Currently, we first report x86 and then ARM vulnerabilities. The vulnerabilities are deduplicated, which means vulnerabilities in ARM images that are also present in x86 won't get reported twice. Both sets of vulnerabilities get reported to the same branch in SecObserve, e.g. airflow-operator 24.7.0. That way, we don't miss any vulnerabilities. Vulnerabilities present only in ARM images will just be appended to the list of x86 vulnerabilities.
But:
- We can't determine which vulnerabilities are present only in x86
- We can't make different assessments per architecture for a vulnerability
- Branches in SecObserve don't match our image versions: In SecObserve, we have a branch like airflow-operator 24.7.0, while we have two image versions (24.7.0-amd64 and 24.7.0-arm64). In SecObserve, we want branches to have a PURL, because this PURL is later used for the published assessments in CSAF ("we made this assessment for [PURL for airflow-operator 24.7.0]"). We could generate a PURL for the manifest list, but it's better to be specific and provide the architecture as well, since that way we can reference the image (instead of a manifest list), which is what's actually running in a cluster.
To do:
- [x] Fix versions in SBOMs of operator images (they currently don't include architecture)