Support SBOM addition and subtraction

In many cases, in order to reflect the software dependencies that were actually introduced, we need to scan the base and scan the final package, but we do not want to measure the base.

SBOM_full - SBOM_base = SBOM_real

If we could support such add/sub operations, that would help a lot.

In the case of images you can try the deep-squashed mode, which will tell you in which layer a package existed.
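The SBOM_full - SBOM_base operation from the opening post, together with the per-layer attribution mentioned in the reply above, as an added example written for this thread (not Syft's own code, and not the script from the linked issue). It works on Syft's JSON output and relies only on the artifacts[].purl/name/version/type, artifacts[].locations[].layerID, artifacts[].id and artifactRelationships fields; the two embedded SBOMs, their package ids and the layer digests are constructed by hand for the demonstration.

```python
"""SBOM_full - SBOM_base over two Syft JSON documents (added example, not Syft code).

Two strategies are shown:
  subtract_sboms       set difference on package identity (purl, else type/name/version)
  exclude_base_layers  drop packages that Syft located in one of the base image's
                       layers (needs per-layer locations, e.g. a scope that keeps them)
"""
import copy
import json
import sys


def package_key(artifact):
    """Stable identity for a package: the purl when present, else type/name/version."""
    return artifact.get("purl") or (
        artifact.get("type", ""), artifact.get("name", ""), artifact.get("version", "")
    )


def subtract_sboms(full, base):
    """Artifacts of FULL whose identity does not appear in BASE.
    An upgraded base package (same name, new version) counts as introduced, which
    is what you want when the result is fed to a vulnerability matcher."""
    base_keys = {package_key(a) for a in base.get("artifacts", [])}
    return [a for a in full.get("artifacts", []) if package_key(a) not in base_keys]


def _versions_by_name(doc):
    return {(a.get("type"), a.get("name")): a.get("version") for a in doc.get("artifacts", [])}


def version_changes(full, base):
    """{name: (base_version, full_version)} for packages in both SBOMs with a
    different version; they appear as 'new' in subtract_sboms, so report them."""
    b, f = _versions_by_name(base), _versions_by_name(full)
    return {k[1]: (b[k], f[k]) for k in f if k in b and b[k] != f[k]}


def exclude_base_layers(full, base_layer_ids):
    """Artifacts of FULL that were never located in a base layer.
    A package seen in a base layer is treated as base even if a later layer rewrote
    the file it was found in (apt-get in the app layer rewrites /var/lib/dpkg/status,
    so base packages reappear with a second location there). Packages carrying no
    layer information are kept: missing evidence is not evidence of base."""
    base_layer_ids = set(base_layer_ids)
    kept = []
    for a in full.get("artifacts", []):
        layers = {loc.get("layerID") for loc in a.get("locations", []) if loc.get("layerID")}
        if layers and layers & base_layer_ids:
            continue
        kept.append(a)
    return kept


def with_artifacts(doc, artifacts):
    """Copy DOC keeping only ARTIFACTS, dropping relationships that touch a removed
    package, so the result is still a Syft JSON document downstream tools accept."""
    dropped = {a["id"] for a in doc.get("artifacts", []) if "id" in a}
    dropped -= {a["id"] for a in artifacts if "id" in a}
    out = copy.deepcopy(doc)
    out["artifacts"] = artifacts
    out["artifactRelationships"] = [
        r for r in doc.get("artifactRelationships", [])
        if r.get("parent") not in dropped and r.get("child") not in dropped
    ]
    return out


# ---- constructed sample data (hypothetical ids and digests, not real images) ----
BASE_LAYER = "sha256:aaaa"
APP_LAYER = "sha256:bbbb"


def _deb(pkg_id, name, version, layer_ids):
    return {
        "id": pkg_id, "name": name, "version": version, "type": "deb",
        "purl": f"pkg:deb/ubuntu/{name}@{version}?arch=amd64",
        "locations": [{"path": "/var/lib/dpkg/status", "layerID": l} for l in layer_ids],
    }


BASE_SBOM = {"artifacts": [
    _deb("p1", "libc6", "2.39-0ubuntu8", [BASE_LAYER]),
    _deb("p2", "openssl", "3.0.13-0ubuntu3", [BASE_LAYER]),
], "artifactRelationships": []}

FULL_SBOM = {"artifacts": [
    _deb("p1", "libc6", "2.39-0ubuntu8", [BASE_LAYER, APP_LAYER]),  # status file rewritten
    _deb("p3", "openssl", "3.0.13-0ubuntu3.4", [APP_LAYER]),          # upgraded in app layer
    _deb("p4", "curl", "8.5.0-2ubuntu10", [APP_LAYER]),
    {"id": "p5", "name": "requests", "version": "2.32.3", "type": "python",
     "purl": "pkg:pypi/requests@2.32.3",
     "locations": [{"path": "/usr/lib/python3/dist-packages/requests-2.32.3.dist-info/METADATA",
                    "layerID": APP_LAYER}]},
], "artifactRelationships": [{"parent": "p1", "child": "p4", "type": "dependency-of"}]}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: sbom_subtract.py full.syft.json base.syft.json > real.syft.json")
    with open(sys.argv[1]) as fh:
        full = json.load(fh)
    with open(sys.argv[2]) as fh:
        base = json.load(fh)
    json.dump(with_artifacts(full, subtract_sboms(full, base)), sys.stdout, indent=2)
```

Set subtraction needs only two ordinary scans and works for rootfs directories as well as images; layer exclusion needs per-layer locations but does not need a separate base scan, only the base image's layer digests. On the sample both agree, but they differ in edge cases: a package that is removed from the base and re-added by the app layer is "new" to set subtraction and "base" to layer exclusion.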

Even if not for image scans, this could also help for rootfs scans; basically, this is a general requirement, I believe.

        # Install debootstrap
        sudo apt-get update
        sudo apt-get install -y debootstrap

        # Bootstrap Ubuntu 24.04 (noble) into a fresh directory.
        # ":?" aborts instead of running "sudo rm -rf" on a path built from an empty variable.
        ROOTFS="${BUILD_DIR_SYFT:?BUILD_DIR_SYFT must be set}/nfpm_home/ubuntu-rootfs"
        sudo rm -rf "$ROOTFS"
        sudo mkdir -p "$ROOTFS"

        # 1. Read the package list from dependency_list.txt (one package per line),
        #    drop blank lines, and join with commas for --include
        PACKAGE_LIST=$(grep -v '^[[:space:]]*$' "${BUILD_DIR_SYFT}/dependency_list.txt" | paste -sd, -)
        # 2. debootstrap a minimal base plus exactly those packages
        sudo debootstrap --variant=minbase --include="$PACKAGE_LIST" noble "$ROOTFS" http://archive.ubuntu.com/ubuntu/

There’s a discussion and sample Python code on this issue → Add option to exclude packages introduced from a base layer · Issue #1809 · anchore/syft · GitHub
