feat: introduce rootfs builder module for container images

[PrasanthYT]

Overview

This change introduces a container filesystem reconstruction pipeline for the container engine.

The builder reconstructs the merged root filesystem from container image layers, enabling accurate analysis of files and packages inside container images.

RootFS Builder

A new module constructs the final container filesystem by applying layers in order.

Result structure:

pub struct RootFs {
    pub path: PathBuf,
}

The returned path points to the fully reconstructed filesystem.

Layer Processing

The builder performs the following steps:

1. Extract the container image archive.
2. Read manifest.json.
3. Determine the ordered layer sequence.
4. Extract each layer sequentially.
5. Apply filesystem changes to the working rootfs.

Whiteout Handling

OCI whiteout files are respected during layer merging.

Supported behaviors:

• .wh.<file> → deletes file
• .wh..wh..opq → clears directory contents

This ensures the reconstructed filesystem matches container runtime behavior.

Extraction Safeguards

To prevent malicious archives or resource exhaustion, several protections were added:

• Maximum extraction size limits
• Entry count limits
• Path traversal protection
• Tar bomb mitigation

Timeout Protection

A timeout guard prevents extremely slow or malicious extractions from blocking the scan process.

Temporary Workspace Cleanup

RootFS extraction occurs inside a temporary workspace.

All temporary directories are cleaned up automatically on success or failure.

Impact

• Enables accurate container filesystem reconstruction
• Prepares container engine for package detection
• No impact on existing SCA scanning
• Maintains deterministic behavior

Result

Container images can now be reconstructed into a merged root filesystem: