Get archive image name from archive content

What does this MR do?

See original discussion regarding this implementation in !3162 (comment 2495523833).

With the implementation of Support tar file scanning (!3151 - merged) we may get scans of tar files. This results in location images set to .tar paths, both for display and for fingerprinting. This may not be ideal for some users as seeing a /path/to/tar as the image name may not be expected or preferred. This MR adds support for collecting image name information from the contents of the tar.

This MR adds archive_info.rb to analyze tar files, and scheme.rb to handle image scheme prefixes, as this is now also needed in vulnerability.rb rather than just trivy.rb.

The archive data collection functionality is:

  1. Check manifest.json (a Docker-only file). If it exists and is populated, go over the manifests until a populated 'RepoTags' is found, then return the first item in 'RepoTags'.
  2. Otherwise, check index.json (an OCI standard file). If it exists and is populated, go over each manifest in the manifests field and, if it has annotations, try to return 'io.containerd.image.name'.
  3. Otherwise, return nil, resulting in the tar path being used as the image name.

See manifest.json and index.json examples:

❯ jq . tmp/image/manifest.json
[
  {
    "Config": "blobs/sha256/116ce25a9bcb4011c5b5e51e89b7b089b4730600f755a0bee1a04e12bf165e00",
    "RepoTags": [
      "gcs:fips"
    ],
    "Layers": [
      "blobs/sha256/b2ef0aec0c615d1144042fc344d2644751157176cecd09f9fee9f771ece2e731",
      ...
      "blobs/sha256/4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1"
    ]
  }
]

❯ jq . tmp/image/index.json
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.index.v1+json",
      "digest": "sha256:20de357f6ba64c13d4adfa0ae1aaa29c0ef6cfbd16c3ccb05a3815d990d4db0a",
      "size": 856,
      "annotations": {
        "io.containerd.image.name": "docker.io/library/gcs:fips",
        "org.opencontainers.image.ref.name": "fips"
      }
    }
  ]
}
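The lookup order above, as an added example that is not the MR's archive_info.rb: the module pulls manifest.json and index.json out of a tar stream and applies steps 1 to 3, treating absent, empty or malformed metadata as "not found" so the caller falls back to the tar path. It relies on rubygems' TarReader/TarWriter; the module and method names and the in-memory tar builder are this example's own assumptions.

```ruby
require 'json'
require 'stringio'
require 'rubygems/package'
# Added example, not the MR's archive_info.rb: resolve an image name from the
# metadata files inside an image tar, following the three steps in the description.
module ArchiveImageName
  CONTAINERD_NAME = 'io.containerd.image.name'
  # Returns the image name found in the archive, or nil so the caller falls back to the tar path.
  def self.from_tar(io)
    files = read_entries(io, %w[manifest.json index.json])
    from_docker_manifest(files['manifest.json']) || from_oci_index(files['index.json'])
  end
  # Step 1: first tag of the first Docker manifest whose RepoTags is populated.
  def self.from_docker_manifest(raw)
    manifests = parse_json(raw)
    return nil unless manifests.is_a?(Array)
    hit = manifests.find { |m| m.is_a?(Hash) && m['RepoTags'].is_a?(Array) && !m['RepoTags'].empty? }
    hit && hit['RepoTags'].first
  end
  # Step 2: containerd image-name annotation on any manifest listed in the OCI index.
  def self.from_oci_index(raw)
    index = parse_json(raw)
    return nil unless index.is_a?(Hash) && index['manifests'].is_a?(Array)
    names = index['manifests'].map { |m| m.is_a?(Hash) && m['annotations'].is_a?(Hash) ? m['annotations'][CONTAINERD_NAME] : nil }
    names.find { |n| n.is_a?(String) && !n.empty? }
  end
  # Empty or malformed metadata counts as absent (step 3 fallback) rather than aborting the scan.
  def self.parse_json(raw)
    return nil if raw.nil? || raw.strip.empty?
    JSON.parse(raw)
  rescue JSON::ParserError
    nil
  end
  # Read only the wanted top-level entries from the tar stream (a leading "./" is tolerated).
  def self.read_entries(io, wanted)
    found = {}
    Gem::Package::TarReader.new(io) do |tar|
      tar.each { |e| n = e.full_name.sub(%r{\A\./}, ''); found[n] = e.read if e.file? && wanted.include?(n) }
    end
    found
  end
  # Build an in-memory tar from {name => contents}; used only to construct sample input here.
  def self.build_tar(files)
    io = StringIO.new
    Gem::Package::TarWriter.new(io) do |tar|
      files.each { |name, data| tar.add_file_simple(name, 0o644, data.bytesize) { |f| f.write(data) } }
    end
    StringIO.new(io.string)
  end
end
```

With both files present the Docker manifest wins (step 1 before step 2), and an archive carrying neither, or only unparsable metadata, yields nil.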

What are the relevant issue numbers / merge requests?

Archive File Scanning for Container Scanning (gitlab-org/gitlab#501077 - closed)

Does this MR meet the acceptance criteria?

Edited by Yasha Rise
