[extension/bdba] - improve support for OCI-Image-Index-Artefacts

[ccwienk]

Context / Motivation

OCM-Gear-extension BDBA (or rather underlying code in cc-utils-repo) currently takes a shortcut for OCI-Image-Index-Artefacts (aka multi-arch-images). I.e. only first sub-image will be processed (ref). Considering thus-grouped images typically contain equal contents (albeit in different flavours, e.g. linux/amd64 + linux/adm64), this should be "good-enough". However, there is always the risk of missing relevant payload.

Corner Cases / Implementation Considerations

Technically-speaking, we might concatenate the layer-TARs from all corresponding sub-images and upload them as a single (TAR-)archive to BDBA. However, we will have to ensure we can discriminate findings later. This might be achieved by adding a prefix for each sub-image. This, however, might lead BDBA to reporting redundant findings for each uploaded flavour.

Therefore, prior to choosing how to upload, we need to test BDBA's behaviour, in particular whether it will implicitly group corresponding package-versions of different flavours into just one. Depending on this, we could either delegate grouping to BDBA, or should aggregate ourselves (note: we should retain information about different flavours).