
Update distroless dependencies #1655

Closed
wants to merge 3 commits into from


@dhalperi dhalperi commented Oct 19, 2020

It's been over a year since they were updated. For Java at least, many security updates in that time.

I had to manually skip static and debian9 in the update_deps.sh script, as they
failed on https://gcr.io/v2/distroless/static/manifests/debug

{
  errors: [
    {
      code: "MANIFEST_UNKNOWN",
      message: "Failed to fetch "debug" from request "/v2/distroless/static/manifests/debug"."
    }
  ]
}

@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dhalperi
To complete the pull request process, please assign smukherj1 after the PR has been reviewed.
You can assign the PR to them by writing /assign @smukherj1 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dhalperi
Contributor Author

Hmm, this changes ~the exact same files as #480, yet the tests fail. Not yet able to figure out why.

@dhalperi
Contributor Author

@smukherj1 @alex1545 - GitHub seems to have assigned you as reviewers. Any suggestions?

# "gcr.io/distroless/python3:latest" circa 2019-10-11 13:46 -0400
"latest": "sha256:de110a5eb0edb950dc4653ae0288f530b8c2af77e44d9bebab117ed0b74d5426",
# "gcr.io/distroless/python3:debug" circa 2020-10-19 11:55 -0700
"debug": "sha256:1d992aa6631cacd44746d5d2915b21ad93869cfb2519f90bd516a244b528b6fe",
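Review bot: the two pins in this block are no longer a matched pair: the `latest` line still carries its 2019-10-11 timestamp while `debug` was bumped to 2020-10-19, so only one of the two tags for gcr.io/distroless/python3 was refreshed here. If update_deps.sh skipped `latest`, it is worth re-pinning both tags in one run so the dates and digests in the comments stay in step and a stale `latest` digest is not left beside a fresh `debug` one.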
Collaborator

It looks like one of these is problematic. Try manually reverting the changes in this file?

Contributor Author

Hmm. I reran the script completely and it now is reporting errors for both python and go containers :). The errors are non-deterministic, based on which CI step you look at -- which means it may also have messed up any others, but Bazel is reporting the first error.

Locally, I also get errors for cc_image:

ERROR: /Users/dan/rules_docker/tests/container/rust/BUILD:20:11: //tests/container/rust:rust_image depends on @cc_image_base//image:image in repository @cc_image_base which failed to fetch. no such package '@cc_image_base//image': SHA256 of the image specified does not match SHA256 of the pulled image. Expected sha256:ac75dbf0b249e5e3758134458d447bfd6a85d74c262ecb7cd88df68a3f53c6e3, but pulled image with sha256:c4014bdecaede16f767f8cfc496f968736bc08632bf54a37c004820e85cd8209. It is possible that you have a pin to a manifest list which points to another image, if so, change the pin to point at the actual Docker image

Do you know what the pin it's talking about refers to?

Contributor Author

@dhalperi dhalperi Oct 30, 2020

Playing around:

$ ~/go/bin/crane digest gcr.io/distroless/cc:latest 
2020/10/30 13:17:44 No matching credentials were found, falling back on anonymous
sha256:ac75dbf0b249e5e3758134458d447bfd6a85d74c262ecb7cd88df68a3f53c6e3

$ ~/go/bin/crane manifest gcr.io/distroless/cc:latest 
2020/10/30 13:15:34 No matching credentials were found, falling back on anonymous
{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
   "manifests": [
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 947,
         "digest": "sha256:c4014bdecaede16f767f8cfc496f968736bc08632bf54a37c004820e85cd8209",
         "platform": {
            "architecture": "amd64",
            "os": "linux"
         }
      },
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 947,
         "digest": "sha256:ec7bfcbba262708761909c65c9d26358a1785b849bf32507fa785ddaed77e9bd",
         "platform": {
            "architecture": "arm64",
            "os": "linux"
         }
      }
   ]
}

So I can see where both the shas in the error are coming from.

Contributor Author

I'm guessing that google/go-containerregistry#625 is related.

Contributor Author

Ah, and duh, I have confirmed that the sha256sum of the manifest is the string returned by crane digest:

$  ~/go/bin/crane manifest gcr.io/distroless/cc:latest | sha256sum 
2020/10/30 13:44:37 No matching credentials were found, falling back on anonymous
ac75dbf0b249e5e3758134458d447bfd6a85d74c262ecb7cd88df68a3f53c6e3  -

This is error-prone: relies on me copying the right
latest into the right sha, the right debug into the right sha.
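The two failure modes discussed in this thread (a registry answering a tag lookup with an errors document such as MANIFEST_UNKNOWN, and a pin that holds the digest of a manifest list rather than of the platform image inside it) can both be caught before a digest is written into the deps file. The following is an added example, not code from this PR or from rules_docker; it assumes the caller has already fetched the manifest bytes (for instance with crane manifest) and uses the manifest-list JSON and digests printed above as constructed sample input.

```python
import hashlib
import json

# Media types seen in the crane manifest output above: a multi-platform list
# and the single-platform image manifest it points at.
MANIFEST_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
IMAGE_MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"


def manifest_digest(raw: bytes) -> str:
    """Content digest of a manifest: sha256 over the exact bytes the registry
    served. Hashing re-serialised JSON would change whitespace and the hash,
    which is why the thread pipes crane's raw output straight into sha256sum."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def resolve_image_digest(raw: bytes, os_name: str = "linux", arch: str = "amd64"):
    """Classify a manifest fetched by tag and return (kind, value).

    ("error", codes)   the registry returned an errors[] document (e.g. MANIFEST_UNKNOWN),
                       so there is nothing to pin; codes is a comma-joined list.
    ("image", digest)  the tag resolves to a single-platform image; digest is the
                       sha256 of the served bytes and is safe to pin.
    ("list", digest)   the tag resolves to a manifest list; digest is the entry for
                       the requested platform, which is what a Bazel image pin must
                       hold. Pinning sha256(raw) here reproduces the mismatch error.
    """
    doc = json.loads(raw)
    if "errors" in doc:
        return ("error", ",".join(e.get("code", "?") for e in doc["errors"]))
    media = doc.get("mediaType")
    if media == IMAGE_MANIFEST:
        return ("image", manifest_digest(raw))
    if media == MANIFEST_LIST:
        for entry in doc.get("manifests", []):
            plat = entry.get("platform", {})
            if plat.get("os") == os_name and plat.get("architecture") == arch:
                return ("list", entry["digest"])
        raise LookupError(f"no {os_name}/{arch} entry in manifest list")
    raise ValueError(f"unexpected mediaType {media!r}")


def check_pin(raw: bytes, pinned: str, os_name: str = "linux", arch: str = "amd64"):
    """Return (ok, expected). ok is True when the pinned digest is the one the
    puller will actually compare against; otherwise expected is the digest the
    pin should be changed to (the platform image digest, never the list digest)."""
    kind, value = resolve_image_digest(raw, os_name, arch)
    if kind == "error":
        return (False, None)
    return (pinned == value, value)


# Constructed sample inputs. The digests are the ones shown in the thread; the
# list itself is the crane manifest output re-typed as compact JSON, so its
# sha256 is not the page's ac75... value and is computed at run time instead.
SAMPLE_LIST = json.dumps({
    "schemaVersion": 2,
    "mediaType": MANIFEST_LIST,
    "manifests": [
        {"mediaType": IMAGE_MANIFEST, "size": 947,
         "digest": "sha256:c4014bdecaede16f767f8cfc496f968736bc08632bf54a37c004820e85cd8209",
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": IMAGE_MANIFEST, "size": 947,
         "digest": "sha256:ec7bfcbba262708761909c65c9d26358a1785b849bf32507fa785ddaed77e9bd",
         "platform": {"architecture": "arm64", "os": "linux"}},
    ],
}).encode()

SAMPLE_ERROR = json.dumps({
    "errors": [{"code": "MANIFEST_UNKNOWN",
                "message": 'Failed to fetch "debug" from request "/v2/distroless/static/manifests/debug".'}]
}).encode()


if __name__ == "__main__":
    # Pinning the list digest is the mistake from the Bazel error in the thread.
    print(check_pin(SAMPLE_LIST, manifest_digest(SAMPLE_LIST)))
    print(check_pin(SAMPLE_LIST, "sha256:c4014bdecaede16f767f8cfc496f968736bc08632bf54a37c004820e85cd8209"))
    print(resolve_image_digest(SAMPLE_ERROR))
```

An update script that runs this check on each tag before rewriting the deps file would skip tags the registry cannot serve instead of aborting, and would always record the per-platform image digest, which is the value the Bazel puller compares against.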
@dhalperi dhalperi closed this Oct 30, 2020
@dhalperi
Contributor Author

Figured out how to fix update_deps, will send another PR.
