Add support for Alpine (apk)

[cmur2]

This PR proposes to add support for analyzing and diffing Alpine Docker images with container-diff (amazing tool!).
I want to contribute a differ for apk which is very similar to the Debian apt differ since the database that apk uses (located at /lib/apk/db/installed) is also very similar to that of dpkg, with a line-based key value format.

I also include tests for the new differ in this PR.

Demo of how the feature works:

$ out/container-diff analyze alpine:3.15 --type=apk

-----Apk-----

Packages found in alpine:3.15:
NAME                           VERSION            SIZE
-alpine-baselayout             3.2.0-r18          404K
-alpine-keys                   2.4-r1             156K
-apk-tools                     2.12.7-r3          304K
-busybox                       1.34.1-r3          924K
-ca-certificates-bundle        20191127-r7        228K
-libc-utils                    0.7.2-r3           4K
-libcrypto1.1                  1.1.1l-r7          2.6M
-libretls                      3.3.4-r2           84K
-libssl1.1                     1.1.1l-r7          528K
-musl                          1.2.2-r7           608K
-musl-utils                    1.2.2-r7           140K
-scanelf                       1.3.3-r0           92K
-ssl_client                    1.34.1-r3          28K
-zlib                          1.2.11-r3          108K

out/container-diff diff alpine:3.14 alpine:3.15 --type=apk

-----Apk-----

Packages found only in alpine:3.14: None

Packages found only in alpine:3.15: None

Version differences:
PACKAGE                        IMAGE1 (alpine:3.14)        IMAGE2 (alpine:3.15)
-alpine-baselayout             3.2.0-r16, 404K             3.2.0-r18, 404K
-alpine-keys                   2.4-r0, 156K                2.4-r1, 156K
-apk-tools                     2.12.7-r0, 304K             2.12.7-r3, 304K
-busybox                       1.33.1-r6, 928K             1.34.1-r3, 924K
-ca-certificates-bundle        20191127-r5, 228K           20191127-r7, 228K
-libcrypto1.1                  1.1.1l-r0, 2.6M             1.1.1l-r7, 2.6M
-libretls                      3.3.3p1-r2, 84K             3.3.4-r2, 84K
-libssl1.1                     1.1.1l-r0, 528K             1.1.1l-r7, 528K
-musl                          1.2.2-r3, 608K              1.2.2-r7, 608K
-musl-utils                    1.2.2-r3, 144K              1.2.2-r7, 140K
-scanelf                       1.3.2-r0, 92K               1.3.3-r0, 92K
-ssl_client                    1.33.1-r6, 28K              1.34.1-r3, 28K

I use Go 1.17 locally and did run make test integration and received the following output:

Running go tests...
?   	github.com/GoogleContainerTools/container-diff	[no test files]
ok  	github.com/GoogleContainerTools/container-diff/cmd	(cached)
?   	github.com/GoogleContainerTools/container-diff/cmd/util/output	[no test files]
ok  	github.com/GoogleContainerTools/container-diff/differs	0.037s
?   	github.com/GoogleContainerTools/container-diff/hack/release_notes	[no test files]
?   	github.com/GoogleContainerTools/container-diff/pkg/util	[no test files]
ok  	github.com/GoogleContainerTools/container-diff/util	(cached)
?   	github.com/GoogleContainerTools/container-diff/version	[no test files]
Checking gofmt...
Gofmt errors in files: ./tests/integration_test.go
make: *** [Makefile:59: test] Fehler 1

Edit2: With Go 1.16 it works like a charm, seems to be related to introduction of https://go.googlesource.com/proposal/+/master/design/draft-gobuild.md in Go 1.17.

Since this PR does not touch tests/integration_test.go I assume it should be fine.

Closes #361

Edit: anyone wanting to get quick access to the Linux amd64 binary can look at https://github.com/cmur2/container-diff/releases/tag/add-alpine-support at their own risk.

[cmur2]

Could I get a review from any of the codeowners @nkubala @tstromberg 🙏🏼 ?

[cmur2]

Bump :)

[bostrowski13]

Boy would I love apline support.

[cmur2]

@tequilarista sorry for the cold call but you seem to be able to merge PRs like #376 - would you mind looking at my PR?

[mesaglio]

This feature is good to chainguard-images, other distroless technology builded with declarative system, apko, base on apk.

@nkubala 🏓

We can use this to analyze fs under some new apk installation.
@dlorenc @kaniini

[mesaglio]

@loosebazooka

[loosebazooka]

Yeah no reason this can't be in here. I'll see if someone with alpine experience could help review this. @imjasonh @jonjohnsonjr perhaps?

[akashagarwal7]

Bump! This would be very handy.