Expand deb cataloger to include opkg

[johnDeSilencio]

What?

This PR expands on the Debian cataloger so that it also catalogs packages installed by opkg.

Why?

#1847 documents the reasons that @spiffcs, myself, and others may have for wanting to be able to catalog packages installed with opkg using syft. In short, by supporting opkg, syft will support those creating SBOMs for software containerized with OpenWrt, those working in the Yocto ecosystem, and broadens support for generating SBOMs for embedded systems in general.

How?

Because opkg strives to conform "to a subset of debian’s policy manual regarding control files", opkg package metadata is actually deb package metadata and can be parsed with the same cataloger - albeit from a different location.

The image openwrt/rootfs stores opkg package metadata under the directory /var/lib/opkg/info/*. The company I work for uses tools from the Yocto ecosystem, not OpenWRT, and we have an internal image that stores the metadata under /usr/lib/opkg/info/*. To generalize, I made the globs look for anything under a directory like **/lib/opkg.

Before putting up this PR, I discussed the possibility of creating a dedicated cataloger for opkg with @kzantow over Slack. Not only will this not work without an upstream PR to package-URL to define a new type for opkg, but it doesn't make any sense. The deb PURL type is for debian and debian-derived packages; opkg packages are debian-derived. Making a separate cataloger for opkg is not necessary since opkg packages can and should be cataloged as deb packages.

Testing?

1. Clone the repo with git clone https://github.com/johnDeSilencio/syft and navigate to the new directory with cd syft/
2. Checkout the most recent commit from feature/expand-deb-cataloger-to-include-opkg
3. Run make bootstrap
4. Run make snapshot
5. Run syft openwrt/rootfs. You should see something like the following output:

 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [1 packages]
NAME     VERSION  TYPE
busybox  1.34.9    binary

7. Run docker run -it anchore/syft:latest openwrt/rootfs. You should see something like the following output:

 ✔ Parsed image                                                                                     sha256:df1f661107dca36745dd2bd9f36e1a760f7c90ae7b88270795d52c8b6b4697fe
 ✔ Cataloged packages              [197 packages]
NAME                        VERSION                                      TYPE
base-files                  1233-r03459-4c5d910ef1                       deb
busybox                     1.34.9                                       binary
busybox                     1.31.2-2                                     deb
ca-bundle                   20231214-1                                   deb
// ...
urngd                       2023-01-01-7aefb47b-1                        deb
usign                       2020-08-04-a1f326562e-1                      deb

[spiffcs]

@johnDeSilencio thanks so much for the quick contribution - this is great and we'll be sure to get it tried out for the next release =)

[johnDeSilencio]

@johnDeSilencio thanks so much for the quick contribution - this is great and we'll be sure to get it tried out for the next release =)

You're welcome! Thank you and @kzantow for being responsive and helping me work out the best way to go about creating this PR. Seems like you have a great team at Anchore 😃

Also, heads up that I posted a follow-up PR. I forgot to run syft on the private image used by company, and I noticed there were warnings when I did. This PR removes those warnings.