canonical / chisel

GNU Affero General Public License v3.0

include package metadata in chiseled images #148

Open sozercan opened 3 weeks ago

sozercan commented 3 weeks ago

Custom Ubuntu chiseled images don't seem to contain package metadata. This makes them impossible to scan for vulnerabilities or to patch with https://github.com/project-copacetic/copacetic

$ trivy image <chiseled>
...
2024-07-12T16:29:43Z    WARN    No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2024-07-12T16:29:43Z    WARN    e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
...

For example, Google distroless contains package information in /var/lib/dpkg/status.d/ https://oci.dag.dev/layers/gcr.io/distroless/static-debian12@sha256:e9168165836a0e692fbd161177ea950bfc17e3ec476fff726ff7c038e62e5cc8/var/lib/dpkg/status.d/

and similarly in Azure Linux in /var/lib/rpmmanifest/ https://oci.dag.dev/layers/mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:421cb3d7179891ba8ab574f6170b9b2e9e19531575446df7b5abffd4c6f2394b/var/lib/rpmmanifest/
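A check worth running over an exported rootfs before relying on a scanner, written here as an added example (it is not code from chisel, chisel-wrapper or the issue author): it parses both dpkg layouts named above, the classic /var/lib/dpkg/status and the distroless /var/lib/dpkg/status.d/, and returns an empty list for a metadata-less image, which is exactly the case Trivy warns about. The sample stanza, the package version and the rootfs layouts are constructed for the demo.

```python
import tempfile
from pathlib import Path
# Constructed sample stanza (not from a real image); dpkg stanzas are separated by blank lines.
SAMPLE_STANZA = ("Package: libc6\nStatus: install ok installed\n"
                 "Version: 2.39-0ubuntu8\nArchitecture: amd64\n\n")
# Constructed rootfs layouts; "none" mirrors the chiseled image from the issue (no dpkg DB at all).
LAYOUTS = {
    "none": {},
    "status": {"var/lib/dpkg/status": SAMPLE_STANZA},            # classic Ubuntu/Debian
    "status.d": {"var/lib/dpkg/status.d/libc6": SAMPLE_STANZA,    # distroless layout
                 "var/lib/dpkg/status.d/libc6.md5sums": ""},      # checksum sibling, not a stanza
}

def parse_dpkg_status(text):
    """One dict per installed package stanza; continuation lines and removed packages are skipped."""
    pkgs = []
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line.startswith((" ", "\t")) or ":" not in line:
                continue  # multi-line field body (e.g. Description) or junk
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        status = fields.get("Status", "install ok installed")  # status.d files may omit Status
        if "Package" in fields and status.endswith("installed"):
            pkgs.append(fields)
    return pkgs
def find_dpkg_metadata(rootfs):
    """Installed packages from either layout; an empty list means scanners see no OS packages."""
    found = []
    status = rootfs / "var/lib/dpkg/status"
    if status.is_file():
        found += parse_dpkg_status(status.read_text())
    status_d = rootfs / "var/lib/dpkg/status.d"
    if status_d.is_dir():
        for entry in sorted(status_d.iterdir()):
            if entry.is_file() and not entry.name.endswith(".md5sums"):
                found += parse_dpkg_status(entry.read_text())
    return found
def demo():
    """Materialise each constructed layout in a temp dir; returns layout -> package names found."""
    results = {}
    for layout, files in LAYOUTS.items():
        with tempfile.TemporaryDirectory() as tmp:
            for rel, content in files.items():
                path = Path(tmp) / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(content)
            results[layout] = [p["Package"] for p in find_dpkg_metadata(Path(tmp))]
    return results
```

Pointing `find_dpkg_metadata` at a directory produced by `docker export` (or any unpacked image rootfs) gives the same answer a scanner's OS-package detection would reach, so a CI step can refuse to publish an image for which it returns nothing.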

sozercan commented 3 weeks ago

Looks like this is part of https://github.com/canonical/rocks-toolbox/blob/main/chisel-wrapper as --generate-dpkg-status; it would be great to have this in chisel directly.

rebornplusplus commented 3 weeks ago

Hi @sozercan, you found the chisel-wrapper!

We do have some plans to have a DB generated by Chisel directly, which will resolve this issue. The PRs are very close to being merged and will hopefully land in a new version soon! Until then, please feel free to use the chisel-wrapper. We are currently using the wrapper for building the ubuntu/dotnet-* Docker images too.

Let me know if you have any more questions. Cheers!