Support for application/vnd.oci.image.index.v1+json manifests in root OCI layout

[saisatishkarra]

What would you like to be added:
Syft expects OCI layout to contain only 1 image of mediaType application/vnd.oci.image.manifest.v1+json and doesn't support mediaType application/vnd.oci.image.index.v1+json when building a single OCI tar ball for multiple architectures

Why is this needed:
This adds an additional layer of complexity to extract the digest of each image manifest for each architecture in the application/vnd.oci.image.index.v1+json (use regctl --platform for extraction) to run the scan

Additional context:
Uploaded a demo_alpine OCI layout (single architecture and image manifest) vs demo_amazonlinux OCI layout (multiple architectures within single manifest of type application/vnd.oci.image.index.v1+json)

Current behavior:

• works for demo_alpine oci layout with single image manifest

• Fails for demo_amazonlinux with error: * failed to construct source from user input "docker-archive-demo-amz-2.tar": could not fetch image "docker-archive-demo-amz-2.tar": unable to use OciTarball source: unable to parse OCI directory as an image: unexpected media type for sha256:1ab94ef8f74d975ce5b3637944358cce8d776259f493c4d857898dbe862c1fb3: application/vnd.oci.image.index.v1+json

[moos3]

Has there been any ideas on this? This becomes important when you start using multi-platform container builds.

[nekketsuuu]

🔗 I found similar issues #1683 and anchore/stereoscope#175