feat: add basic zstd compression support (#842)

Malcontent was not properly scanning zstd compressed files e.g. kernel
modules on modern Ubuntu systems. As an example, without this change:

```
$  mal --format=simple --verbose analyze /lib/modules/6.11.0-19-generic/kernel/fs/smb/server/ksmbd.ko.zst
time=2025-03-24T20:51:36.262-07:00 level=DEBUG source=$HOME/git/chainguard-dev/malcontent/pkg/action/scan.go:71 msg="skipping /usr/lib/modules/6.11.0-19-generic/kernel/fs/smb/server/ksmbd.ko.zst [<unknown>]: data file or empty" path=/usr/lib/modules/6.11.0-19-generic/kernel/fs/smb/server/ksmbd.ko.zst
```

With this patch applied:

```
$ ./mal --format=simple --verbose analyze /lib/modules/6.11.0-19-generic/kernel/fs/smb/server/ksmbd.ko.zst
time=2025-03-24T20:53:47.375-07:00 level=DEBUG source=$HOME/git/chainguard-dev/malcontent/pkg/archive/archive.go:110 msg="creating temp dir" path=/usr/lib/modules/6.11.0-19-generic/kernel/fs/smb/server/ksmbd.ko.zst
time=2025-03-24T20:53:47.375-07:00 level=DEBUG source=$HOME/git/chainguard-dev/malcontent/pkg/archive/zstd.go:18 msg="extracting zstd" dir=$HOME/tmp/ksmbd.ko.zst439390431 file=/usr/lib/modules/6.11.0-19-generic/kernel/fs/smb/server/ksmbd.ko.zst
c2/addr/ip: medium
crypto/aes: low
crypto/cipher: medium
fs/attributes/remove: medium
fs/attributes/set: medium
fs/directory/create: low
fs/directory/remove: low
fs/file/delete: low
fs/file/open: low
fs/lock_update: low
impact/remote_access/heartbeat: medium
net/ip/send_unicast: low
net/rpc/ntlm: medium
net/socket/listen: medium
net/socket/peer_address: low
net/socket/receive: low
net/socket/send: low
os/kernel/netlink: low
persist/daemon: medium
persist/kernel_module/module: medium
persist/kernel_module/name: medium
sus/exclamation: medium
```

This patch was mostly copy-wasting from the bz2 archive implementation
and cherry-picking bits and bobs from the zstd support in the rpm.go
implementation.

Signed-off-by: Steve Beattie <steve.beattie@chainguard.dev>

Author: stevebeattie

pkg/archive/archive.go

@@ -212,6 +212,8 @@ func ExtractionMethod(ext string) func(context.Context, string, string) error {
 		return ExtractZip
 	case ".bz2", ".bzip2":
 		return ExtractBz2
+	case ".zst", ".zstd":
+		return ExtractZstd
 	case ".rpm":
 		return ExtractRPM
 	case ".deb":

pkg/archive/zstd.go

@@ -0,0 +1,74 @@
+package archive
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/chainguard-dev/clog"
+	"github.com/klauspost/compress/zstd"
+)
+
+// ExtractZstd extracts .zst and .zstd archives.
+func ExtractZstd(ctx context.Context, d string, f string) error {
+	logger := clog.FromContext(ctx).With("dir", d, "file", f)
+	logger.Debug("extracting zstd")
+
+	buf, ok := bufferPool.Get().(*[]byte)
+	if !ok {
+		return fmt.Errorf("failed to retrieve buffer for zstd")
+	}
+	defer bufferPool.Put(buf)
+
+	fi, err := os.Stat(f)
+	if err != nil {
+		return fmt.Errorf("failed to stat zstd file %s: %w", f, err)
+	}
+	if fi.Size() == 0 {
+		return fmt.Errorf("empty zstd file: %s", f)
+	}
+
+	uncompressed := strings.TrimSuffix(filepath.Base(f), ".zstd")
+	uncompressed = strings.TrimSuffix(uncompressed, ".zst")
+	target := filepath.Join(d, uncompressed)
+
+	if !IsValidPath(target, d) {
+		return fmt.Errorf("invalid zstd decompression file path: %s", target)
+	}
+
+	if err := os.MkdirAll(d, 0o700); err != nil {
+		return fmt.Errorf("failed to create directory for decomrpessed zstd file: %w", err)
+	}
+
+	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
+	if err != nil {
+		return fmt.Errorf("failed to create decompressed zstd file: %w", err)
+	}
+	defer out.Close()
+
+	zstdFile, err := os.Open(f)
+	if err != nil {
+		return fmt.Errorf("failed to open zstd file: %w", err)
+	}
+	defer zstdFile.Close()
+
+	zr, err := zstd.NewReader(zstdFile)
+	if err != nil {
+		return fmt.Errorf("failed to open zstd file %s: %w", f, err)
+	}
+	defer zr.Close()
+
+	written, err := io.CopyBuffer(out, io.LimitReader(zr, maxBytes), *buf)
+	if err != nil {
+		return fmt.Errorf("failed to copy zstd compressed file: %w", err)
+	}
+
+	if written >= maxBytes {
+		return fmt.Errorf("file exceeds maximum allowed size (%d bytes): %s", maxBytes, target)
+	}
+
+	return nil
+}

pkg/programkind/programkind.go

@@ -35,6 +35,8 @@ var ArchiveMap = map[string]bool{
 	".upx":    true,
 	".whl":    true,
 	".xz":     true,
+	".zst":    true,
+	".zstd":   true,
 	".zip":    true,
 }