
fix dpkg packages that are in deinstalled state should not be in SBOM #3063

@mephinet

Description

What happened:
Many official docker images (provided by https://github.com/docker-library) are derived from buildpack-deps, which includes a large number of build-related packages, like gcc, git, subversion, perl, imagemagick, ... i.e. programs that are useful for building the program (and maybe further dependencies), but won't be used at runtime.

In order to meet security regulations, this poses an issue, as many of these dependencies have vulnerabilities, e.g. at the time of writing CVE-2024-32002, CVE-2016-10144, CVE-2016-10145, CVE-2023-47100, CVE-2023-31486.

In order to get these vulnerabilities off the audit list, I'm running apt-get remove on these packages once all RUN steps depending on any of those programs/libraries are done, so perl, git, ... are no longer part of the final container.

However, when scanning such an issue with syft, these packages are still reported as found.

What you expected to happen:
If a package is installed in an earlier layer of the image, and removed in a later layer, I expect the package to no longer be part of the BOM.

Steps to reproduce the issue:

  • create a Dockerfile with the following content:
    FROM python:3.12
    RUN apt-get remove -y perl git imagemagick gnupg && apt-get -y autoremove
    
  • scan this image with syft
  • check the created SBOM for perl, git, imagemagick, gnupg

Anything else we need to know?:

Environment:
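A defender-side check of the behaviour this report asks for, written here as an added example rather than syft's own code: after apt-get remove (without --purge) a package stays in /var/lib/dpkg/status with a Status of "deinstall ok config-files", so a dpkg cataloger that lists every stanza will still report it. The parser below keeps only stanzas whose Status is "install ok installed"; the status-file fragment is constructed for the example.

```python
# Added example, not syft's code. After `apt-get remove` (without --purge) a
# package stays in /var/lib/dpkg/status with Status "deinstall ok config-files";
# only "install ok installed" entries are really present on the filesystem.
from typing import Dict, List

# Constructed sample of /var/lib/dpkg/status (not taken from a real image).
SAMPLE_STATUS = """\
Package: python3
Status: install ok installed
Version: 3.12.3-1

Package: perl
Status: deinstall ok config-files
Version: 5.36.0-7

Package: git
Status: deinstall ok config-files
Version: 1:2.39.2-1.1

Package: libc6
Status: install ok installed
Version: 2.36-9
"""

def parse_dpkg_status(text: str) -> List[Dict[str, str]]:
    """Split the status file into stanzas mapping field -> value."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():              # blank line ends a stanza
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line[0].isspace():             # continuation line (e.g. Description)
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def is_installed(stanza: Dict[str, str]) -> bool:
    """True only for 'install ok installed' (want=install, status=installed)."""
    fields = stanza.get("Status", "").split()
    return len(fields) == 3 and fields[0] == "install" and fields[2] == "installed"

def installed_packages(text: str) -> List[str]:
    """Names a dpkg-based SBOM should list: removed packages are excluded."""
    return sorted(s["Package"] for s in parse_dpkg_status(text) if is_installed(s))
```

Running installed_packages over the real status file of a scanned image and diffing the result against the SBOM's dpkg entries shows whether removed packages are leaking into the report.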
