
feat: Add support for multiple attestation output formats #4942

Open
Pyronewbic wants to merge 2 commits into anchore:main from Pyronewbic:support-spdx-and-cyclonedx-attestation

Conversation

@Pyronewbic


Allow syft attest to accept multiple -o flags (e.g. -o spdx-json -o cyclonedx-json) so users can generate attestations in several SBOM formats from a single invocation. The SBOM is cataloged once and each format gets its own cosign attestation with the appropriate predicate type.

Description

Allow syft attest to accept multiple -o flags so users can generate attestations in several SBOM formats from a single invocation:

# before: two separate commands
syft attest --key k image -o cyclonedx-json
syft attest --key k image -o spdx-json

# after: one command
syft attest --key k image -o cyclonedx-json -o spdx-json

The SBOM is cataloged once. Each output format gets its own temp file and cosign invocation with the appropriate predicate type. Fails fast on the first format error.

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Issue references:

Closes #4938

Test evidence
$ go test -v ./cmd/syft/internal/commands/... -run "Test_attest|Test_predicate"
=== RUN   Test_attestSingleFormat
--- PASS: Test_attestSingleFormat (0.00s)
=== RUN   Test_attestCommand
=== RUN   Test_attestCommand/with_key_and_password
=== RUN   Test_attestCommand/keyless
=== RUN   Test_attestCommand/spdx-json_format
=== RUN   Test_attestCommand/cyclonedx-json_format
--- PASS: Test_attestCommand (0.01s)
    --- PASS: Test_attestCommand/with_key_and_password (0.00s)
    --- PASS: Test_attestCommand/keyless (0.00s)
    --- PASS: Test_attestCommand/spdx-json_format (0.00s)
    --- PASS: Test_attestCommand/cyclonedx-json_format (0.00s)
=== RUN   Test_predicateType
=== RUN   Test_predicateType/cyclonedx-json
=== RUN   Test_predicateType/spdx-tag-value
=== RUN   Test_predicateType/spdx-tv
=== RUN   Test_predicateType/spdx-json
=== RUN   Test_predicateType/json
=== RUN   Test_predicateType/syft-json
--- PASS: Test_predicateType (0.00s)
    --- PASS: Test_predicateType/cyclonedx-json (0.00s)
    --- PASS: Test_predicateType/spdx-tag-value (0.00s)
    --- PASS: Test_predicateType/spdx-tv (0.00s)
    --- PASS: Test_predicateType/spdx-json (0.00s)
    --- PASS: Test_predicateType/json (0.00s)
    --- PASS: Test_predicateType/syft-json (0.00s)
=== RUN   Test_attestCLIWiring
=== RUN   Test_attestCLIWiring/key_flag_is_accepted
[0000]  INFO syft version: testing
=== RUN   Test_attestCLIWiring/key_password_is_read_from_env
[0000]  INFO syft version: testing
--- PASS: Test_attestCLIWiring (0.01s)
    --- PASS: Test_attestCLIWiring/key_flag_is_accepted (0.00s)
    --- PASS: Test_attestCLIWiring/key_password_is_read_from_env (0.00s)
PASS
ok    github.com/anchore/syft/cmd/syft/internal/commands      1.155s

Manual test against a local registry:

$ syft attest --key cosign.key localhost:5050/test-image:latest -o spdx-json -o cyclonedx-json
Attestation(s) created, please check your registry for the output or use the cosign command:
cosign download attestation localhost:5050/test-image:latest

$ cosign verify-attestation --key cosign.pub --type spdxjson localhost:5050/test-image:latest
Verification for localhost:5050/test-image:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

$ cosign verify-attestation --key cosign.pub --type cyclonedx localhost:5050/test-image:latest
Verification for localhost:5050/test-image:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key
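The fan-out described in the PR (catalog once, one temp predicate file and one cosign call per format, stop at the first error), written as an added Go example that is not the PR's code. The encoder and the attester are hypothetical stand-ins injected as functions so the flow runs offline; the predicate type URIs are the in-toto identifiers I assume cosign's `cyclonedx` and `spdxjson` types resolve to.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// In-toto predicate type URIs behind cosign's "cyclonedx" and "spdxjson"
// attestation types (assumed from cosign's documented constants, not from syft).
var predicateTypes = map[string]string{
	"cyclonedx-json": "https://cyclonedx.org/bom",
	"spdx-json":      "https://spdx.dev/Document",
}

// Encoder renders the already-cataloged SBOM in one format; Attester signs and
// uploads one predicate file. Both are hypothetical stand-ins for syft's encoders
// and the per-format cosign invocation, so the control flow can be tested offline.
type Encoder func(format string) ([]byte, error)
type Attester func(predicateType, predicatePath string) error

// attestAll writes each requested format to its own temp file and attests it with
// the matching predicate type, stopping at the first error. It returns the
// predicate types attested so far, in order, so a caller can see what was published.
func attestAll(formats []string, enc Encoder, attest Attester) ([]string, error) {
	dir, err := os.MkdirTemp("", "syft-attest-")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir) // predicate files are scratch; never leave them behind
	var done []string
	for _, f := range formats {
		pt, ok := predicateTypes[f]
		if !ok {
			return done, fmt.Errorf("format %q has no attestation predicate type", f)
		}
		sbom, err := enc(f)
		if err != nil {
			return done, fmt.Errorf("encode %s: %w", f, err)
		}
		path := filepath.Join(dir, f+".predicate")
		if err := os.WriteFile(path, sbom, 0o600); err != nil {
			return done, err
		}
		if err := attest(pt, path); err != nil {
			return done, fmt.Errorf("attest %s: %w", f, err)
		}
		done = append(done, pt)
	}
	return done, nil
}
```

Because the loop returns after the first failure, a wrong or unsupported `-o` value in the middle of the list still leaves the earlier formats attested; verifiers should therefore check for each expected `--type` rather than assume all-or-nothing.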

Allow `syft attest` to accept multiple `-o` flags (e.g. `-o spdx-json -o cyclonedx-json`)
so users can generate attestations in several SBOM formats from a single invocation.
The SBOM is cataloged once and each format gets its own cosign attestation with the
appropriate predicate type.

Closes anchore#4938

Signed-off-by: Pyronewbic <kan.nam.dev@gmail.com>
@Pyronewbic changed the title from "Add support for multiple attestation output formats" to "feat: Add support for multiple attestation output formats" on May 26, 2026
Signed-off-by: Pyronewbic <kan.nam.dev@gmail.com>

Linked issue (may be closed by merging this pull request): Multiple attestation type support