
feat: introduce application dependency discovery for container rootfs#26

Merged
PrasanthYT merged 1 commit into main from feature/container-application-dependency-discovery
Mar 4, 2026

Conversation

@PrasanthYT
Contributor

Overview

This change introduces application dependency discovery within container images.

The container engine now scans the reconstructed root filesystem for common dependency manifests and extracts application-level dependencies using the existing SCA parsing logic.

Supported Manifest Types

The scanner searches the container filesystem for the following files:

  • package.json
  • requirements.txt
  • Cargo.lock
  • pyproject.toml

These files represent dependencies for Node, Python, and Rust applications.

Parser Reuse

Existing dependency parsers from the SCA engine are reused to avoid code duplication.

Supported ecosystems include:

  • npm
  • pypi
  • cargo

Dependency Extraction

Each discovered dependency is converted into the internal dependency representation used by the scanning engine.

Example:

Dependency {
    ecosystem,
    name,
    version
}

Dependency Merging

The container engine now merges dependencies from two sources:

  • OS packages
  • Application dependencies

Both sets are combined into a unified dependency list.

Deduplication

Dependencies are deduplicated using the composite identity:

ecosystem + name + version

This ensures deterministic results and prevents duplicate vulnerability checks.

Updated Container Pipeline

The container scanning flow now becomes:

ContainerEngine
  → Image acquisition
  → RootFS builder
  → Distro detection
  → OS package extraction
  → Application dependency discovery
  → Dependency merge

Impact

  • Enables detection of application dependencies inside container images
  • Reuses existing SCA parsing logic
  • Maintains deterministic scanning behavior
  • No changes to standalone SCA scanning
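As an added example, not code from this PR or the project, here is how the discovery, conversion and merge steps described above fit together in Rust: parsers for requirements.txt and Cargo.lock, dispatch on the manifest file name, and the deduplicating merge on ecosystem+name+version. The function names, the in-memory rootfs and the sample manifests are assumptions constructed for this example; package.json and pyproject.toml parsers are left out to keep it short.

```rust
use std::collections::BTreeSet;
use std::path::Path;

/// Internal dependency representation (same shape as the PR's Dependency).
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Dependency { pub ecosystem: String, pub name: String, pub version: String }

fn dep(ecosystem: &str, name: &str, version: &str) -> Dependency {
    Dependency { ecosystem: ecosystem.into(), name: name.into(), version: version.into() }
}

/// requirements.txt: only exact pins (`name==version`) are kept; comments and unpinned lines are skipped.
pub fn parse_requirements(text: &str) -> Vec<Dependency> {
    text.lines()
        .map(|l| l.split('#').next().unwrap_or("").trim())
        .filter_map(|l| l.split_once("==").map(|(n, v)| dep("pypi", n.trim(), v.trim())))
        .collect()
}

/// First `key = "value"` line of a TOML table (enough for Cargo.lock's flat tables).
fn field<'a>(table: &'a str, key: &str) -> Option<&'a str> {
    table.lines().find_map(|l| {
        let (k, v) = l.split_once('=')?;
        (k.trim() == key).then(|| v.trim().trim_matches('"'))
    })
}

/// Cargo.lock: one `[[package]]` table per crate; tables missing name or version are skipped.
pub fn parse_cargo_lock(text: &str) -> Vec<Dependency> {
    text.split("[[package]]")
        .filter_map(|t| Some(dep("cargo", field(t, "name")?, field(t, "version")?)))
        .collect()
}

/// Dispatch each supported manifest in the (constructed, in-memory) rootfs to its parser; package.json and pyproject.toml are omitted here.
pub fn discover(files: &[(&str, &str)]) -> Vec<Dependency> {
    files.iter().flat_map(|(path, text)| match Path::new(path).file_name().and_then(|f| f.to_str()) {
        Some("requirements.txt") => parse_requirements(text),
        Some("Cargo.lock") => parse_cargo_lock(text),
        _ => Vec::new(),
    }).collect()
}

/// Merge OS and app dependencies; the BTreeSet dedups on ecosystem+name+version and gives a deterministic order.
pub fn merge(os: Vec<Dependency>, app: Vec<Dependency>) -> Vec<Dependency> {
    os.into_iter().chain(app).collect::<BTreeSet<_>>().into_iter().collect()
}

/// Constructed sample rootfs: a duplicate pin and a comment exercise the edge cases.
pub const SAMPLE_ROOTFS: &[(&str, &str)] = &[
    ("/app/requirements.txt", "requests==2.31.0  # pinned\nflask>=2.0\nrequests==2.31.0\n"),
    ("/src/Cargo.lock", "[[package]]\nname = \"serde\"\nversion = \"1.0.197\"\n"),
];
```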

@PrasanthYT PrasanthYT merged commit 90deab7 into main Mar 4, 2026
4 checks passed