
Feat/multiple equivalent images SBOM poc #2467

Draft: wants to merge 1 commit into base branch main

Conversation

robert-cronin (Collaborator) commented Jan 28, 2025

Description of the PR

Partial fix for #2387

The main idea in this PR is to detect if an image being ingested has an SBOM that describes the same digest but has a different image URI, and then create an IsOccurrence edge between them in a hub-and-spoke pattern (the hub being the Artifact node and the spokes being the Package nodes).

Note: this is just a POC, presumably we would want the reference attestations to be pre-created and therefore simply ingested instead of being created in a certifier-like way. That is my current best thinking, but I am open to alternate ways to achieve this.

PR Checklist

  • All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
  • All new changes are covered by tests
  • If GraphQL schema is changed, make generate has been run
  • If GraphQL schema is changed, GraphQL client updates/additions have been made
  • If OpenAPI spec is changed, make generate has been run
  • If ent schema is changed, make generate has been run
  • If collectsub protobuf has been changed, make proto has been run
  • All CI checks are passing (tests and formatting)
  • All dependent PRs have already been merged
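The hub-and-spoke matching the description sketches, as an added illustration that is not code from this PR or from the project: an in-memory index (hypothetical, standing in for the graph store) that, on each ingested SBOM subject, checks whether the same digest was already seen under a different image URI and, if so, returns the IsOccurrence edges that attach every URI of that digest to the shared Artifact hub. Image URIs and digests below are constructed sample values.

```go
package main

import (
	"fmt"
	"sort"
)

// IsOccurrence links a Package node (image URI, a spoke) to the Artifact
// node (content digest, the hub) it is an occurrence of.
type IsOccurrence struct {
	PackageURI     string
	ArtifactDigest string
}

// Index is a hypothetical in-memory stand-in for the graph store; it is
// not a GUAC API. It remembers the URIs seen per digest and the edges
// already created, so re-ingesting the same SBOM creates nothing new.
type Index struct {
	urisByDigest map[string]map[string]bool
	linked       map[IsOccurrence]bool
}

func NewIndex() *Index {
	return &Index{urisByDigest: map[string]map[string]bool{}, linked: map[IsOccurrence]bool{}}
}

// Ingest records one SBOM subject (uri, digest). On the first sighting of a
// digest there is nothing to relate yet. Once a second, different URI
// describes the same digest, every URI of that digest is attached to the
// Artifact hub; the edges not yet present are returned, sorted by URI.
func (ix *Index) Ingest(uri, digest string) []IsOccurrence {
	if ix.urisByDigest[digest] == nil {
		ix.urisByDigest[digest] = map[string]bool{}
	}
	ix.urisByDigest[digest][uri] = true
	if len(ix.urisByDigest[digest]) < 2 {
		return nil
	}
	var created []IsOccurrence
	for u := range ix.urisByDigest[digest] {
		e := IsOccurrence{PackageURI: u, ArtifactDigest: digest}
		if !ix.linked[e] {
			ix.linked[e] = true
			created = append(created, e)
		}
	}
	sort.Slice(created, func(i, j int) bool { return created[i].PackageURI < created[j].PackageURI })
	return created
}

func main() {
	ix := NewIndex()
	d := "sha256:placeholder-digest" // constructed, not a real digest
	fmt.Println(ix.Ingest("ghcr.io/org/app:1.0", d))                // no edges yet
	fmt.Println(ix.Ingest("registry.example/mirror/app:1.0", d))   // two edges
	fmt.Println(ix.Ingest("ghcr.io/org/app:1.0", d))                // nothing new
}
```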

@robert-cronin robert-cronin self-assigned this Jan 28, 2025
Signed-off-by: robert-cronin <robert.owen.cronin@gmail.com>
@robert-cronin robert-cronin force-pushed the feat/multiple-equivalent-images-sbom-poc branch from 9e2bd89 to 007bc05 on January 29, 2025 22:51
robert-cronin (Collaborator, Author) commented:

Here is a rough diagram showing the logic I am trying to model with this approach:
[image: Untitled]
