Utilize --source-name and --source-version in syft #346

Open
nettrino opened this issue Jun 17, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@nettrino
Contributor

nettrino commented Jun 17, 2024

Description

Syft offers the following two flags which could be useful for populating metadata on how an SBOM was generated

      --source-name string                        set the name of the target being analyzed
      --source-version string                     set the version of the target being analyzed

When running syft without the above flags, a warning is emitted:

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)

It seems the flags are not really critical, but they append respective entries under "name" and "version" in the metadata>component section of the SBOM. For instance, without passing --source-name, the component name is a file path, whereas with --source-name it is whatever we pass.

Chalk could make use of that to keep the git remote URI and hash in version potentially, so as to know both the on-host path where the command ran, as well as have an authoritative entry for the exact version of the repo (with whatever additional metadata we possibly could care about, like the chalk METADATA_ID, stored directly inside the SBOM).
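To make the proposal above concrete, here is an added example that is not part of the issue and not Chalk's or syft's own code. It builds the syft argv with the two flags quoted in the issue, maps a git remote URL and commit onto them (scrubbing any embedded credentials first, since the remote URL would otherwise land in the SBOM verbatim), checks a CycloneDX document for the path-derived component name that syft falls back to, and attaches an extra key as a CycloneDX component property. The sample SBOM, the `chalk:METADATA_ID` property name, and the helper names are assumptions for illustration.

```python
"""Illustrative helpers around syft --source-name/--source-version.
Not Chalk's or syft's own code; the sample SBOM below is constructed."""
import json
import os
import shlex
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what the CycloneDX metadata.component looks like when
# a directory source is scanned WITHOUT the two flags: the name is the on-host
# path (the "deriving artifact ID from the given path" warning case).
SBOM_PATH_DERIVED = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "file",
                               "name": "/home/ci/build/myrepo",
                               "version": ""}},
    "components": [],
})


def scrub_remote_url(url):
    """Drop user:password@ from an http(s) remote so credentials never end up
    in the SBOM.  scp-style remotes (git@host:path) have no scheme and are
    returned unchanged."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def syft_argv(target, source_name, source_version, output_format="cyclonedx-json"):
    """argv for syft with an explicit source identity (flags quoted in the issue)."""
    return ["syft", target, "-o", output_format,
            "--source-name", source_name,
            "--source-version", source_version]


def syft_argv_from_git(target, remote_url, commit):
    """The mapping the issue proposes: remote URI -> --source-name,
    commit hash -> --source-version."""
    return syft_argv(target, scrub_remote_url(remote_url), commit)


def looks_path_derived(name):
    """True when a component name is the fallback syft uses: a filesystem path."""
    return (name in (".", "..") or name.startswith(("./", "../"))
            or os.path.isabs(name))


def check_sbom_source(sbom_json):
    """Inspect metadata.component of a CycloneDX SBOM; return (ok, reason)."""
    comp = json.loads(sbom_json).get("metadata", {}).get("component", {})
    name, version = comp.get("name", ""), comp.get("version", "")
    if not name:
        return False, "metadata.component.name missing"
    if looks_path_derived(name):
        return False, f"name is a path-derived artifact id: {name}"
    if not version:
        return False, "metadata.component.version empty"
    return True, f"{name}@{version}"


def add_component_property(sbom_json, prop_name, value):
    """Attach an extra key (e.g. a chalk METADATA_ID; property name assumed)
    to metadata.component.properties, replacing any existing entry."""
    doc = json.loads(sbom_json)
    comp = doc.setdefault("metadata", {}).setdefault("component", {})
    props = [p for p in comp.get("properties", []) if p.get("name") != prop_name]
    props.append({"name": prop_name, "value": value})
    comp["properties"] = props
    return json.dumps(doc)


if __name__ == "__main__":
    ok, why = check_sbom_source(SBOM_PATH_DERIVED)
    print(f"path-derived sample: ok={ok} ({why})")
    argv = syft_argv_from_git("dir:.", "https://user:tok@github.com/org/repo.git",
                              "0123456789abcdef0123456789abcdef01234567")
    print("would run:", shlex.join(argv))
```

Run it in a checkout and feed `git remote get-url origin` / `git rev-parse HEAD` into `syft_argv_from_git`; `check_sbom_source` on syft's CycloneDX output then tells you whether the component identity is the remote/commit pair or just the scan directory.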

@miki725
Contributor

miki725 commented Jun 20, 2024

Sounds like a good idea, although it will require exposing external tools con4m functions to be able to access already collected metadata.
