
Capture Alpine repository lists and world dependencies

Open luhring opened this issue 4 years ago • 1 comment

It would be great if Syft captured some global information from apk while analyzing Alpine images/systems in order to provide a fuller picture of apk-based software installations.

And specifically, if Syft's output included apk's world dependencies and repository lists, this would allow users to create apko configurations from previously generated SBOMs. This apko feature idea is tracked in https://github.com/chainguard-dev/apko/issues/167.

Here's a look at the raw sources of this information in alpine:3.15:

$ cat /etc/apk/world
alpine-baselayout
alpine-keys
apk-tools
busybox
libc-utils
$ cat /etc/apk/repositories
https://dl-cdn.alpinelinux.org/alpine/v3.15/main
https://dl-cdn.alpinelinux.org/alpine/v3.15/community

Questions for consideration:

  1. Should additional apk information be captured, too? (e.g. from /etc/apk/keys)
  2. What's the best way to represent this information in Syft's various output formats? (specifically, in CycloneDX, SPDX, and Syft JSON)
  3. Should we consider opening additional issues in Syft to capture this kind of information for other distros (e.g. from /etc/dpkg/...)?

cc: @kaniini — let me know if I missed anything important!

luhring, May 01 '22 12:05
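As an added illustration (not Syft's or apko's own code), the following Go sketch parses the two files quoted above into typed records that an SBOM generator could emit. It goes slightly beyond the sample by also handling the tagged `@edge <url>` repository form and version constraints in world entries (e.g. `apk-tools>=2.12`), both assumed from apk-tools conventions rather than taken from this issue.

```go
package main

import "strings"

// WorldEntry is one /etc/apk/world line: a package name with an optional
// version constraint, e.g. "busybox" or "apk-tools>=2.12" (assumed format).
type WorldEntry struct{ Name, Constraint string }

// Repository is one /etc/apk/repositories line; "@edge https://..." lines
// carry a tag that packages can be pinned to with "pkg@edge" (assumed format).
type Repository struct{ Tag, URL string }

// lines returns the trimmed, non-blank, non-comment ("#") lines of a file.
func lines(content string) []string {
	var out []string
	for _, l := range strings.Split(content, "\n") {
		if l = strings.TrimSpace(l); l != "" && !strings.HasPrefix(l, "#") {
			out = append(out, l)
		}
	}
	return out
}

// ParseWorld splits each world line into name and constraint; the name ends
// where the first constraint operator (<, >, =, ~) begins.
func ParseWorld(content string) []WorldEntry {
	var out []WorldEntry
	for _, l := range lines(content) {
		if i := strings.IndexAny(l, "<>=~"); i >= 0 {
			out = append(out, WorldEntry{Name: l[:i], Constraint: l[i:]})
		} else {
			out = append(out, WorldEntry{Name: l})
		}
	}
	return out
}

// ParseRepositories keeps each repository URL and splits off a leading "@tag".
func ParseRepositories(content string) []Repository {
	var out []Repository
	for _, l := range lines(content) {
		repo := Repository{URL: l}
		if f := strings.Fields(l); strings.HasPrefix(l, "@") && len(f) == 2 {
			repo = Repository{Tag: f[0][1:], URL: f[1]}
		}
		out = append(out, repo)
	}
	return out
}
```

Feed it the contents of `/etc/apk/world` and `/etc/apk/repositories` read from the image root; the resulting slices are what a CycloneDX, SPDX or Syft JSON serializer would need to carry.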

That looks good to me!

kaniini, May 03 '22 21:05