Describe the unexpected behaviour
CVE scanners which use the SBoM see that some version of git is included in the image.
Turns out this is coming from lib/apk/db/installed which is collected by the linuxkit build and also placed in /lib/apk/db/installed in the final EVE image.
The particular issue with git has been tracked down to come from linuxkit/runc introduced by linuxkit/linuxkit#3913, and there are similar ones where Alpine packages like gcc, make, etc. appear in apk/db/installed even though there is no content from those packages included in the EVE image.
It is useful to have the information from the apk/db/installed since it includes package versions, but in these cases it seems problematic to use it as the authoritative source of which package content is included in the containers.
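One way to catch these entries, as an added example that is not code from the EVE or linuxkit projects: parse the apk v2 installed-db record layout (assumed here as `P:` name, `V:` version, `F:` directory, `R:` file within that directory) and flag packages none of whose recorded files actually exist in the unpacked image, using constructed sample data in place of a real rootfs listing.

```python
"""Cross-check an apk installed db against the files actually present in an image.
Added example, not EVE/linuxkit code. Parses apk v2 `lib/apk/db/installed` records
(blank-line separated; P: name, V: version, F: directory, R: file in that directory)
and flags packages none of whose files exist in the unpacked rootfs."""
from typing import Dict, Iterable, List

# Constructed sample db: git is recorded but none of its files are in the image.
SAMPLE_DB = """\
P:git
V:2.40.1-r0
F:usr/bin
R:git
Z:Q1constructedchecksum=

P:musl
V:1.2.4-r0
F:lib
R:ld-musl-x86_64.so.1
R:libc.musl-x86_64.so.1
"""
# Constructed listing standing in for `find <rootfs> -type f` on the unpacked image.
IMAGE_FILES = ["lib/ld-musl-x86_64.so.1", "lib/libc.musl-x86_64.so.1"]

def parse_installed_db(text: str) -> Dict[str, dict]:
    """Return {name: {"version": str, "files": [paths relative to the image root]}}."""
    pkgs: Dict[str, dict] = {}
    cur, curdir = None, ""
    for line in text.splitlines():
        if not line.strip():  # a blank line ends the current package record
            cur, curdir = None, ""
            continue
        key, _, value = line.partition(":")
        if key == "P":
            cur = pkgs.setdefault(value, {"version": "", "files": []})
        elif cur is None:
            continue
        elif key == "V":
            cur["version"] = value
        elif key == "F":  # directory that the following R: entries live in
            curdir = value
        elif key == "R":
            cur["files"].append(f"{curdir}/{value}" if curdir else value)
    return pkgs

def phantom_packages(db_text: str, present_files: Iterable[str]) -> List[str]:
    """Packages whose recorded files are all absent: SBoM entries to double-check."""
    present = set(present_files)
    return sorted(f"{n}-{i['version']}" for n, i in parse_installed_db(db_text).items()
                  if i["files"] and not any(f in present for f in i["files"]))

print(phantom_packages(SAMPLE_DB, IMAGE_FILES))  # ['git-2.40.1-r0']
```

Run against a real unpacked EVE rootfs by replacing IMAGE_FILES with its file listing and SAMPLE_DB with the contents of lib/apk/db/installed; anything reported is a package the SBoM lists but whose content is not shipped.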