Expand check for libraries provided by the host (#2077)

* Expand the list of libraries that can be provided by the host

nvidia-container-toolkit will provide all of these libraries to a
container if the NVIDIA_DRIVER_CAPABILITIES=all environment variable is
set. To avoid conflicts with the host let's not generate provides for
any of them.

The list of libraries was generated by installing
nvidia-container-toolkit 1.17.8-1 on an Ubuntu 24.04 system with an
NVIDIA GPU and then running the Chainguard bash docker container with
`-e NVIDIA_DRIVER_CAPABILITIES=all --gpus all` and checking /usr/lib/
for all libraries with the same version number as the NVIDIA drivers
installed on the host.

Author: murraybd

pkg/sca/sca.go

@@ -99,6 +99,48 @@ func isInDir(path string, dirs []string) bool {
 	return false
 }
 
+// isHostProvidedLibrary returns true if the library is provided by the host
+// system and should not be included in dependency or provides generation.
+// These are typically NVIDIA libraries that are installed by the host driver.
+func isHostProvidedLibrary(lib string) bool {
+	hostLibs := []string{
+		"libEGL_nvidia.so.1",
+		"libGLESv1_CM_nvidia.so.1",
+		"libGLESv2_nvidia.so.1",
+		"libGLX_nvidia.so.1",
+		"libcuda.so.1",
+		"libcudadebugger.so.1",
+		"libnvcuvid.so.1",
+		"libnvidia-allocator.so.1",
+		"libnvidia-cfg.so.1",
+		"libnvidia-eglcore.so.1",
+		"libnvidia-encode.so.1",
+		"libnvidia-fbc.so.1",
+		"libnvidia-glcore.so.1",
+		"libnvidia-glsi.so.1",
+		"libnvidia-glvkspirv.so.1",
+		"libnvidia-gpucomp.so.1",
+		"libnvidia-ml.so.1",
+		"libnvidia-ngx.so.1",
+		"libnvidia-nvvm.so.1",
+		"libnvidia-opencl.so.1",
+		"libnvidia-opticalflow.so.1",
+		"libnvidia-pkcs11-openssl3.so.1",
+		"libnvidia-pkcs11.so.1",
+		"libnvidia-ptxjitcompiler.so.1",
+		"libnvidia-rtcore.so.1",
+		"libnvidia-tls.so.1",
+		"libnvoptix.so.1",
+	}
+	
+	for _, hostLib := range hostLibs {
+		if lib == hostLib {
+			return true
+		}
+	}
+	return false
+}
+
 // getLdSoConfDLibPaths will iterate over the files being installed by
 // the package and all its subpackages, and for each configuration
 // file found under /etc/ld.so.conf.d/ it will parse the file and add
@@ -590,8 +632,8 @@ func generateSharedObjectNameDeps(ctx context.Context, hdl SCAHandle, generated
 		}
 
 		for _, lib := range libs {
-			// Cuda is a dangling library, which must come from the host
-			if lib == "libcuda.so.1" {
+			// These are dangling libraries, which must come from the host
+			if isHostProvidedLibrary(lib) {
 				continue
 			}
 			if strings.Contains(lib, ".so.") {
@@ -631,9 +673,9 @@ func generateSharedObjectNameDeps(ctx context.Context, hdl SCAHandle, generated
 			}
 
 			for _, soname := range sonames {
-				// Packages should not provide libcuda.so.1 because they will
-				// conflict with the driver injected by the host.
-				if soname == "libcuda.so.1" {
+				// Packages should not provide these shared objects because they
+				// will conflict with the driver injected by the host.
+				if isHostProvidedLibrary(soname) {
 					continue
 				}