
feat: add support of OCI tarballs #5776

Closed

Conversation

DmitriyLewen
Contributor

@DmitriyLewen DmitriyLewen commented Dec 12, 2023

Description

Buildx supports creating OCI images - https://docs.docker.com/build/exporters/oci-docker/
By default, images are compressed into tar archives.
We need to unzip the archive before reading the index.json file.

Before:

➜ docker buildx build -o type=oci,dest=image.tar .
...

➜ trivy image --input image.tar 
2023-12-12T14:51:42.742+0600	INFO	Vulnerability scanning is enabled
2023-12-12T14:51:42.743+0600	INFO	Secret scanning is enabled
2023-12-12T14:51:42.743+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-12T14:51:42.743+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2023-12-12T14:51:42.747+0600	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize the archive scanner: 2 errors occurred:
	* unable to open image.tar as a Docker image: file manifest.json not found in tar
	* unable to open image.tar as an OCI Image: stat image.tar/index.json: not a directory

After:

➜ docker buildx build -o type=oci,dest=image.tar .
...

➜ ./trivy image --input image.tar
2023-12-12T14:51:50.599+0600	INFO	Vulnerability scanning is enabled
2023-12-12T14:51:50.599+0600	INFO	Secret scanning is enabled
2023-12-12T14:51:50.599+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-12T14:51:50.599+0600	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-12-12T14:51:50.689+0600	INFO	Detected OS: alpine
2023-12-12T14:51:50.689+0600	INFO	Detecting Alpine vulnerabilities...
2023-12-12T14:51:50.692+0600	INFO	Number of language-specific files: 0

image.tar (alpine 3.18.4)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ HIGH     │ fixed  │ 3.1.3-r0          │ 3.1.4-r0      │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
│            ├───────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│            │ CVE-2023-5678 │ MEDIUM   │        │                   │ 3.1.4-r1      │ openssl: Generating excessively long X9.42 DH keys or  │
│            │               │          │        │                   │               │ checking excessively long X9.42...                     │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5678              │
├────────────┼───────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│ libssl3    │ CVE-2023-5363 │ HIGH     │        │                   │ 3.1.4-r0      │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
│            ├───────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────┤
│            │ CVE-2023-5678 │ MEDIUM   │        │                   │ 3.1.4-r1      │ openssl: Generating excessively long X9.42 DH keys or  │
│            │               │          │        │                   │               │ checking excessively long X9.42...                     │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5678              │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options).
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
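The "before" error above comes from treating image.tar as if it were an already unpacked OCI layout directory (stat image.tar/index.json). The step the PR describes, unpacking the tarball into a directory before index.json is read, is sketched below as an added example; it is not Trivy's code, and unpackOCITar, sampleOCITar, the maxBytes limit and the placeholder digest are all this example's own assumptions. Because a scanner takes archives from untrusted sources, the unpacker also refuses entries that would escape the target directory, non-regular entries such as symlinks, and oversized files.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// unpackOCITar extracts an OCI layout tarball into dst so index.json and blobs/ can be
// read as a directory. Names that are absolute or escape dst via "..", non-regular
// entries (symlinks, devices) and files over maxBytes are rejected. Needs Go 1.20+.
func unpackOCITar(r io.Reader, dst string, maxBytes int64) error {
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return err
		}
		if !filepath.IsLocal(hdr.Name) { // lexical: rejects "/x", "../x", "a/../../x"
			return fmt.Errorf("entry %q escapes %s", hdr.Name, dst)
		}
		target := filepath.Join(dst, hdr.Name)
		if hdr.Typeflag == tar.TypeDir {
			err = os.MkdirAll(target, 0o755)
		} else if hdr.Typeflag != tar.TypeReg || hdr.Size > maxBytes {
			err = fmt.Errorf("entry %q rejected (type %d, %d bytes)", hdr.Name, hdr.Typeflag, hdr.Size)
		} else if data, e := io.ReadAll(tr); e != nil { // bounded: tr stops at hdr.Size
			err = e
		} else if err = os.MkdirAll(filepath.Dir(target), 0o755); err == nil {
			err = os.WriteFile(target, data, 0o644)
		}
		if err != nil {
			return err
		}
	}
	return nil
}

// sampleOCITar is a constructed tarball holding one placeholder index.json under name.
func sampleOCITar(name string) []byte {
	body := []byte(`{"schemaVersion":2,"manifests":[{"digest":"sha256:placeholder"}]}`)
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg})
	tw.Write(body)
	tw.Close()
	return buf.Bytes()
}
```

Each entry is buffered in memory up to maxBytes before it is written; a production unpacker streaming multi-hundred-megabyte layer blobs would copy to the file directly while enforcing the same size limit.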

@DmitriyLewen DmitriyLewen self-assigned this Dec 12, 2023
@DmitriyLewen DmitriyLewen marked this pull request as ready for review December 12, 2023 11:04

This PR is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Feb 11, 2024
@github-actions github-actions bot closed this Mar 3, 2024
Successfully merging this pull request may close these issues.

feat(oci): add support OCI tarballs