
Document how cran_pkg_sbom() works

Open sneumann opened this issue 1 year ago • 0 comments

Hi, currently it is a bit unclear how cran_pkg_sbom() works. Does it statically describe a package's dependencies and the versions available on CRAN at one point in time? Or does it evaluate the installed dependencies? The distinction is also important because installed versions of dependencies can change afterwards, and because neither src packages nor the platform-specific binary packages include the dependencies. Hence, please also document the recommended practice for using it, i.e. should it be used in a Dockerfile, where it can nicely document the SBOM at build time? Yours, Steffen

sneumann, Feb 09 '23 08:02