Since SBOMs are becoming more and more important and prominent for describing exactly what was used to build the software and what was finally packaged into the software product, it should be possible to handle SBOMs with the OCM CLI. The Zarf project has similar functionality for its packages: https://docs.zarf.dev/ref/sboms/. The tool to be used for creating the SBOM should be https://github.com/anchore/syft. It is able to create SBOMs in various formats and for various sources, e.g. container images, files or folders.
Required features:
- [ ] Add an SBOM for the resources of an OCM component (to be discussed: follow component references to be able to create an SBOM for e.g. a product component that only contains references and no resources of its own)
- [ ] Show an existing SBOM of an OCM component version (this should also work if the SBOM was not created with the OCM CLI) in an "SBOM Viewer"
- [ ] Compare SBOMs between two different component versions. This should be done based on the JSON output Syft generates.
GCP manages SBOMs and provides surrounding tooling. It might be sufficient to (primarily) only generate SBOMs, which can later on be viewed and compared with GCP tooling or by other means.
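As an added illustration of the "compare SBOMs between two component versions" feature (example code, not part of this issue or the OCM CLI): a package-level diff over the `artifacts` array of two Syft JSON documents. The two sample documents are constructed here and trimmed to the `name`, `version` and `type` fields Syft emits per artifact; real Syft output carries many more fields, which the diff ignores.

```python
import json

# Constructed sample Syft JSON documents, cut down to the `artifacts` fields the diff reads.
OLD_SBOM = """{"artifacts": [
  {"name": "openssl", "version": "3.0.2",   "type": "deb"},
  {"name": "curl",    "version": "7.81.0",  "type": "deb"},
  {"name": "lodash",  "version": "4.17.20", "type": "npm"}]}"""
NEW_SBOM = """{"artifacts": [
  {"name": "openssl", "version": "3.0.13",  "type": "deb"},
  {"name": "curl",    "version": "7.81.0",  "type": "deb"},
  {"name": "zlib",    "version": "1.2.13",  "type": "deb"}]}"""


def index_packages(raw: str) -> dict:
    """Map "type:name" -> version for every artifact in a Syft JSON document.

    Keying on the package type as well as the name keeps e.g. a deb package and
    an npm package that happen to share a name from colliding. A missing
    version (Syft can emit an empty one) is treated as "".
    """
    doc = json.loads(raw)
    return {f"{a['type']}:{a['name']}": a.get("version", "") for a in doc["artifacts"]}


def diff_sboms(old_raw: str, new_raw: str) -> dict:
    """Compare two Syft JSON SBOMs by package identity and version.

    Returns packages only present in the old SBOM, only in the new one, and
    those present in both with a changed version (key -> (old, new)).
    Results are sorted so the report is deterministic, e.g. for CI gating.
    """
    old, new = index_packages(old_raw), index_packages(new_raw)
    return {
        "removed": sorted(k for k in old if k not in new),
        "added": sorted(k for k in new if k not in old),
        "changed": {k: (old[k], new[k]) for k in sorted(old) if k in new and old[k] != new[k]},
    }


if __name__ == "__main__":
    for kind, entries in diff_sboms(OLD_SBOM, NEW_SBOM).items():
        print(kind, entries)
```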