft 1.18.1, I see that Syft does not match the version field for any package as seen in the /var/lib/dpkg/status file. I cannot determine where it gets the version numbers listed, as I cannot see those version numbers in any file on the container (I grepped the whole container).

Syft: adduser 3.124, apt 2.6.1

/var/lib/dpkg/status: adduser 3.118, apt 1.8.2.3

@wagner-robert can you please tell me what you are scanning? How are you invoking Syft? For example I would say syft ubuntu:22.04 scans the ubuntu:22.04 image from Docker Hub. What are you scanning?

syft nginx:latest. I don’t know where this particular image came from.

Another observation (not sure it impacts anything):

- syft/syft/pkg/dpkg.go at main · anchore/syft · GitHub

const DpkgDBGlob = "/var/lib/dpkg/{status,status.d/**}"

- syft/syft/pkg/cataloger/debian/cataloger.go at main · anchore/syft · GitHub

func NewDBCataloger() pkg.Cataloger {
	return generic.NewCataloger("dpkg-db-cataloger").
		// note: these globs have been intentionally split up in order to improve search performance,
		// please do NOT combine into: "**/var/lib/dpkg/{status,status.d/**}"
		WithParserByGlobs(parseDpkgDB, "**/lib/dpkg/status", "**/lib/dpkg/status.d/*", "**/lib/opkg/info/*.control", "**/lib/opkg/status").
		WithProcessors(dependency.Processor(dbEntryDependencySpecifier))
}

The cataloger.go file does not appear to look at the /var/lib/dpkg/status file. Also, one file says do not use the {status,status.d/} construct and another uses it.

Hi @wagner-robert I’m confused.

When I run syft nginx:latest | grep -e NAME -e adduser, it prints:

NAME                       VERSION                         TYPE
adduser                    3.134                           deb

When I try to get the version manually, with docker run --rm nginx:latest cat /var/lib/dpkg/status | less, I see the following block in the dpkg status file:

Package: adduser
Status: install ok installed
Priority: important
Section: admin
Installed-Size: 686
Maintainer: Debian Adduser Developers <adduser@packages.debian.org>
Architecture: all
Multi-Arch: foreign
Version: 3.134

It seems that Syft and the file at /var/lib/dpkg/status agree on the version of adduser present in the image. Are you seeing something different than this? Am I misunderstanding your question?

They DO NOT agree for me. (Not yelling, just trying to be clear). The actual adduser package installed is 3.118. Syft says I am running 3.124 (a more recent version).
I see that yours matches. My nginx:latest may be a bit dated (like by a couple of years).

@wagner-robert thanks for the clarification! Something is different between our environments.

In normal configuration, syft nginx:latest will use the system’s Docker daemon to pull nginx:latest and analyze that. It seems we are not pulling the latest package.

Are you running the latest Syft? Here’s my attempt to run this as unambiguously as possible to get to the bottom of it (-q is just a quiet option to make pasting out of the terminal cleaner):

$ syft -q nginx@sha256:33e0bbc7ca9ecf108140af6288c7c9d1ecc77548cbfd3952fd8466a75edefe57 | grep -e NAME -e adduser
NAME                       VERSION                         TYPE
adduser                    3.134                           deb
$ syft version
Application:   syft
Version:       1.31.0
BuildDate:     2025-08-13T14:50:51Z
GitCommit:     ab9db0024ed35ab6a4e33e539593f5a3c58a5594
GitDescription: v1.31.0
Platform:      darwin/arm64
GoVersion:     go1.24.5
Compiler:      gc
SchemaVersion: 16.0.37
$ docker run --rm nginx@sha256:33e0bbc7ca9ecf108140af6288c7c9d1ecc77548cbfd3952fd8466a75edefe57 cat /var/lib/dpkg/status | grep -A 10 'Package: adduser'
Package: adduser
Status: install ok installed
Priority: important
Section: admin
Installed-Size: 686
Maintainer: Debian Adduser Developers <adduser@packages.debian.org>
Architecture: all
Multi-Arch: foreign
Version: 3.134
Depends: passwd
Suggests: liblocale-gettext-perl, perl, cron, quota

Are you perhaps running an old Syft? Or pointing at a different nginx:latest? (I don’t understand the remark that you have an old nginx:latest - syft should re-pull the tag if it can.) If you are running an old Syft, does upgrading fix it? If you’re pointing at an old nginx:latest, can you share the digest? (I think docker image inspect nginx:latest | jq '.[0].RepoDigests' will print the info I need to pull it if I’m able.)

Another possible variable is that docker pull nginx:latest will try to match the architecture it’s on, so even if we’re both pulling the latest tag, we might be getting slightly different material. To try to control for this, I ran the commands again passing --platform linux/amd64 to the Syft and Docker commands, and got the same results.

I have access to Syft 1.27.1 - same issue exists.

I repeated the checks from my previous command with Syft 1.27.1 downloaded from Release v1.27.1 · anchore/syft · GitHub.

I still see adduser at 3.134 in this image.

It sounds like we are running the same version of Syft, and the difference is, as you expected, that you have an old nginx:latest image.

Can you tell me the repo digest for that image in your environment? Or can you tell me the version of nginx packaged in that image? (I’m trying to find the image you’re looking at so that I can see what’s going on.)

I just wanted to close the loop here. We’ve learned that the apparent version inconsistencies were due to running Syft or Grype against an image, and then execing into a running container in which packages had been upgraded or downgraded when doing comparisons. Currently, Syft and Grype scan images but not running containers.

This discussion ended in a feature request for scanning a running container: Can Syft scan a running container, in case it has changed from the image it started from? · Issue #4158 · anchore/syft · GitHub
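The root cause above (comparing an image SBOM against a container whose packages changed after it started) is easy to confirm mechanically. The following is an added example, not Syft or Grype code: it parses the stanza format of /var/lib/dpkg/status (the file Syft's dpkg cataloger reads), pulls deb package versions out of a Syft-style JSON document, and reports the drift between the two. Only the `artifacts[].name`, `version` and `type` fields of Syft's JSON are assumed; both inputs are constructed inline so the script runs offline.

```python
"""Detect package drift between an image SBOM and a running container's dpkg DB.

Added example, not part of Syft or Grype. Inputs are constructed:
- SBOM_JSON mimics the relevant fields of `syft -o json <image>`
- DPKG_STATUS mimics `docker exec <ctr> cat /var/lib/dpkg/status`
"""
import json

# Constructed Syft-style output for the image as it was built.
SBOM_JSON = json.dumps({
    "artifacts": [
        {"name": "adduser", "version": "3.134", "type": "deb"},
        {"name": "apt", "version": "2.6.1", "type": "deb"},
        {"name": "libc6", "version": "2.36-9+deb12u10", "type": "deb"},
    ]
})

# Constructed dpkg status from inside a container in which libc6 was
# downgraded and curl was installed after start; old-tool is a removed
# package whose config files remain (dpkg keeps such stanzas around).
DPKG_STATUS = """\
Package: adduser
Status: install ok installed
Version: 3.134
Description: add and remove users and groups
 Continuation lines of a field start with a space.

Package: apt
Status: install ok installed
Version: 2.6.1

Package: libc6
Status: install ok installed
Version: 2.31-13+deb11u5

Package: curl
Status: install ok installed
Version: 7.88.1-10+deb12u5

Package: old-tool
Status: deinstall ok config-files
Version: 1.0
"""


def parse_dpkg_status(text):
    """Parse /var/lib/dpkg/status into {package: version} for installed packages.

    Stanzas are blank-line separated; continuation lines (leading whitespace)
    belong to the previous field and carry no version data. Packages whose
    Status is not '... installed' (e.g. config-files leftovers) are skipped,
    the same distinction a scanner has to make when reading this file.
    """
    installed = {}
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line.startswith((" ", "\t")):
                continue
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Package" in fields and fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields.get("Version", "")
    return installed


def parse_sbom(sbom_json):
    """Return {name: version} for deb artifacts in a Syft-style JSON document."""
    doc = json.loads(sbom_json)
    return {a["name"]: a["version"] for a in doc["artifacts"] if a.get("type") == "deb"}


def diff_versions(sbom, dpkg):
    """Return (changed, only_in_image, only_in_container).

    changed maps package -> (image_version, container_version).
    """
    common = sbom.keys() & dpkg.keys()
    changed = {n: (sbom[n], dpkg[n]) for n in sorted(common) if sbom[n] != dpkg[n]}
    only_image = sorted(sbom.keys() - dpkg.keys())
    only_container = sorted(dpkg.keys() - sbom.keys())
    return changed, only_image, only_container


if __name__ == "__main__":
    changed, only_image, only_container = diff_versions(
        parse_sbom(SBOM_JSON), parse_dpkg_status(DPKG_STATUS)
    )
    for name, (img, ctr) in changed.items():
        print(f"CHANGED  {name}: image={img} container={ctr}")
    for name in only_image:
        print(f"REMOVED  {name}: in image SBOM, not installed in container")
    for name in only_container:
        print(f"ADDED    {name}: installed in container, absent from image SBOM")
```

To run it against real data, replace the two constants with the contents of `syft -o json <image>` and `docker exec <container> cat /var/lib/dpkg/status`. Any line in the output means the running container no longer matches the image the SBOM was produced from, which is exactly the situation in this thread: the scanner was right about the image, and the difference is drift inside the container. The status.d/ directory used by distroless-style images holds one file per package in the same stanza format, so the parser applies to those files as well.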