anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Add support for recursively exporting all of the compressed files #2407

Open Dentrax opened 1 year ago

Dentrax commented 1 year ago

What would you like to be added:

If the given file is compressed or an ISO, try to export all of the compressed files recursively to scan.

Why is this needed:

My use case was to scan a Lima image, as you can find here:

$ curl -sLO https://github.com/abiosoft/alpine-lima/releases/download/colima-v0.5.5/alpine-lima-clm-3.18.0-aarch64.iso
$ mkdir test
$ tar xvf alpine-lima-clm-3.18.0-aarch64.iso -C test
$ grype dir:test

But Grype returns a "No vulnerabilities found" error. The ISO contains lots of tar files; if we recursively export all of the compressed files, Grype is able to find the vulnerabilities as expected:

$ cd test
$ tar xvf alpine.apkovl.tar.gz
$ cd usr/
$ grype dir:.

Now Grype is able to find the packages and vulnerabilities.

Since ISO files are not actually compressed data, Grype could force-try to uncompress the given file regardless of its type.

$ file alpine-lima-clm-3.18.0-aarch64.iso
alpine-lima-clm-3.18.0-aarch64.iso: ISO 9660 CD-ROM filesystem data (DOS/MBR boot sector) 'alpine-lima clm-3.18.0 aarch64' (bootable)

What would be the most effective way to handle this kind of cases?

Additional context: As the description of Grype already clearly states (vulnerability scanner FOR container images and filesystems), the goal here is not to add support for ISO files, since that could be out of context for what this tool is designed for.
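As an added example (not code from the Syft or Grype projects, and not part of the original issue), the Go program below does what the manual steps above do by hand: it walks a tar stream, writes regular files out, and recursively expands any entry that is itself a gzip or tar stream, detected by magic bytes rather than by file extension. Reading ISO 9660 needs a third-party library that is outside the standard library, so the sample input is a constructed outer tar standing in for the unpacked ISO, with a constructed alpine.apkovl.tar.gz inside it; its file names and contents are made up for this example and are not taken from a real Lima image. The guards a practitioner would want when expanding untrusted images are included: a nesting-depth limit, a per-entry size cap against decompression bombs, rejection of entries that escape the destination directory (via filepath.IsLocal, which assumes Go 1.20 or newer), and skipping of symlinks and other non-regular entries, since a symlink written early could redirect a later entry's write outside the destination. The names ExtractAll, extract, kind, tarBytes, buildSample, the limits and the ".extracted" directory suffix are this example's own conventions.

```go
package main

import (
	"archive/tar"
	"bufio"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

const maxDepth, maxFileBytes = 4, 64 << 20 // nesting limit; per-entry size cap (decompression-bomb guard)

var errTraversal = errors.New("archive entry escapes destination")

// kind sniffs magic bytes instead of trusting the extension: gzip starts with 1f 8b and a
// tar header carries "ustar" at offset 257. A short Peek on a small file is fine here.
func kind(br *bufio.Reader) string {
	head, _ := br.Peek(262)
	if len(head) >= 2 && head[0] == 0x1f && head[1] == 0x8b {
		return "gzip"
	} else if len(head) == 262 && string(head[257:]) == "ustar" {
		return "tar"
	}
	return ""
}

// extract expands the stream br under dest, recursing into entries that are archives
// themselves, and appends root-relative paths of every regular file written to out.
func extract(br *bufio.Reader, root, dest string, depth int, out *[]string) error {
	if depth > maxDepth {
		return fmt.Errorf("archives nested deeper than %d levels", maxDepth)
	}
	switch kind(br) {
	case "gzip": // a compression wrapper, not a nesting level: unwrap and re-sniff
		gz, err := gzip.NewReader(br)
		if err != nil {
			return err
		}
		defer gz.Close()
		return extract(bufio.NewReader(gz), root, dest, depth, out)
	case "": // not an archive: nothing to expand
		return nil
	}
	tr := tar.NewReader(br)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		// Only regular files are written: symlinks could redirect a later entry's write
		// outside dest, and parent directories are created on demand below.
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		if !filepath.IsLocal(hdr.Name) { // Go 1.20+: rejects absolute paths and ".." escapes
			return fmt.Errorf("%q: %w", hdr.Name, errTraversal)
		}
		target := filepath.Join(dest, hdr.Name)
		var buf bytes.Buffer // buffered so the entry can be written out, then re-sniffed
		if n, err := io.Copy(&buf, io.LimitReader(tr, maxFileBytes+1)); err != nil {
			return err
		} else if n > maxFileBytes {
			return fmt.Errorf("%q exceeds %d bytes", hdr.Name, maxFileBytes)
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(target, buf.Bytes(), 0o644); err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, target)
		*out = append(*out, filepath.ToSlash(rel))
		// A nested archive is expanded beside itself: foo.tar.gz -> foo.tar.gz.extracted/
		nested := bufio.NewReader(bytes.NewReader(buf.Bytes()))
		if err := extract(nested, root, target+".extracted", depth+1, out); err != nil {
			return err
		}
	}
}

// ExtractAll expands archive and everything nested inside it under root and returns
// root-relative, slash-separated paths of the regular files it wrote.
func ExtractAll(archive []byte, root string) ([]string, error) {
	var out []string
	err := extract(bufio.NewReader(bytes.NewReader(archive)), root, root, 0, &out)
	return out, err
}

// tarBytes builds an in-memory tar of regular files (fixture helper for the constructed sample).
func tarBytes(files map[string]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, body := range files {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(body))
	}
	tw.Close()
	return buf.Bytes()
}

// buildSample constructs, for this example only (not from a real Lima image), an outer tar
// shaped like the unpacked ISO above: a boot file plus alpine.apkovl.tar.gz with usr/ inside.
func buildSample() []byte {
	var gz bytes.Buffer
	w := gzip.NewWriter(&gz)
	w.Write(tarBytes(map[string]string{"usr/lib/apk/db/installed": "P:musl\nV:1.2.4-r0\n", "usr/bin/hello": "#!/bin/sh\necho hi\n"}))
	w.Close()
	return tarBytes(map[string]string{"boot/vmlinuz-lts": "constructed stand-in for a kernel", "alpine.apkovl.tar.gz": gz.String()})
}

func main() {
	root, _ := os.MkdirTemp("", "nested-extract-")
	defer os.RemoveAll(root)
	fmt.Println(ExtractAll(buildSample(), root))
}
```

Run as-is, the program expands the constructed sample into a temporary directory and prints the four regular files it wrote, including usr/lib/apk/db/installed from inside the nested apkovl tarball, which is the file a directory scan would otherwise miss. Sniffing by content rather than extension means a tar named notes.txt is still expanded while a text file named fake.tar.gz is left alone, and the traversal check turns an entry such as ../escape into an error instead of a write outside the destination.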

tgerla commented 10 months ago

Hi @Dentrax, thanks for the suggestion. Some related issues might include: https://github.com/anchore/syft/issues/1379 and https://github.com/anchore/syft/issues/246

We would be happy to take a look at a pull request to add this support, if anyone in the community would like to tackle it. There is a Go library for ISO9660 images here: https://github.com/kdomanski/iso9660

I'll move this issue to the Syft project where this work will need to be done.