Add support for distroless-based Docker images

[pombredanne]

distroless images are really based on Debian with a slightly different layout for installed packages data.

See also:

• https://github.com/nexB/container-inspector/blob/90c4aa61be4d69f3392b6e02e88f3996f8375f68/src/container_inspector/distro.py#L420
• https://github.com/GoogleContainerTools/distroless
• https://medium.com/@luke_perry_dev/dockerizing-with-distroless-f3b84ae10f3a

[pombredanne]

There are some issues on the observability of Distroless images in particular this GoogleContainerTools/distroless#741
And there are regression even on this lack observability with GoogleContainerTools/distroless#787 where the names of the status files in the status.d directory are now base64-encoded e.g. mangled.

[pombredanne]

This is blocked by lack of observability of Distroless images package files.

[pombredanne]

I think we can now move forward based on comments and PRs posted:

• Keep package-installed files listing for Debian packages installed in a distroless image bazelbuild/rules_docker#1876 has been merged with Add md5sums file list to distroless container bazelbuild/rules_docker#2065 and .bazelversion,WORKSPACE: Bazel 6.0.0 -> 6.3.0; Update dependencies GoogleContainerTools/distroless#1367 uses that version
• Keep lists of packaged-installed files inside a built image GoogleContainerTools/distroless#741 should be closed once we tested here.

Note that rules_docker has been archived and replaced by rules_oci:

• https://github.com/bazel-contrib/rules_oci

And rules_oci does not know about Debian-specific package files.

In the end, distroless instead uses this shell script in rules_distroless
https://github.com/GoogleContainerTools/rules_distroless/blob/35a7d5a37b34e68f1d58d7e452147afe941f3e5a/apt/private/dpkg_statusd.sh#L10

The format spec is:

• a /var/lib/dpkg/status.d/ directory
• inside this dir, for each package:
  • a debian control file named after the the package name
  • a debian md5sums file named after the the .md5sums
  • as before, a /usr/share/doc//copyright debian copyright file

For instance with get:

• http://localhost/project/gcriodistrolessbase-debian12-2b808ec5/resources/gcr_io_distroless_base_debian12.tar-extract/949b44fda9d054b2b420218f6b156e222fb1f89f38dc45521c1b9ac73c7a9c9e/var/lib/dpkg/status.d/libssl3/#viewer

Package: libssl3
Source: openssl
Version: 3.0.14-1~deb12u2
Architecture: amd64
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@alioth-lists.debian.net>
Installed-Size: 6021
Depends: libc6 (>= 2.34)
Section: libs
Priority: optional
Multi-Arch: same
Homepage: https://www.openssl.org/
Description: Secure Sockets Layer toolkit - shared libraries
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols for secure communication over the
 Internet.
 .
 It provides the libssl and libcrypto shared libraries.

And http://localhost/project/gcriodistrolessbase-debian12-2b808ec5/resources/gcr_io_distroless_base_debian12.tar-extract/949b44fda9d054b2b420218f6b156e222fb1f89f38dc45521c1b9ac73c7a9c9e/var/lib/dpkg/status.d/libssl3.md5sum/#viewer

41f2830840762278c3eea9f210d766bb  usr/lib/x86_64-linux-gnu/engines-3/afalg.so
cf0b11ae7ebc72735b07f66ca9689ff0  usr/lib/x86_64-linux-gnu/engines-3/loader_attic.so
120a42bed88d3307c29c399e54afdf6a  usr/lib/x86_64-linux-gnu/engines-3/padlock.so
5538de8b84c0804f36598ecc307279fd  usr/lib/x86_64-linux-gnu/libcrypto.so.3
8128c7581b84dbce11cbaee835e2a4cc  usr/lib/x86_64-linux-gnu/libssl.so.3
51f6c8e9e460a9cd16a761a37f4b4f6b  usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so
d01f389114a4319471b487544ef32a85  usr/share/doc/libssl3/changelog.Debian.gz
3345b69c1ee497bb55492eeca358d3fb  usr/share/doc/libssl3/changelog.gz
6264b3617e9bd0092102a2ab8db06adb  usr/share/doc/libssl3/copyright

@thesayyn @loosebazooka Thanks for having fixed this upstream.