Fix segfault when no attestations are found

[steiza]

Summary

Fixes #4468.

Not that this does not implement cosign save with the new attestations (as described in #4470), but at least it won't segfault.

Release Note

• Fixed segfault with subcommands verify and verify-attestation when called with --local-image=true and no attestations were found

Documentation

N/A

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 35.38%. Comparing base (2ef6022) to head (40ee4d2).
⚠️ Report is 561 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4472      +/-   ##
==========================================
- Coverage   40.10%   35.38%   -4.72%     
==========================================
  Files         155      220      +65     
  Lines       10044    15163    +5119     
==========================================
+ Hits         4028     5366    +1338     
- Misses       5530     9109    +3579     
- Partials      486      688     +202     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[cmurphy]

Can you add a test?

[steiza]

Can you add a test?

Unit tests here are going to be tricky, as the functions we're modifying are expecting an OCI registry to interact with. The end-to-end tests did catch a bug in my initial implementation! I believe the existing end-to-end tests have some coverage of this version of the changes with things like

cosign/test/e2e_test.go

Line 1385 in ae3eecb

mustErr(verifyAttestation.Exec(ctx, []string{imgName}), t)

.