
Add a flag to optionally build without containerd dependency #6160

Closed
slonka opened this issue Aug 17, 2023 · 4 comments

Comments

@slonka
Contributor

slonka commented Aug 17, 2023

What is the underlying problem you're trying to solve?

Containerd frequently shows up on our security scans due to CVEs - https://osv.dev/list?page=2&q=containerd. In our case we don't use OCI download so it would be great if OPA could introduce a flag to build without containerd.

Describe the ideal solution

I can run

make GO_TAGS="-tags=no_oci" build

to build without containerd. And running

go version -m opa_darwin_arm64 | grep containerd

shows no containerd included.

Describe a "Good Enough" solution

Containerd is either included as a dependency or not, I don't think there is a "good enough" solution.

Additional Context

Due to the frequency of CVEs reported in containerd the maintenance cost is higher. We would love to minimise that. I have created a draft PR to show how it could be implemented.
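As an added illustration (not code from this issue, the draft PR, or OPA itself), the following POSIX shell script reproduces the pattern described above on a tiny constructed module: the OCI code path sits behind a `//go:build !no_oci` constraint with a stub selected under `no_oci`, and `go version -m` on each binary shows whether the stand-in module `example.com/fakecontainerd` (a constructed local replacement standing in for containerd) ended up in the build. It assumes a Go toolchain on PATH; everything else is generated locally.

```shell
# Added example: gate an import behind a Go build tag and confirm with
# `go version -m` whether the module is embedded in the resulting binary.
# example.com/fakecontainerd is a constructed stand-in for containerd.
set -eu
export GOTOOLCHAIN=local   # never auto-download a toolchain; build offline

# Write a throwaway module (local replace directive, so no network is needed).
make_demo_module() {
  dir=$(mktemp -d)
  mkdir -p "$dir/fakecontainerd" "$dir/app"
  printf 'module example.com/app\n\ngo 1.20\n\nrequire example.com/fakecontainerd v0.0.0\n\nreplace example.com/fakecontainerd => ./fakecontainerd\n' >"$dir/go.mod"
  printf 'module example.com/fakecontainerd\n\ngo 1.20\n' >"$dir/fakecontainerd/go.mod"
  printf 'package fakecontainerd\n\nfunc Pull() string { return "oci" }\n' >"$dir/fakecontainerd/pull.go"
  # Default build: the OCI code path (and its import) is compiled in.
  cat >"$dir/app/oci.go" <<'EOF'
//go:build !no_oci

package main

import fc "example.com/fakecontainerd"

func pull() string { return fc.Pull() }
EOF
  # With -tags no_oci this stub is selected instead and the import vanishes.
  cat >"$dir/app/oci_stub.go" <<'EOF'
//go:build no_oci

package main

func pull() string { return "oci download disabled at build time" }
EOF
  printf 'package main\n\nfunc main() { println(pull()) }\n' >"$dir/app/main.go"
  echo "$dir"
}

# Number of "dep" lines naming module $2 in the embedded build info of binary $1.
dep_count() {
  go version -m "$1" | awk -v m="$2" '$1 == "dep" && $2 == m' | wc -l | tr -d ' '
}

# Build both variants; prints "<deps in default build> <deps with no_oci>", i.e. "1 0".
demo() {
  dir=$(make_demo_module)
  (cd "$dir" && go build -o with_oci ./app && go build -tags no_oci -o no_oci ./app)
  result="$(dep_count "$dir/with_oci" example.com/fakecontainerd) $(dep_count "$dir/no_oci" example.com/fakecontainerd)"
  rm -rf "$dir"
  echo "$result"
}
```

Note that this only changes what is linked into the binary; go.mod and go.sum still list the module, which is the limitation raised later in this thread for scanners that read the module files instead of the binary.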

@srenatus
Contributor

Thanks for raising this, and thanks for drafting a PR. I can understand that false positive CVEs for functionality you don't even use are annoying.

As per "good enough", I think what you propose is good enough; the ideal solution would be to get rid of the dependency without introducing a build flag. We could check if it is really, really needed, or if we could make do with ORAS v2 alone. (cc @carabasdaniel: Any ideas?)

The problem with the build flag is that it won't have an effect on go.mod and go.sum, which some tools also use for determining the project's dependencies... it would only help with tools clever enough to check go version -m BINARY.

@slonka
Contributor Author

slonka commented Aug 17, 2023

I agree on the "good enough" part. What's our path forward here? Should I wait for @carabasdaniel's answer? Would anyone help me get the PR in "green tick" shape?

@srenatus
Contributor

@ashutosh-narkar is back on Monday. Let's see what he thinks; the PR looks almost good to go -- see my comment on it. Thanks again for working on this!

@ashutosh-narkar
Member

Fixed in #6159.
