cdfoundation / sig-security-sbom

SIG Security - Software Bill of Materials
Apache License 2.0

Clarify Document artifacts attribute semantics #9

Open goneall opened 4 years ago

goneall commented 4 years ago

Clarify the semantics of the artifacts/documentDescribes in the Document as to whether this association is just for the artifacts described by the document or ALL artifacts contained within the SBOM.

SPDX uses a similar documentDescribes attribute to describe the Artifacts the document is describing. The documentDescribes does not include all artifacts included in the document (e.g. if the Document is describing a package and that package contains files, the files will be included in the document but would not be part of the documentDescribes attribute).

Propose artifacts/documentDescribes having the same semantics as SPDX.

CASTResearchLabs commented 4 years ago

In the current proposition, the "artifacts" were the pieces of software the "Document" is providing visibility about, even if limited (e.g., limited to the fields from the "Artifact" class alone), and the "referencedArtifacts" from the "Document" were only references to pieces of software that are useful in the context of the "Document" to define relationships, activities, etc., but they are outside the perimeter of the "Document". To reuse the example from the previous comment, if the Document is describing a package and that package contains files, the files will also be included in the document but would not be part of the artifacts attribute; they would be part of the files attribute of the Artifacts from the artifacts attribute of the Document.
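The distinction both comments above draw (the elements a document *describes* versus every element it *contains*) is easiest to see on a concrete document. The following is an added example, not code from the sig-security-sbom repository: it builds a small SPDX 2.2-style JSON document (constructed sample data) with one package that contains two files, separates the `documentDescribes` set from the full set of elements, and runs the consistency checks a consumer could apply. The field names (`documentDescribes`, `hasFiles`, `relationships` with `DESCRIBES`/`CONTAINS`) follow the SPDX 2.2 JSON format; the "orphan element" check at the end is this example's own heuristic, not an SPDX rule.

```python
import json

# Constructed SPDX 2.2-style document (sample data, not from the repository):
# the document DESCRIBES one package, and that package CONTAINS two files.
# The files are in the document but are deliberately NOT in documentDescribes.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.2",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-sbom",
  "documentDescribes": ["SPDXRef-Package-example"],
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-example",
      "name": "example",
      "versionInfo": "1.0.0",
      "hasFiles": ["SPDXRef-File-main", "SPDXRef-File-util"]
    }
  ],
  "files": [
    {"SPDXID": "SPDXRef-File-main", "fileName": "./src/main.c"},
    {"SPDXID": "SPDXRef-File-util", "fileName": "./src/util.c"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-Package-example"},
    {"spdxElementId": "SPDXRef-Package-example", "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-File-main"},
    {"spdxElementId": "SPDXRef-Package-example", "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-File-util"}
  ]
}
"""


def load_document(text=SAMPLE_SPDX_JSON):
    """Parse an SPDX JSON document into a dict."""
    return json.loads(text)


def described_ids(doc):
    """The elements the document is *about*: the documentDescribes set."""
    return set(doc.get("documentDescribes", []))


def all_element_ids(doc):
    """Every package and file element present anywhere in the document."""
    ids = {p["SPDXID"] for p in doc.get("packages", [])}
    ids |= {f["SPDXID"] for f in doc.get("files", [])}
    return ids


def contained_not_described(doc):
    """Elements carried by the document that documentDescribes does not name."""
    return all_element_ids(doc) - described_ids(doc)


def containment_edges(doc):
    """(container, contained) pairs from CONTAINS relationships and hasFiles."""
    edges = set()
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "CONTAINS":
            edges.add((rel["spdxElementId"], rel["relatedSpdxElement"]))
    for pkg in doc.get("packages", []):
        for fid in pkg.get("hasFiles", []):
            edges.add((pkg["SPDXID"], fid))
    return edges


def check_document_describes(doc):
    """Return a list of consistency problems (empty list means the document is consistent).

    Checks: every described ID exists; DESCRIBES relationships from the document
    agree with documentDescribes; and (heuristic, not an SPDX rule) every element
    is either described or transitively contained by a described element.
    """
    problems = []
    elements = all_element_ids(doc)
    described = described_ids(doc)

    for sid in described:
        if sid not in elements:
            problems.append(f"documentDescribes refers to unknown element {sid}")

    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DESCRIBES" and rel["spdxElementId"] == doc["SPDXID"]:
            if rel["relatedSpdxElement"] not in described:
                problems.append(
                    f"DESCRIBES relationship to {rel['relatedSpdxElement']} "
                    "is not reflected in documentDescribes")

    # Walk containment from the described elements to find orphans.
    edges = containment_edges(doc)
    reachable = set(described)
    frontier = set(described)
    while frontier:
        nxt = {child for parent, child in edges if parent in frontier} - reachable
        reachable |= nxt
        frontier = nxt
    for sid in sorted(elements - reachable):
        problems.append(f"{sid} is neither described nor contained by a described element")
    return problems


if __name__ == "__main__":
    doc = load_document()
    print("described:", sorted(described_ids(doc)))
    print("contained but not described:", sorted(contained_not_described(doc)))
    print("problems:", check_document_describes(doc))
```

Run on the sample, `described_ids` yields only the package while `contained_not_described` yields the two files, which is exactly the SPDX reading goneall proposes for `artifacts`/`documentDescribes`; appending a file that no described package contains makes the orphan check report it, which is the kind of drift a consumer would want flagged before trusting the SBOM's scope.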

goneall commented 4 years ago

@CASTResearchLabs thanks for the additional explanation.