Syft finds no apks for some images with apks

[luhring]

Please provide a set of steps on how to reproduce the issue

syft -q registry:cgr.dev/chainguard/sdk@sha256:871b75ddd7b91a29ea0ed8695e271f59056c21af6a2f937f9224e81d6030dbec | grep 'apk\s'

What happened:

No apk type packages are found by Syft for this image.

What you expected to happen:

Since the image's /lib/apk/db/installed does contain several package entries, Syft should have reported those packages.

Anything else we need to know?:

I did a small amount of debugging. It seems like Syft does find the installed db and starts to find packages, but then hits a scanner error (ErrTooLong) and so it returns a nil slice of packages.

Package entries in the apk db can be pretty large. I think Syft's current parsing approach isn't able to handle these larger entries, because the entry's byte count exceeds the scanner's buffer size.

This may be solvable by increasing the size of the buffer, but it may be better to try an approach that doesn't require the scanner to hold an entire package entry in the buffer at once. I haven't thought through this idea, but would be happy to chat through it on this issue if that helps!

[kzantow]

We definitely should log issues instead of completely failing to return any packages when we hit an error like this. Also -- as you say, for this specific one, we could probably bump a buffer size somewhere.