Add support for distroless-based Docker images

[pombredanne]

distroless images are really based on Debian with a slightly different layout for installed packages data.

See also:

• https://github.com/nexB/container-inspector/blob/90c4aa61be4d69f3392b6e02e88f3996f8375f68/src/container_inspector/distro.py#L420
• https://github.com/GoogleContainerTools/distroless
• https://medium.com/@luke_perry_dev/dockerizing-with-distroless-f3b84ae10f3a

[pombredanne]

There are some issues on the observability of Distroless images in particular this https://github.com/GoogleContainerTools/distroless/issues/741 And there are regression even on this lack observability with https://github.com/GoogleContainerTools/distroless/issues/787 where the names of the status files in the status.d directory are now base64-encoded e.g. mangled.

[pombredanne]

This is blocked by lack of observability of Distroless images package files.

[pombredanne]

I think we can now move forward based on comments and PRs posted:

• https://github.com/bazelbuild/rules_docker/issues/1876 has been merged with https://github.com/bazelbuild/rules_docker/pull/2065 and https://github.com/GoogleContainerTools/distroless/pull/1367 uses that version
• https://github.com/GoogleContainerTools/distroless/issues/741 should be closed once we tested here.

Note that rules_docker has been archived and replaced by rules_oci:

• https://github.com/bazel-contrib/rules_oci

And rules_oci does not know about Debian-specific package files.

In the end, distroless instead uses this shell script in rules_distroless https://github.com/GoogleContainerTools/rules_distroless/blob/35a7d5a37b34e68f1d58d7e452147afe941f3e5a/apt/private/dpkg_statusd.sh#L10

The format spec is:

• a /var/lib/dpkg/status.d/ directory
• inside this dir, for each package:
  • a debian control file named after the the package name
  • a debian md5sums file named after the the .md5sums
  • as before, a /usr/share/doc//copyright debian copyright file

For instance with get:

• http://localhost/project/gcriodistrolessbase-debian12-2b808ec5/resources/gcr_io_distroless_base_debian12.tar-extract/949b44fda9d054b2b420218f6b156e222fb1f89f38dc45521c1b9ac73c7a9c9e/var/lib/dpkg/status.d/libssl3/#viewer

  Package: libssl3
  Source: openssl
  Version: 3.0.14-1~deb12u2
  Architecture: amd64
  Maintainer: Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>
  Installed-Size: 6021
  Depends: libc6 (>= 2.34)
  Section: libs
  Priority: optional
  Multi-Arch: same
  Homepage: https://www.openssl.org/
  Description: Secure Sockets Layer toolkit - shared libraries
  This package is part of the OpenSSL project's implementation of the SSL
  and TLS cryptographic protocols for secure communication over the
  Internet.
  .
  It provides the libssl and libcrypto shared libraries.

And http://localhost/project/gcriodistrolessbase-debian12-2b808ec5/resources/gcr_io_distroless_base_debian12.tar-extract/949b44fda9d054b2b420218f6b156e222fb1f89f38dc45521c1b9ac73c7a9c9e/var/lib/dpkg/status.d/libssl3.md5sum/#viewer

41f2830840762278c3eea9f210d766bb  usr/lib/x86_64-linux-gnu/engines-3/afalg.so
cf0b11ae7ebc72735b07f66ca9689ff0  usr/lib/x86_64-linux-gnu/engines-3/loader_attic.so
120a42bed88d3307c29c399e54afdf6a  usr/lib/x86_64-linux-gnu/engines-3/padlock.so
5538de8b84c0804f36598ecc307279fd  usr/lib/x86_64-linux-gnu/libcrypto.so.3
8128c7581b84dbce11cbaee835e2a4cc  usr/lib/x86_64-linux-gnu/libssl.so.3
51f6c8e9e460a9cd16a761a37f4b4f6b  usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so
d01f389114a4319471b487544ef32a85  usr/share/doc/libssl3/changelog.Debian.gz
3345b69c1ee497bb55492eeca358d3fb  usr/share/doc/libssl3/changelog.gz
6264b3617e9bd0092102a2ab8db06adb  usr/share/doc/libssl3/copyright

@thesayyn @loosebazooka Thanks for having fixed this upstream.