Update scan-logic stage to replace ORAS
Details
Need to update the scan-logic stage to reflect the replacement of ORAS artifacts with Cosign attestations.
Once #669 (closed) is complete...
- Update scan-logic to use new Cosign module
- Implement attestation parsing to obtain sbom & access log
- Simplify/refactor as necessary (take a look at Tim's notes below)
- Remove ORASArtifact class from Artifacts module
Cosign attestation parsing command
# Download every attestation attached to the image, base64-decode each DSSE
# payload (an in-toto statement) and write it out as pretty-printed JSON.
count=0
for att in $(cosign download attestation harbor-ib-zelda.staging.dso.mil/ironbank/opensource/thanos/thanos@sha256:a742c6d48a539163d7ccc7ee53ac114cd70cd92cedeb88956f7462dabb704bb4 | jq -r .payload); do
  count=$((count+1))
  echo "$att" | base64 --decode | jq . > "att-$count.json"
done
Additional notes from Tim:
So Cosign does throw an error if you try to upload an empty file as a predicate, but since the predicate that the access_log is in is the hardening_manifest.json we're creating, there will be an "access_log" key in the attestation JSON; it may just be empty. So however we rewrite the rescan logic, it will need to take that into consideration.
Really, for resiliency's sake, we should probably have checks in place for the existence of keys in the rescan logic so if at some point we decide to stop including access_log if it's empty, we don't wind up breaking rescan.
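An added example (not the pipeline's own code) of the attestation parsing the checklist and Tim's note call for: it decodes the DSSE envelopes that `cosign download attestation` prints one per line, then pulls the SBOM and the access_log out with explicit key checks so a missing or empty access_log does not break rescan. The predicateType URIs, the sample envelopes and the subject digest are constructed assumptions, not Iron Bank's real values.

```python
import base64
import json

# Constructed sample: build DSSE envelopes shaped like the lines that
# `cosign download attestation <image>` emits (payload = base64 in-toto statement).
def _envelope(predicate_type, predicate):
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": "example/image", "digest": {"sha256": "0" * 64}}],
        "predicate": predicate,
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})

# Assumed predicateType URIs for illustration only.
SBOM_TYPE = "https://spdx.dev/Document"
MANIFEST_TYPE = "https://example.com/hardening_manifest"

SAMPLE_OUTPUT = "\n".join([
    _envelope(SBOM_TYPE, {"spdxVersion": "SPDX-2.3", "packages": []}),
    _envelope(MANIFEST_TYPE, {"apiVersion": "v1", "access_log": []}),  # key present, empty
])

def parse_attestations(text):
    """Decode each non-empty DSSE envelope line into its in-toto statement dict."""
    statements = []
    for line in text.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements

def extract_rescan_inputs(statements, sbom_type=SBOM_TYPE, manifest_type=MANIFEST_TYPE):
    """Return (sbom, access_log). sbom is None if no SBOM attestation was found;
    access_log is always a list, so a missing or empty key never breaks rescan."""
    sbom = None
    access_log = []
    for statement in statements:
        predicate = statement.get("predicate") or {}
        if statement.get("predicateType") == sbom_type:
            sbom = predicate
        elif statement.get("predicateType") == manifest_type:
            # .get() tolerates the key being absent; `or []` normalises an empty value
            access_log = list(predicate.get("access_log") or [])
    return sbom, access_log
```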
Edited by Cody Miller