include package metadata in chiseled images #148

Open
sozercan opened this issue Jul 12, 2024 · 4 comments

@sozercan

sozercan commented Jul 12, 2024

Custom Ubuntu chiseled images don't seem to contain package metadata. This makes them unable to be scanned for vulnerabilities or patched with https://github.com/project-copacetic/copacetic

$ trivy image <chiseled>
...
2024-07-12T16:29:43Z	WARN	No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2024-07-12T16:29:43Z	WARN	e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
...

For example, Google distroless contains package information in /var/lib/dpkg/status.d/
https://oci.dag.dev/layers/gcr.io/distroless/static-debian12@sha256:e9168165836a0e692fbd161177ea950bfc17e3ec476fff726ff7c038e62e5cc8/var/lib/dpkg/status.d/

and similarly in Azure Linux in /var/lib/rpmmanifest/
https://oci.dag.dev/layers/mcr.microsoft.com/cbl-mariner/distroless/minimal@sha256:421cb3d7179891ba8ab574f6170b9b2e9e19531575446df7b5abffd4c6f2394b/var/lib/rpmmanifest/
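
Added example (not part of the issue thread, and not code from Chisel, Trivy or Copacetic): a Python check that looks inside a root filesystem tarball, such as the output of `docker export`, for the package-metadata directories named above and lists any dpkg packages recorded in `status` or `status.d/`. The function names, the in-memory sample tarballs and the `libexample1` package are constructed for illustration.

```python
import io
import tarfile

# Package-metadata directories named on this page (dpkg covers status and status.d/).
METADATA_DIRS = {"dpkg": "var/lib/dpkg/", "apk": "lib/apk/db/",
                 "rpm": "var/lib/rpm/", "rpmmanifest": "var/lib/rpmmanifest/"}

def parse_dpkg_stanzas(text):
    """Return (package, version) pairs from dpkg status-format text."""
    packages = []
    for stanza in text.split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines start with whitespace; skip them.
            if line and not line[0].isspace() and ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields:
            packages.append((fields["Package"], fields.get("Version", "")))
    return packages

def audit_rootfs(tar_bytes):
    """Report metadata kinds and dpkg packages in a rootfs tarball (e.g. `docker export`)."""
    found, packages = set(), []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for member in tar:
            name = member.name.lstrip("./")
            if not member.isfile():
                continue
            found.update(k for k, p in METADATA_DIRS.items() if name.startswith(p))
            if name == "var/lib/dpkg/status" or name.startswith("var/lib/dpkg/status.d/"):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                packages += parse_dpkg_stanzas(text)
    return sorted(found), sorted(packages)

def make_tar(files):
    """Build an in-memory tarball from {path: text}; used for the constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, text in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()

# Constructed samples: a rootfs with no package database, and one with a status.d entry.
BARE = make_tar({"usr/bin/app": "x"})
WITH_DB = make_tar({"usr/bin/app": "x", "var/lib/dpkg/status.d/libexample1":
                    "Package: libexample1\nVersion: 1.2.3-1\nDescription: demo\n more text\n"})
print(audit_rootfs(BARE), audit_rootfs(WITH_DB))
```

An empty first element in the result corresponds to the state in which the scanner output above reports that no OS package is detected.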

@sozercan
Author

sozercan commented Jul 12, 2024

looks like this is part of https://github.com/canonical/rocks-toolbox/blob/main/chisel-wrapper as --generate-dpkg-status, would be great to have this in chisel directly

@rebornplusplus
Member

Hi @sozercan, you found the chisel-wrapper!

We do have some plans to have a DB generated by Chisel directly, which will resolve this issue. The PRs are very close to being merged and will hopefully land in a new version soon! Until then, please feel free to use the chisel-wrapper. We are currently using the wrapper for building ubuntu/dotnet-* docker images too.

Let me know if you have any more questions. Cheers!

@sozercan
Author

sozercan commented Sep 27, 2024

@rebornplusplus do you know the latest status on this? Will this have the same structure as what's available with chisel-wrapper (single status file)?

thanks!

@rebornplusplus
Member

Hello! The last PR for the Chisel DB/manifest is in the final review stage: #142. The format will not be the same as the dpkg status file. The format is introduced in the internal/manifest/manifest.go file.
