Feature Request: Report files installed per package in OS extractors

[samuelvl]

Currently the OS extractors do not report the files installed by each OS package. This feature would be valuable for mapping file accesses to the package that installed them, which is useful for security and forensic analysis.

For example, the os/apk extractor does not include package files in locations, only the APK index path (lib/apk/db/installed):

osv-scalibr/extractor/filesystem/os/apk/apk.go

Line 211 in e5afc71

Locations: []string{input.Path},

However this list of files installed per package can be retrieved from the APK index as well: https://wiki.alpinelinux.org/wiki/Apk_spec

Similar tools like Trivy or Syft report this information.

[samuelvl]

I'm happy to contribute to implementing this feature, let me know if you think this request makes sense

[erikvarga]

'cc @vpasdf
We had some performance concerns about this before - if every OS package added a lot of new file path strings we'd increase both the output size and the peak memory usage of the SCALIBR run which could be problematic in some resource constrained environments we're using the scanner in.

I think it should be fine to add this feature behind a flag that's disabled by default though.

[erikvarga]

Thanks for the interest in adding this feature! Feel free to send a PR our way.

[vpasdf]

Is the file information automatically generated and contains all the files or is it humanly generated?

For DPKG that list of files is very long. It's usually more efficient to loop over those paths once, rather than storing all of them.

Behind a feature flag its fine to add this feature. This might cause significantly higher memory usage depending on the number of packages and files, which might also slow down scanning. I'd recommend not adding this to Locations but adding a new field in the metadata, bc in Location we want to store where we found the package, not what is all related to the package.