include package metadata in chiseled images

[sozercan]

custom ubuntu chiseled images doesn't seem to contain package metadata. This makes it unable to be scanned for vulnerabilities or patched with https://github.com/project-copacetic/copacetic

$ trivy image <chiseled>
...
024-07-12T16:29:43Z	WARN	No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2024-07-12T16:29:43Z	WARN	e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
...

For example, Google distroless contains package information in /var/lib/dpkg/status.d/
https://oci.dag.dev/layers/gcr.io/distroless/static-debian12@sha256:e9168165836a0e692fbd161177ea950bfc17e3ec476fff726ff7c038e62e5cc8/var/lib/dpkg/status.d/

and similarly in Azure Linux in /var/lib/rpmmanifest/
https://oci.dag.dev/layers/mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:421cb3d7179891ba8ab574f6170b9b2e9e19531575446df7b5abffd4c6f2394b/var/lib/rpmmanifest/

[sozercan]

looks like this is part of https://github.com/canonical/rocks-toolbox/blob/main/chisel-wrapper as --generate-dpkg-status, would be great to have this in chisel directly

[rebornplusplus]

Hi @sozercan, you found the chisel-wrapper!

We do have some plans to have a DB generated by Chisel directly which will resolve this issue. The PRs are very close to be merged and will hopefully land in a new version soon! Until then, please feel free to use the chisel-wrapper. We are currently using the wrapper for building ubuntu/dotnet-* docker images too.

Let me know if you have any more questions. Cheers!

[sozercan]

@rebornplusplus do you know the latest status on this? will this have the same structure with what's available with chisel-wrapper (single status file)?

thanks!

[rebornplusplus]

Hello! The last PR for the Chisel DB/manifest is in the final review stage: #142. The format will not be the same as the dpkg status file. The format is introduced in the internal/manifest/manifest.go file.

[cjdcordeiro]

Closing this issue as:

• the chisel-wrapper offers the ability to generate an artificial dpkg/status for legacy compatibility with 3rd party tools
• the chisel manifest is now supported

Native Trivy support for Chisel Manifests is also being proposed in aquasecurity/trivy#8644. Your upvote/comment might help speed things up.