Stereoscope shouldn't generate its own OCI manifests #83

Open
luhring opened this issue Oct 29, 2021 · 0 comments
Labels
bug Something isn't working

luhring commented Oct 29, 2021

What happened:

Stereoscope generates OCI manifests for images from the Docker "tarball provider", for which stereoscope doesn't have access to OCI manifests. See: https://github.com/anchore/stereoscope/blob/main/pkg/image/docker/tarball_provider.go#L69

What you expected to happen:

Stereoscope should not attempt to generate OCI manifests — it should capture and surface an image's OCI manifest if it already exists, or it should accept that there is no OCI manifest available.

Generated manifests (and the resulting manifest digests) are non-authoritative, and they don't fulfill all of a user's expectations for consuming an OCI manifest, such as using the manifest's digest to identify and retrieve OCI images. It's not clear what value generated OCI manifests add to users, and we're finding that they can even be confusing and problematic for users (see anchore/grype#435).

How to reproduce it (as minimally and precisely as possible):

I've created an example that calls stereoscope's stereoscope.GetImage function and prints out the manifest data:

https://github.com/luhring/stereoscope/blob/show-manifest-info-for-image-from-docker/examples/manifest_info.go

Steps:

  1. Ensure that the Docker daemon is available on your local machine.
  2. Check out luhring/stereoscope to the branch show-manifest-info-for-image-from-docker.
  3. Run go run ./examples/manifest_info.go <image>, for an image reference like ubuntu:latest.
  4. Try to use the reported manifest digest to find or retrieve the image you just analyzed. (E.g. the digest I get is sha256:aac1b1ac3ff329b251d567fba305a8212d1159a706ce038f24f0adc2b996680f.)
  5. Observe that no image can be found for this digest.
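
An added illustration, not part of the original issue and not stereoscope's code: a manifest digest is the SHA-256 of the manifest's exact bytes, so a manifest that is re-encoded rather than captured gets a new digest even when its content is unchanged. The manifest bytes, placeholder digests and function names below are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"reflect"
)

type descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}
type manifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Config        descriptor   `json:"config"`
	Layers        []descriptor `json:"layers"`
}

// Constructed sample of manifest bytes as a registry might serve them; digests are placeholders.
const registryBytes = `{
  "schemaVersion": 2, "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {"mediaType": "application/vnd.docker.container.image.v1+json", "size": 1457, "digest": "sha256:aaaa"},
  "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", "size": 28567101, "digest": "sha256:bbbb"}]
}`

// digestOf returns the content address of the exact bytes given.
func digestOf(raw []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(raw)) }

// regenerate decodes and re-encodes a manifest, the best case for a tool without the original bytes.
func regenerate(raw []byte) (out []byte, same bool, err error) {
	var before, after manifest
	if err = json.Unmarshal(raw, &before); err != nil {
		return nil, false, err
	}
	out, _ = json.Marshal(before) // cannot fail for this plain struct
	err = json.Unmarshal(out, &after)
	return out, err == nil && reflect.DeepEqual(before, after), err
}

func main() {
	regen, same, err := regenerate([]byte(registryBytes))
	if err != nil {
		panic(err)
	}
	fmt.Printf("content unchanged: %v\nregistry:    %s\nregenerated: %s\n", same, digestOf([]byte(registryBytes)), digestOf(regen))
}
```

The two digests differ although the decoded content is identical, so only a digest computed over the bytes the registry actually served can be used to look the image up again.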