chore(docker/falco): add back some deps to falco docker image.

[FedeDP]

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area build

What this PR does / why we need it:

The PR adds back some deps that were removed in c2b940f from the Falco "fat" image.

Those deps are needed to build drivers on some distros/kernel configs.
I added back the ones that are provided by the falco-driver-loader-legacy image.
See relevant slack thread: https://kubernetes.slack.com/archives/CMWH3EH32/p1701249107807099

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[FedeDP]

/cc @LucaGuerra
/milestone 0.37.0

[LucaGuerra]

I know libelf-dev is useful for OpenShift compatibility but can we understand why the others? This is because we may be tempted to remove them in the future and it'd be good to have any kind of "trail" we can follow to understand why something was there in the first place.

[FedeDP]

These were used in the -legacy image.
My opinion is: using the ones used by -legacy image we are sure that we are not breaking an existing behavior; perhaps we miss some more, but at least the 2 images are equal now.

[LucaGuerra]

Let me take a bit of a closer look. I don't think we want a bloated image but at the same time we want to increase compatibility.

[LucaGuerra]

Hi! I'm back here. I analyzed two things about what we are attempting to do:

1. The size difference of the two images
2. The potential impact of the vulnerabilities that we may see in scanners due to these added packages (because I had a quick discussion with @leogr in the past about this)

The size of the compressed image is not a lot, about 23 MBs, I think we can live with that.
Regarding the vulnerabilities, I won't bore you with how I conducted the analysis but I noticed which packages, dependencies and "source packages" (a dpkg concept) are introduced with this change. Out of those, how often vulnerabilities are detected and if it's likely that they would very negatively impact our scanning results.

The result is that they won't. libbpf had two vulnerabilities per year recently and bison had a couple in 2020, the rest are in the security DBs even less frequently. They are massively outweighted by the many, many vulnerabilities (technically false positives but I digress) that are detected due to the dependencies of LLVM and the base image. Conclusion: I think we can add all of those!

Thank you Fede.

[FedeDP]

Thanks to you Luca for your great analysis!

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, leogr, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• docker/OWNERS [FedeDP,LucaGuerra,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment