Add support for dependencies and purl for Native Image SBOMs

[rudsberg]

Description

This PR adds support for the "dependencies" and "purl" fields in SBOMs embedded in Native Images. These fields will be included in SBOMs starting from GraalVM for JDK 24.

Other fixes:

• Resolves empty package ID warnings by setting the package ID. For example, warnings like the one below were previously emitted for valid SBOM components.

[0000]  WARN found package with empty ID while adding to the collection: Pkg(name="commons-validator" version="1.9.0" type="graalvm-native-image" id="")

• Added support for including the component listed under metadata/component in "components".
  Note: While such a component ideally belong under metadata/component, the Cataloger interface ([]pkg.Package, []artifact.Relationship, error) does not allow specifying that.

Type of change

• New feature (non-breaking change which adds functionality)

Checklist:

• Added unit tests for new behavior
• Tested common scenarios to prevent regressions
• Added code comments for complex sections

[kzantow]

Thanks for the contribution, @rudsberg -- overall this looks great, I'm debating whether it's important enough to centralize the CycloneDX -> Syft data model using the format package. I think that would be the only hold up, though

[kzantow]

🎉