I know this is a fairly old question, but if you are still wondering there is a file called /etc/cos-package-info.json which has the installed package information. It is discussed in the vulnerability scanning section of the COS documentation.