
feat: treat manifests with equal digest as single image #202

Merged: 1 commit merged into main from 1544-multiple-manifest-digest on Sep 19, 2023

Conversation

@spiffcs (Contributor) commented Sep 19, 2023

Support for anchore/syft#1544

When considering the manifests in the oci directory provider we now check to see if all of the digests are equivalent. If we find that all manifests are the same digest with just different tags then it makes sense to process the tar as a single image for analysis.

Note - this change only affects the directory and tarball provider - we have no such manifest check for the OCI registry provider.

To validate these changes you can go over to syft and use a replace directive using this branch.

To generate a local tar with the above conditions simply follow these instructions:

  1. If you don't have one already, use the docker-container driver with buildx:
     docker buildx create --use --name oci --driver docker-container
  2. Using a simple Dockerfile, generate the OCI tar:
     FROM alpine:latest

     docker buildx build . --platform=linux/amd64 --tag app:latest --tag app:1.0.0 --output type=oci,dest=app.tar
  3. Use syft (with the replace directive consuming this branch) to scan app.tar:
     syft app.tar

Without the branch you should see:

syft app.tar
2023/09/19 12:22:21 error during command execution: 1 error occurred:
	* failed to construct source from user input "app.tar": unable to load image: unable to use OciTarball source: unexpected number of OCI directory manifests (found 2)

Consuming this branch as the stereoscope dependency you should see:

syft app.tar
 ✔ Parsed image          sha256:af663469120203843a0803c642a53d39e0db2aba02fc0e092320b05b1b7b767f
 ✔ Cataloged packages    [16 packages]
NAME                    VERSION      TYPE
alpine-baselayout       3.4.3-r1     apk
alpine-baselayout-data  3.4.3-r1     apk
alpine-keys             2.4-r1       apk
apk-tools               2.14.0-r2    apk
busybox                 1.36.1-r2    apk
busybox-binsh           1.36.1-r2    apk
ca-certificates-bundle  20230506-r0  apk
libc-utils              0.7.2-r5     apk
libcrypto3              3.1.2-r0     apk
libssl3                 3.1.2-r0     apk
musl                    1.2.4-r1     apk
musl-utils              1.2.4-r1     apk
scanelf                 1.3.7-r1     apk
ssl_client              1.36.1-r2    apk
zlib                    1.2.13-r1    apk

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
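A minimal version of the check described in this PR, as an added example in Go that is not stereoscope's own code: it parses the index.json found inside an OCI layout (such as the app.tar produced by the buildx command above) and returns the one manifest digest only when every entry in the index agrees, which is the "same digest, different tags" case that previously failed with "unexpected number of OCI directory manifests". The ociDescriptor and ociIndex structs, the SingleManifestDigest function name, the use of the org.opencontainers.image.ref.name annotation to recover the tags, and the two embedded index.json payloads with made-up digests are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ociDescriptor is the subset of an OCI content descriptor this example needs
// (constructed type, not stereoscope's own).
type ociDescriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// ociIndex is the subset of an OCI image index (index.json) this example needs.
type ociIndex struct {
	SchemaVersion int             `json:"schemaVersion"`
	Manifests     []ociDescriptor `json:"manifests"`
}

// ErrMultipleImages signals that the index describes more than one distinct
// image, so it must not be collapsed into a single image for analysis.
var ErrMultipleImages = errors.New("index contains manifests with differing digests")

// SingleManifestDigest parses an index.json payload and returns the single
// manifest digest when every entry shares it (one image pushed under several
// tags). It also returns any tags recorded in the ref.name annotation.
// If digests differ it refuses with ErrMultipleImages rather than picking one.
func SingleManifestDigest(indexJSON []byte) (digest string, tags []string, err error) {
	var idx ociIndex
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return "", nil, fmt.Errorf("unable to parse index.json: %w", err)
	}
	if len(idx.Manifests) == 0 {
		return "", nil, errors.New("index.json lists no manifests")
	}
	digest = idx.Manifests[0].Digest
	for _, m := range idx.Manifests {
		if m.Digest == "" {
			return "", nil, errors.New("manifest descriptor has an empty digest")
		}
		if m.Digest != digest {
			return "", nil, fmt.Errorf("%w: %s vs %s", ErrMultipleImages, digest, m.Digest)
		}
		// Assumption: tags are carried in the standard ref.name annotation.
		if ref, ok := m.Annotations["org.opencontainers.image.ref.name"]; ok {
			tags = append(tags, ref)
		}
	}
	return digest, tags, nil
}

// Constructed sample: one manifest digest listed twice under two tags, which
// is the shape the buildx command with --tag app:latest --tag app:1.0.0 yields.
const multiTagIndex = `{
  "schemaVersion": 2,
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
     "size": 1234,
     "annotations": {"org.opencontainers.image.ref.name": "app:latest"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
     "size": 1234,
     "annotations": {"org.opencontainers.image.ref.name": "app:1.0.0"}}
  ]
}`

// Constructed sample: two genuinely different images in one index.
const twoImageIndex = `{
  "schemaVersion": 2,
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
     "size": 1234},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210",
     "size": 5678}
  ]
}`

func main() {
	for _, sample := range []struct{ name, payload string }{
		{"multi-tag", multiTagIndex},
		{"two-images", twoImageIndex},
	} {
		d, tags, err := SingleManifestDigest([]byte(sample.payload))
		if err != nil {
			fmt.Printf("%s: refusing to load as one image: %v\n", sample.name, err)
			continue
		}
		fmt.Printf("%s: single image %s tagged %v\n", sample.name, d, tags)
	}
}
```

Collapsing the entries is safe only because equal digests mean byte-identical manifest content; when the digests differ the function returns an error instead of silently analysing the first manifest, since that would leave the other image unscanned. Descriptors of other media types, for example a nested image index from a multi-platform build, are not descended into here.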
@github-actions (bot) commented

Benchmark Test Results

Benchmark results from the latest changes vs base branch
goos: linux
goarch: amd64
pkg: github.com/anchore/stereoscope/pkg/file
cpu: Intel(R) Xeon(R) CPU E5-2673 v4 @ 2.30GHz
           │ ./.tmp/benchmark-c344541.txt │
           │            sec/op            │
TarIndex-2                   48.40µ ± ∞ ¹
¹ need >= 6 samples for confidence interval at level 0.95

           │ ./.tmp/benchmark-c344541.txt │
           │             B/op             │
TarIndex-2                  5.560Ki ± ∞ ¹
¹ need >= 6 samples for confidence interval at level 0.95

           │ ./.tmp/benchmark-c344541.txt │
           │          allocs/op           │
TarIndex-2                    93.00 ± ∞ ¹
¹ need >= 6 samples for confidence interval at level 0.95

pkg: github.com/anchore/stereoscope/test/integration
                                      │ ./.tmp/benchmark-c344541.txt │
                                      │            sec/op            │
SimpleImage_GetImage/docker-archive-2                   1.735m ± ∞ ¹
SimpleImage_GetImage/podman-2                           32.49m ± ∞ ¹
geomean                                                 7.508m
¹ need >= 6 samples for confidence interval at level 0.95

                                      │ ./.tmp/benchmark-c344541.txt │
                                      │             B/op             │
SimpleImage_GetImage/docker-archive-2                  320.1Ki ± ∞ ¹
SimpleImage_GetImage/podman-2                          435.4Ki ± ∞ ¹
geomean                                                373.4Ki
¹ need >= 6 samples for confidence interval at level 0.95

                                      │ ./.tmp/benchmark-c344541.txt │
                                      │          allocs/op           │
SimpleImage_GetImage/docker-archive-2                   2.516k ± ∞ ¹
SimpleImage_GetImage/podman-2                           2.756k ± ∞ ¹
geomean                                                 2.633k
¹ need >= 6 samples for confidence interval at level 0.95

ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"
                                                   │ ./.tmp/benchmark-c344541.txt │
                                                   │            sec/op            │
SimpleImage_FetchSquashedContents/docker-archive-2                   20.84µ ± ∞ ¹
SimpleImage_FetchSquashedContents/podman-2                           20.43µ ± ∞ ¹
geomean                                                              20.63µ
¹ need >= 6 samples for confidence interval at level 0.95

                                                   │ ./.tmp/benchmark-c344541.txt │
                                                   │             B/op             │
SimpleImage_FetchSquashedContents/docker-archive-2                  2.648Ki ± ∞ ¹
SimpleImage_FetchSquashedContents/podman-2                          2.648Ki ± ∞ ¹
geomean                                                             2.648Ki
¹ need >= 6 samples for confidence interval at level 0.95

                                                   │ ./.tmp/benchmark-c344541.txt │
                                                   │          allocs/op           │
SimpleImage_FetchSquashedContents/docker-archive-2                    21.00 ± ∞ ¹
SimpleImage_FetchSquashedContents/podman-2                            21.00 ± ∞ ¹
geomean                                                               21.00
¹ need >= 6 samples for confidence interval at level 0.95

@spiffcs spiffcs merged commit 5841b53 into main Sep 19, 2023
6 checks passed
@spiffcs spiffcs deleted the 1544-multiple-manifest-digest branch September 19, 2023 18:31
gnmahanth pushed a commit to deepfence/stereoscope that referenced this pull request Oct 25, 2023
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Labels
enhancement New feature or request