Conversation

@dheerajkadri dheerajkadri commented Mar 26, 2025

This PR adds system-installed files to the blob info. We have a case where a resource is being classified as both an Executable and a package. For example, the wget resource is being classified as both an Executable (version 1.3.1) and a Debian package (version 1.24.5-2+b1), which causes false positive results.

We need to add system-installed file information to the blob info of a layer, which is eventually uploaded to the cache. While merging the layers, we will check for system-installed files and filter them out from the executables list so that system-installed files are not detected as executables.

CLAassistant commented Mar 26, 2025

CLA assistant check
All committers have signed the CLA.

@dheerajkadri dheerajkadri force-pushed the dheerajkadri/fix-sys-installed-files-blob-info branch from 028eb84 to 4dbc54f on March 26, 2025 09:07

@DmitriyLewen (Contributor)

Hello @dheerajkadri
But BlobInfo already contains installed files in Package:
BlobInfo -> PackageInfos -> Package -> InstalledFiles

Is this not enough?

@dheerajkadri dheerajkadri changed the title from "fix(dd system installed files in blob info" to "fix(image) add system installed files in blob info" on Mar 26, 2025
@dheerajkadri dheerajkadri changed the title from "fix(image) add system installed files in blob info" to "fix(image): add system installed files in blob info" on Mar 27, 2025

@dheerajkadri (Author)


Hey @DmitriyLewen

BlobInfo -> PackageInfos -> Package -> InstalledFiles ==> this will hold all the packages and their info for all the layers and analyzers.

We need the system-installed files that will be detected by the package manager analyzer. These files will be set only for the layer where the package manager is present, and all files installed by the package manager will be recorded.
For example, https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/analyzer/pkg/rpm/rpm.go#L87

For Trivy Premium, where we use the executables analyzer in most cases, this information is crucial to avoid false positives. The issue arises when the executables analyzer detects executables that have already been identified as packages. This can happen if there is a permission change on a path, causing all executables in that path to be detected—even if they were originally installed by a package manager.

Many customers have reported this issue, so we need to track system-installed files separately. This will allow us to filter them out from all layer blob infos during the merging process, improving accuracy and reducing false positives.

@dheerajkadri dheerajkadri force-pushed the dheerajkadri/fix-sys-installed-files-blob-info branch from 4dbc54f to e925d1d on March 27, 2025 05:18

@DmitriyLewen (Contributor)


Maybe I don't understand you correctly.

Let's figure it out:
You need information about installed files from one layer, right?
BlobInfo contains information about one layer. It contains information about each installed package (for this layer) and its installed files.
Look at this example:
[image: example BlobInfo]

IIUC you can just loop through PackageInfos.Packages.InstalledFiles and get a list of installed files.
Correct me if I am wrong and missed something.
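
As an added illustration of the loop suggested above and of the filtering step the PR description outlines (this is example code written for this page, not code from Trivy or from either commenter): walk `PackageInfos -> Packages -> InstalledFiles` of each layer to build the set of package-owned paths, then, when merging layers, drop any executable whose path is in that set. The `BlobInfo`, `PackageInfo` and `Package` types are simplified stand-ins with only the fields the thread mentions; the `Executable` type, the `mergeExecutables` function and the sample layers are assumptions constructed for the example, using the wget case from the PR description as input.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Simplified stand-ins for the shape discussed in the thread:
// BlobInfo -> PackageInfos -> Package -> InstalledFiles.
// These are NOT Trivy's real types; only the relevant fields are modelled.
type Package struct {
	Name           string
	Version        string
	InstalledFiles []string
}

type PackageInfo struct {
	FilePath string // path of the package database, e.g. var/lib/dpkg/status
	Packages []Package
}

// Executable is an assumed record of what an executables analyzer would emit.
type Executable struct {
	Path    string
	Version string
}

type BlobInfo struct {
	Digest       string
	PackageInfos []PackageInfo
	Executables  []Executable
}

// normalize makes "/usr/bin/wget" and "usr/bin/wget" compare equal, since
// package databases and file walkers do not agree on the leading slash.
func normalize(p string) string {
	return strings.TrimPrefix(path.Clean(p), "/")
}

// installedFiles is the loop suggested in the thread: the set of every file
// recorded by every package in one layer's BlobInfo.
func installedFiles(b BlobInfo) map[string]struct{} {
	out := make(map[string]struct{})
	for _, pi := range b.PackageInfos {
		for _, pkg := range pi.Packages {
			for _, f := range pkg.InstalledFiles {
				out[normalize(f)] = struct{}{}
			}
		}
	}
	return out
}

// mergeExecutables (assumed name) collects package-owned paths from ALL layers
// first, then filters executables. Doing it in two passes handles the case from
// the PR description where a later layer changes permissions on a directory and
// the executables analyzer re-detects binaries that an earlier layer's package
// manager installed. It returns the executables kept and those dropped.
func mergeExecutables(layers []BlobInfo) (kept, dropped []Executable) {
	owned := make(map[string]struct{})
	for _, layer := range layers {
		for f := range installedFiles(layer) {
			owned[f] = struct{}{}
		}
	}
	for _, layer := range layers {
		for _, e := range layer.Executables {
			if _, ok := owned[normalize(e.Path)]; ok {
				dropped = append(dropped, e)
				continue
			}
			kept = append(kept, e)
		}
	}
	return kept, dropped
}

// sampleLayers is constructed input: a base layer whose dpkg database owns
// wget, and a later layer where a chmod caused wget (misidentified as 1.3.1)
// and a locally built tool to be reported as executables.
func sampleLayers() []BlobInfo {
	return []BlobInfo{
		{
			Digest: "sha256:base",
			PackageInfos: []PackageInfo{{
				FilePath: "var/lib/dpkg/status",
				Packages: []Package{{
					Name:           "wget",
					Version:        "1.24.5-2+b1",
					InstalledFiles: []string{"/usr/bin/wget", "/usr/share/man/man1/wget.1.gz"},
				}},
			}},
		},
		{
			Digest: "sha256:chmod",
			Executables: []Executable{
				{Path: "usr/bin/wget", Version: "1.3.1"},
				{Path: "usr/local/bin/mytool", Version: "0.1.0"},
			},
		},
	}
}

func main() {
	kept, dropped := mergeExecutables(sampleLayers())
	fmt.Println("kept executables:   ", kept)
	fmt.Println("dropped (package-owned):", dropped)
}
```

Only the locally built binary survives the merge; the duplicate wget "executable" is dropped because the base layer's package database already owns `usr/bin/wget`. Normalising paths before comparison matters, because a dpkg or rpm file list and a filesystem walk do not necessarily agree on the leading slash.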

@github-actions (bot)

This PR is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label May 27, 2025
@github-actions github-actions bot closed this Jun 16, 2025