anchore
MSI support
What would you like to be added:
.msi files are very common way to distribute applications on Windows. https://en.wikipedia.org/wiki/Windows_Installer provides an overview of this format. It is part of offical MS Windows.
Cross-platform OSS tools for extracting .msi files exist; see https://superuser.com/questions/307678/how-do-i-extract-files-from-an-msi-package and https://superuser.com/questions/427980/extracting-msi-files-using-linux
I haven't found a Go implementation yet.
Why is this needed:
Often MSI generation tools pull in additional dependencies (i.e. dlls) that the packager isnt directly / explicitly requesting.
It would be useful for packagers to be able to scan a .msi file before distributing it, gaining confidence that the final artefact is free of vulns at the time of release.
It would be useful for users to be able to scan a .msi file before installing it.
Additional context:
https://gitlab.gnome.org/GNOME/msitools doesnt work on Windows yet. Its underlying library https://gitlab.gnome.org/GNOME/libgsf does build on Windows. I dont see a Go wrapper for it.
Just to touch on one point: we do not intend to enable CGO unless there is a very compelling reason to do so, as it would complicate the build process considerably. I don't believe MSI support would be enough of a reason to enable CGO, but we are always open to discussion!
There could be an alternate scenario that we shell out to other existing tools in an opt-in manner, but would of course much prefer a native go solution, as executing tools is far from ideal.
