
package_info should have a field for the vendor sbom

Open aiuto opened this issue 1 year ago • 1 comment

Some packages include an SBOM produced by the publisher. We should be able to represent that in package_info.

aiuto avatar May 18 '23 04:05 aiuto

Has there been any thought given to a design here? Should it be part of package_info, or a new rule? I was thinking of a new package_sbom rule, for example, and it could take SBOM filename(s) and perhaps an optional format specifier (for example, the various syft output formats?). These could then be used like package_info, in that they are applied to a set of targets via either the package rule's default_applicable_licenses or through an explicit entry in a target's applicable_license attribute. This could then be gathered when traversing the targets and then somehow (tbd) integrated into the final output. If that final output is spdx, then perhaps an spdx input would be an externalRefs. Or perhaps it could be integrated directly into the final output as an option.

billie-alsup avatar Nov 03 '23 23:11 billie-alsup
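A sketch of the package_sbom rule proposed in the comment above, added here as an illustration and not code from rules_license or from either commenter. The provider name PackageSbomInfo, the rule name package_sbom, its attributes and the format list are all hypothetical; only default_applicable_licenses is an existing rules_license mechanism.

```starlark
# sbom.bzl -- hypothetical sketch of the proposed package_sbom rule.

# Provider carrying a vendor-supplied SBOM so it can be collected by an
# aspect or gatherer alongside PackageInfo when targets are traversed.
PackageSbomInfo = provider(
    doc = "Vendor-supplied SBOM document(s) attached to a target.",
    fields = {
        "files": "depset of File: the SBOM document(s) shipped by the publisher",
        "format": "string: declared SBOM format, used when merging into final output",
    },
)

# Hypothetical closed list of accepted formats; restricting values lets the
# gatherer reject unknown formats at analysis time instead of at merge time.
_SBOM_FORMATS = ["spdx-json", "spdx-tag-value", "cyclonedx-json", "cyclonedx-xml"]

def _package_sbom_impl(ctx):
    return [PackageSbomInfo(
        files = depset(ctx.files.sbom_files),
        format = ctx.attr.format,
    )]

package_sbom = rule(
    implementation = _package_sbom_impl,
    attrs = {
        "sbom_files": attr.label_list(
            allow_files = True,
            mandatory = True,
            doc = "SBOM document(s) produced by the package publisher.",
        ),
        "format": attr.string(
            default = "spdx-json",
            values = _SBOM_FORMATS,
            doc = "Format of sbom_files; see _SBOM_FORMATS.",
        ),
    },
)

# BUILD of a vendored package (hypothetical usage). The package_sbom target is
# listed in default_applicable_licenses so every target in the package
# inherits it, exactly as package_info targets are applied today.
#
#   load(":sbom.bzl", "package_sbom")
#
#   package(default_applicable_licenses = [":license", ":vendor_sbom"])
#
#   package_sbom(
#       name = "vendor_sbom",
#       sbom_files = ["vendor/sbom.spdx.json"],
#       format = "spdx-json",
#   )
```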