Add spdxjson predicate type for attestations

[jdolitsky]

Related to #1954

In attempt to dive deeper into the SBOM structure in attestations, added new predicate type "spdxjson" which allows us to apply Cue policies against inner fields in JSON-formatted SPDX documents. For example:

predicate: {
    Data: {
        spdxVersion: "SPDX-2.2"
    }
}

In the case of the "spdx" type, the Data field is just a string which prevents further progress on this.

It's still not 100% clear how Cue can be used to detect a specific package version within an SBOM, but this gets us one step further. Happy to follow up with "cyclone" predicate type too.

[codecov-commenter]

Codecov Report

Merging #1974 (5f3486d) into main (2ef684f) will not change coverage.
The diff coverage is 50.00%.

@@           Coverage Diff           @@
##             main    #1974   +/-   ##
=======================================
  Coverage   34.66%   34.66%           
=======================================
  Files         152      152           
  Lines       10090    10090           
=======================================
  Hits         3498     3498           
  Misses       6222     6222           
  Partials      370      370           

Impacted Files	Coverage Δ
cmd/cosign/cli/options/predicate.go	0.00% <0.00%> (ø)
pkg/policy/attestation.go	43.03% <0.00%> (ø)
...s/policy/v1alpha1/clusterimagepolicy_validation.go	94.97% <100.00%> (ø)
...is/policy/v1beta1/clusterimagepolicy_validation.go	94.97% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2ef684f...5f3486d. Read the comment docs.

[developer-guy]

Approve party! Great work @jdolitsky 👏