Use image catalogers #37
@jedevc could you take a look at this here, please?
    // Enable all the image catalogers to mimic the same cataloging behavior as syft running on an image
    config := cataloger.DefaultConfig()
    catalogers := cataloger.ImageCatalogers(config)
So because we also support scanning directories in the form of the build context using BUILDKIT_SBOM_SCAN_CONTEXT (see https://docs.docker.com/build/attestations/sbom/#arguments), I wonder if we'd stop detecting things from there that we might have otherwise found.
Would AllCatalogers present problems? Curious if maybe the same packages might be duplicated or something like that?
Alternatively, we could make changes to try and indicate to the scanner which of the directories is the context, so we could apply a different scanner? Though this requires some more significant changes to buildkit.
I can run some experiments and see what the results are with AllCatalogers
That would be super helpful 👍 We have some examples in the examples/ directory, that might be interesting to you.
ping @cdupuis did you manage to take a look at this?
As a concrete example of where ImageCatalogers causes a regression: if I have a local context that contains go.mod, ImageCatalogers won't detect any go packages, while DirectoryCatalogers and AllCatalogers do. IMO we probably want to be able to detect this case?
dd21216 to 783fcfc
783fcfc to 0c30256
0c30256 to f435073
@jedevc I've pushed another update to get to the latest version of Syft with all the PRs merged we need. With this, the SBOMs (e2e tests as well as manual tests) are looking good.
Can you rebase this onto master? I've just merged #46 🙏
f435073 to c770900
This pull request switches from the directory layout catalogers to explicitly use the image layout catalogers to align BuildKit SBOMs with ones created post-build.
This PR also records file relationships for package files that aren't recorded already so that we can keep track of layer information.