crypto-bug-hunters / builtins

Built-in binaries
GNU General Public License v3.0

Feature/chiselled distroless image #15

Closed endersonmaia closed 1 month ago

endersonmaia commented 1 month ago

This PR will introduce a distroless container image based on Canonical's chisel tool.

Comparing the current Ubuntu-based image to the chiselled one, we have no CVEs and a reduced final size.

builtins:0.5.0

> docker images ghcr.io/crypto-bug-hunters/builtins:0.5.0 --format "{{.Repository}}: {{.Size}}"
ghcr.io/crypto-bug-hunters/builtins: 209MB
> grype ghcr.io/crypto-bug-hunters/builtins:0.5.0
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    ghcr.io/crypto-bug-hunters/builtins:0.5.0
 ✔ Parsed image                    sha256:6a9cc6c774cdf62c89656d581686dee88a4795232dcb88ab58e399f1b3e1e779
 ✔ Cataloged contents              7a2734e2eb921648e25993f0c2e747e734daa7b400760cd4b84441f1ccaed847
   ├── ✔ Packages                        [90 packages]
   ├── ✔ File digests                    [2,037 files]
   ├── ✔ File metadata                   [2,037 locations]
   └── ✔ Executables                     [728 executables]
 ✔ Scanned for vulnerabilities     [8 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 3 medium, 3 low, 2 negligible
   └── by status:   1 fixed, 7 not-fixed, 0 ignored
NAME          INSTALLED          FIXED-IN           TYPE  VULNERABILITY   SEVERITY
coreutils     9.4-3ubuntu6                          deb   CVE-2016-2781   Low
gpgv          2.4.4-2ubuntu17                       deb   CVE-2022-3219   Low
libc-bin      2.39-0ubuntu8.3                       deb   CVE-2016-20013  Negligible
libc6         2.39-0ubuntu8.3                       deb   CVE-2016-20013  Negligible
libgcrypt20   1.10.3-2build1                        deb   CVE-2024-2236   Medium
libpcre2-8-0  10.42-4ubuntu2                        deb   CVE-2022-41409  Low
libssl3t64    3.0.13-0ubuntu3.3  3.0.13-0ubuntu3.4  deb   CVE-2024-6119   Medium
libssl3t64    3.0.13-0ubuntu3.3                     deb   CVE-2024-41996  Medium

builtins:pr-15

> docker images ghcr.io/crypto-bug-hunters/builtins:pr-15 --format "{{.Repository}}: {{.Size}}"
ghcr.io/crypto-bug-hunters/builtins: 144MB
> grype ghcr.io/crypto-bug-hunters/builtins:pr-15
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    ghcr.io/crypto-bug-hunters/builtins:pr-15
 ✔ Parsed image                    sha256:2f5cc98b501db3d3a1965a52a0a0627fa0a70661f2b9a2432008a60809f78de2
 ✔ Cataloged contents              fbb2b43af7cc0092511400e18e3974f73ab06597d7eaf02d6145884a00d4eb3a
   ├── ✔ Packages                        [0 packages]
   └── ✔ Executables                     [30 executables]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found

Running a command from the container

And it's still possible to run the binaries using the container.

docker run -ti --rm --platform=linux/riscv64 ghcr.io/crypto-bug-hunters/builtins:pr-15 /opt/bundle/reth-1.0.5-linux-riscv64 --version
reth Version: 1.0.5
Commit SHA: 603e39ab74509e0863fc023461a4c760fb2126d1
Build Timestamp: 1970-01-01T00:00:00.000000000Z
Build Features: jemalloc
Build Profile: release
endersonmaia commented 1 month ago

This less/0 CVEs result is a false negative, since chisel doesn't provide the information in the way grype knows how to find it.

So take this information with a grain of salt.

There are issues on the chisel side to address it, and we could address it ourselves by generating proper SBOMs for our packages and using them as input for grype, but that's out of scope for this PR.
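The false negative described in this thread (a cataloger that finds no packages, so a zero-match result proves nothing) can be caught mechanically in CI. The script below is an added example, not code from the builtins project: it parses grype's human-readable progress lines as printed in this PR (an assumption, since that output is grype's terminal UI and may change between versions) and refuses to call a scan clean when zero packages were cataloged but executables were found.

```python
# Added example (not builtins project code): sanity-check grype's progress
# output as printed in this PR. Assumes that line format; it is grype's
# terminal UI and may change between versions.
import re

# Each regex captures the count inside the brackets of one progress line.
_PATTERNS = {
    "packages": re.compile(r"Packages\s+\[([\d,]+) packages?\]"),
    "executables": re.compile(r"Executables\s+\[([\d,]+) executables?\]"),
    "matches": re.compile(
        r"Scanned for vulnerabilities\s+\[([\d,]+) vulnerability match(?:es)?\]"),
}

def parse_grype_summary(output: str) -> dict:
    """Return package, executable and match counts (None when a line is absent)."""
    counts = {}
    for key, pattern in _PATTERNS.items():
        m = pattern.search(output)
        counts[key] = int(m.group(1).replace(",", "")) if m else None
    return counts

def assess_scan(output: str) -> str:
    """Classify a scan as 'clean', 'findings' or 'unreliable'.

    'unreliable' means grype found executables but zero packages, so a zero
    match count reflects missing package metadata (the chisel case), not an
    absence of known CVEs.
    """
    c = parse_grype_summary(output)
    if c["packages"] is None or c["matches"] is None:
        raise ValueError("unrecognised grype output")
    if c["packages"] == 0 and (c["executables"] or 0) > 0:
        return "unreliable"
    return "findings" if c["matches"] > 0 else "clean"

# Constructed samples: the cataloger and scan lines from the PR's two runs.
UBUNTU_SCAN = """\
   ├── ✔ Packages                        [90 packages]
   └── ✔ Executables                     [728 executables]
 ✔ Scanned for vulnerabilities     [8 vulnerability matches]
"""
CHISEL_SCAN = """\
   ├── ✔ Packages                        [0 packages]
   └── ✔ Executables                     [30 executables]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
"""
if __name__ == "__main__":
    for tag, out in (("builtins:0.5.0", UBUNTU_SCAN), ("builtins:pr-15", CHISEL_SCAN)):
        print(f"{tag}: {assess_scan(out)}")
```

In a pipeline, an "unreliable" verdict should fail the job or fall back to a scan driven by a generated SBOM rather than being reported as zero CVEs.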