Filter extractors by actual capabilities

[cuixq]

We should filter extractors by actual capabilities. For example, only enable an extractor requiring network access when network access is available.

[erikvarga]

In the binary there's a flag to only enable plugins whose capabilities are met:

osv-scalibr/binary/scalibr/scalibr.go

Line 57 in 620a293

filterByCapabilities := flag.Bool("filter-by-capabilities", true, "If set, plugins whose requirements (network access, OS, etc.) aren't satisfied by the scanning environment will be silently disabled instead of throwing a validation error.")

And in the library the user can specify their capacities and call list.FilterByCapabilities to enable only those extractors -

osv-scalibr/extractor/filesystem/list/list.go

Line 255 in 620a293

func FilterByCapabilities(exs []filesystem.Extractor, capabs *plugin.Capabilities) []filesystem.Extractor {

Is there anything more we should add?

[cuixq]

Should this function to return false by default for capabilities?

[erikvarga]

Well that's the capability setup for the SCALIBR binary wrapper. When wrapped into a binary, SCALIBR always runs on a real filesystem so it makes sense to set all capabilities to true (unless --remote-image is specified which we take into account in the code).

The one assumption the binary wrapper does make is that we can connect to the internet. If we want we can introduce an --offline flag or similar that would set this capability to false.