Description
We can use the new SLSA provenance attestations to extract source information from an image.
Example use cases:
- Provide a more accurate image history view (e.g. on hub)
We should provide a way to look up build step identifiers (e.g. sha256 digests, DiffIDs, stage numbers, etc.) in the sourcemap and return the LLB used to build it, as well as the source mapping for the original component. I think it should be valid to allow a flexible lookup using different types of identifiers for this?
If SLSA provenance isn't available, we should provide fallbacks using the image config history. We can't reconstruct the LLB, but we can make some guesses as to the original source code and build steps using the layers, though this is definitely outside the initial scope.
For example, a struct might look something like this:
```go
package image

import "github.com/opencontainers/go-digest"

type Image struct {
	// ...
	BuildSteps []BuildStep
}

// BuildStepIdentifier could be an interface or similar that could be the sha256
// digest of the layer, the DiffID for that layer, the stage name for that layer, etc.
type BuildStepIdentifier interface{}

// GetBuildStep is a helper utility to get a BuildStep using a BuildStepIdentifier.
func (img Image) GetBuildStep(id BuildStepIdentifier) BuildStep { ... }

type BuildStep struct {
	Digest digest.Digest
	DiffID digest.Digest
	Stage  string // e.g. stage0
	LLB    // representation still to be decided
	Source // representation still to be decided
}
```

Ideally, if we can, we should represent Source in a VCS-rich way, so not only should it be possible to get the string that represents that snippet, but if we have Git metadata, we can attempt to link it back to source.
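One way to implement the flexible lookup proposed above, as an added example rather than the project's own code. It assumes a plain string `Digest` type in place of `digest.Digest`, one Go type per identifier kind (`LayerDigest`, `DiffID`, `StageName`), and byte/string placeholders for the `LLB` and `Source` fields, none of which the sketch fixes:

```go
package main

import "fmt"

// Digest stands in for digest.Digest (opencontainers/go-digest); assumed here
// so the example needs only the standard library.
type Digest string
// One type per identifier kind, so a lookup never confuses a layer digest
// with a DiffID or a stage name that happens to share its spelling.
type (
	LayerDigest Digest
	DiffID      Digest
	StageName   string
)

// Any identifier kind that can match itself against a step is accepted.
type BuildStepIdentifier interface{ matches(BuildStep) bool }

func (d LayerDigest) matches(s BuildStep) bool { return s.Digest == Digest(d) }
func (d DiffID) matches(s BuildStep) bool      { return s.DiffID == Digest(d) }
func (n StageName) matches(s BuildStep) bool   { return s.Stage == string(n) }

type BuildStep struct {
	Digest Digest
	DiffID Digest
	Stage  string
	LLB    []byte // marshalled LLB definition (assumed representation)
	Source string // source snippet the step came from (assumed representation)
}
type Image struct{ BuildSteps []BuildStep }

// GetBuildStep resolves any supported identifier, or errors if none matches.
func (img Image) GetBuildStep(id BuildStepIdentifier) (BuildStep, error) {
	for _, s := range img.BuildSteps {
		if id.matches(s) {
			return s, nil
		}
	}
	return BuildStep{}, fmt.Errorf("no build step matches %v", id)
}
// SampleImage is constructed test data, not real provenance output.
var SampleImage = Image{BuildSteps: []BuildStep{
	{Digest: "sha256:1111", DiffID: "sha256:aaaa", Stage: "stage0", Source: "FROM alpine"},
	{Digest: "sha256:2222", DiffID: "sha256:bbbb", Stage: "stage1", Source: "RUN apk add curl"},
}}
func main() {
	s, err := SampleImage.GetBuildStep(DiffID("sha256:bbbb"))
	fmt.Println(s.Stage, s.Source, err) // prints "stage1 RUN apk add curl <nil>"
}
```

Because each identifier kind is its own type, a digest string passed as the wrong kind fails to match rather than silently resolving to a different step.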