Skip to content

fix: support multi-arch packages in dpkg scanner#2500

Open
zozo123 wants to merge 1 commit intofuture-architect:masterfrom
zozo123:fix/multi-arch-package-keys
Open

fix: support multi-arch packages in dpkg scanner#2500
zozo123 wants to merge 1 commit intofuture-architect:masterfrom
zozo123:fix/multi-arch-package-keys

Conversation

@zozo123
Copy link
Copy Markdown

@zozo123 zozo123 commented Apr 5, 2026

Summary

  • Fixes package map key collisions for multi-arch dpkg packages by including architecture in the key
  • dpkg Multi-Arch allows packages with the same name for different architectures (e.g. libc6:amd64 and libc6:i386), but previously one would overwrite the other in the Packages map
  • Adds Package.MapKey() helper that returns name:arch when architecture is present, or just name otherwise
  • Parses architecture from the binary:Package field in dpkg-query output
  • Updates all Packages map lookups across debian.go, packages.go, and vuls2.go to use the new key format

Files Changed

  • models/packages.go: Added MapKey() method, updated NewPackages and MergeNewVersion to use map keys
  • scanner/debian.go: Parse arch from dpkg output, use name:arch map keys, updated fillCandidateVersion, changelog functions, and parseCheckRestart
  • detector/vuls2/vuls2.go: Updated preConvert to iterate with map keys instead of p.Name

Fixes #2423

Built autonomously by islo.dev Builder

@zozo123 @claude
fix: support multi-arch packages in dpkg scanner
86b264c 
dpkg Multi-Arch allows packages with the same name for different
architectures (e.g. libc6:amd64 and libc6:i386). Previously the
Packages map was keyed only by package name, causing multi-arch
packages to overwrite each other.

Changes:
- Parse architecture from dpkg-query binary:Package field
- Store architecture in Package.Arch field
- Use "name:arch" as map key when architecture is present
- Add Package.MapKey() helper for consistent key generation
- Update all Packages map lookups to use the new key format

Fixes future-architect#2423

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@zozo123
Copy link
Copy Markdown
Author

zozo123 commented Apr 5, 2026

islo.dev Review: #2500

Dimension Score
Correctness 4.0/5
Security 5.0/5
Performance 4.5/5
Best Practices 4.0/5
Overall 4.3/5

Grade: A- | Verdict: APPROVE

Summary

Adds multi-architecture support for dpkg packages by introducing a MapKey() method that returns name:arch when architecture is present, preventing collisions when the same package is installed for multiple architectures (e.g., libc6:amd64 and libc6:i386). The change propagates consistently through the scanner, detector, and package model layers.

Key Findings

# Sev File Issue
1 Medium debian.go In scanInstalledPackages, the loop matching updatable names now no longer break after the first match (updatable[key] = pack). This means all arch variants of a package get added to updatables, which is correct for multi-arch but changes previous behavior -- verify this doesn't cause duplicate processing downstream
2 Medium packages.go MapKey() returns name:arch when Arch != "". This applies to all package types, not just dpkg. Verify that RPM-based distros (which also set Arch) don't get unexpected key format changes
3 Low debian.go parseScannedPackagesLine now returns 7 values instead of 6 -- all call sites are updated, but this is a brittle pattern. Consider returning a struct instead of positional values
4 Low debian.go In fillCandidateVersion, the reverse lookup (pack.Name == k) iterates all updatables for each apt-cache entry. For large package lists this is O(n*m), but likely acceptable in practice
5 Info debian.go The BinaryNames field now stores mapKey (e.g., libc6:amd64) instead of plain name -- ensure downstream consumers expect this format

islo.dev PR Code Reviewer

zozo123
zozo123 commented Apr 5, 2026
View reviewed changes
Copy link
Copy Markdown
Author

@zozo123 zozo123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

islo.dev — Score: 4.3/5 — APPROVE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

scanner cannot manage same-named packages across different architectures or versions

1 participant

@zozo123