in-toto / go-witness

Go implementation of witness
Apache License 2.0

feat(sbom-attestor): add SBOM attestor for SPDX and CycloneDX formats #231

Closed colek42 closed 4 days ago

colek42 commented 4 weeks ago

This adds an SBOM attestor, and a check for those MIME types. It supports both SPDX and CycloneDX in JSON format.

colek42 commented 4 weeks ago

This allows us to do links like query for SBOMs and generate vuln reports.

➜  go-witness git:(feat/sbom-attestor) ✗ curl https://archivista.testifysec.io/download/b0accc787c8c45c1d90f52575f5ab2b672a7b5bd71948525f6e1c930f2362fc1 | jq -r '.payload' | base64 -d | jq -r '.predicate.attestations[] | select(.type == "https://witness.dev/attestations/sbom/v0.1").attestation.sbomDocument' | grype   

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3371k    0 3371k    0     0  4641k      0 --:--:-- --:--:-- --:--:-- 4637k
NAME                      INSTALLED  FIXED-IN  TYPE       VULNERABILITY        SEVERITY 
github.com/gin-gonic/gin  v1.7.7     1.9.0     go-module  GHSA-3vp4-m3rf-835h  Medium    
github.com/gin-gonic/gin  v1.7.7     1.9.1     go-module  GHSA-2c4m-59x9-fr2g  Medium
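The attestor in this PR recognises SPDX and CycloneDX JSON documents, and the jq pipeline above pulls `sbomDocument` out of every SBOM attestation in the downloaded envelope before handing it to grype. The Go program below is an added example, not go-witness code, that does the same two steps offline: it sniffs a JSON document for the `spdxVersion` / `bomFormat` markers to assign a MIME type, and it walks a DSSE-style envelope whose statement has the same `predicate.attestations[].attestation.sbomDocument` layout the jq query relies on. The MIME type constants, the `SBOM` / `ExtractSBOMs` names, the placeholder non-SBOM attestation type and the sample envelope are assumptions made for this example; only the `https://witness.dev/attestations/sbom/v0.1` type string comes from the thread.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Attestation type string as used in the jq query on this PR.
const SBOMAttestationType = "https://witness.dev/attestations/sbom/v0.1"

// MIME types this example assigns to JSON SBOMs (assumed for the example).
const (
	MIMESPDXJSON      = "application/spdx+json"
	MIMECycloneDXJSON = "application/vnd.cyclonedx+json"
)

// DetectSBOMFormat sniffs a JSON document and returns the MIME type for it.
// SPDX JSON carries a top-level "spdxVersion"; CycloneDX JSON carries
// "bomFormat": "CycloneDX" plus a "specVersion".
func DetectSBOMFormat(doc []byte) (string, error) {
	var probe struct {
		SPDXVersion string `json:"spdxVersion"`
		BOMFormat   string `json:"bomFormat"`
		SpecVersion string `json:"specVersion"`
	}
	if err := json.Unmarshal(doc, &probe); err != nil {
		return "", fmt.Errorf("sbom document is not valid JSON: %w", err)
	}
	switch {
	case strings.HasPrefix(probe.SPDXVersion, "SPDX-"):
		return MIMESPDXJSON, nil
	case probe.BOMFormat == "CycloneDX" && probe.SpecVersion != "":
		return MIMECycloneDXJSON, nil
	}
	return "", errors.New("document is neither SPDX nor CycloneDX JSON")
}

// envelope is the subset of a DSSE envelope this example reads.
type envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // standard base64, as `base64 -d` expects
}

// statement mirrors the path used by the jq query: .predicate.attestations[].attestation.sbomDocument
type statement struct {
	Predicate struct {
		Attestations []struct {
			Type        string `json:"type"`
			Attestation struct {
				SBOMDocument json.RawMessage `json:"sbomDocument"`
			} `json:"attestation"`
		} `json:"attestations"`
	} `json:"predicate"`
}

// SBOM is one extracted document with its detected MIME type.
type SBOM struct {
	MIME string
	Doc  []byte
}

// ExtractSBOMs decodes the envelope payload and returns every SBOM attestation
// it contains. Non-SBOM attestations are skipped; an SBOM attestation without a
// recognisable document is an error rather than silently dropped.
func ExtractSBOMs(envelopeJSON []byte) ([]SBOM, error) {
	var env envelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return nil, fmt.Errorf("envelope: %w", err)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload base64: %w", err)
	}
	var stmt statement
	if err := json.Unmarshal(payload, &stmt); err != nil {
		return nil, fmt.Errorf("statement: %w", err)
	}
	var out []SBOM
	for i, a := range stmt.Predicate.Attestations {
		if a.Type != SBOMAttestationType {
			continue
		}
		if len(a.Attestation.SBOMDocument) == 0 {
			return nil, fmt.Errorf("attestation %d has no sbomDocument", i)
		}
		mime, err := DetectSBOMFormat(a.Attestation.SBOMDocument)
		if err != nil {
			return nil, fmt.Errorf("attestation %d: %w", i, err)
		}
		out = append(out, SBOM{MIME: mime, Doc: a.Attestation.SBOMDocument})
	}
	return out, nil
}

// SampleEnvelope builds a constructed envelope with one SPDX and one CycloneDX
// attestation around an unrelated placeholder attestation (all sample data).
func SampleEnvelope() []byte {
	spdx := json.RawMessage(`{"spdxVersion":"SPDX-2.3","dataLicense":"CC0-1.0","SPDXID":"SPDXRef-DOCUMENT","name":"sample","packages":[{"name":"github.com/gin-gonic/gin","versionInfo":"v1.7.7"}]}`)
	cdx := json.RawMessage(`{"bomFormat":"CycloneDX","specVersion":"1.4","version":1,"components":[{"type":"library","name":"github.com/gin-gonic/gin","version":"v1.7.7"}]}`)
	stmt := map[string]any{
		"_type": "https://in-toto.io/Statement/v0.1",
		"predicate": map[string]any{
			"attestations": []map[string]any{
				{"type": SBOMAttestationType, "attestation": map[string]any{"sbomDocument": spdx}},
				{"type": "https://example.invalid/attestations/placeholder/v0.1", "attestation": map[string]any{"note": "not an SBOM"}},
				{"type": SBOMAttestationType, "attestation": map[string]any{"sbomDocument": cdx}},
			},
		},
	}
	payload, _ := json.Marshal(stmt)
	env, _ := json.Marshal(envelope{PayloadType: "application/vnd.in-toto+json", Payload: base64.StdEncoding.EncodeToString(payload)})
	return env
}

func main() {
	sboms, err := ExtractSBOMs(SampleEnvelope())
	if err != nil {
		panic(err)
	}
	for _, s := range sboms {
		fmt.Printf("%s (%d bytes)\n", s.MIME, len(s.Doc))
	}
}
```

Each `Doc` returned here is the same JSON the jq pipeline pipes into grype, so a scanner can be run per document with the right content type; the MIME check failing closed on an unrecognised document is deliberate, since an SBOM attestation that carries something other than SPDX or CycloneDX should surface as an error rather than vanish from the vulnerability report.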

jkjell commented 4 days ago

Continuing work on this attestor this week. I'll close this PR for now until the changes are ready for review.