feat(cyclonedx): add file checksums to CycloneDX reports

[Churro]

Description

When creating SBOMs from JAR archives, the CycloneDX currently doesn't include file checksums, although they're available internally. For SPDX, checksums are included since #3888. This PR supplements file checksums for CycloneDX SBOMs.

I'm not aware how this could be tested but I have verified that there are marshalling tests for CycloneDX that ensure hashes are correctly encoded.

To provide a before / after example setup:

$ wget https://repo1.maven.org/maven2/com/google/guava/guava/33.3.0-jre/guava-33.3.0-jre.jar
$ trivy rootfs guava-33.3.0-jre.jar --format cyclonedx

Before this PR, the components section of this SBOM looked like this:

  "components": [
    {
      "bom-ref": "pkg:maven/com.google.guava/guava@33.3.0-jre",
      "type": "library",
      "group": "com.google.guava",
      "name": "guava",
      "version": "33.3.0-jre",
      "purl": "pkg:maven/com.google.guava/guava@33.3.0-jre",
      "properties": [
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "guava-33.3.0-jre.jar"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "jar"
        }
      ]
    }
  ]

After this PR, the output also includes a hashes section with the SHA-1 digest of the guava JAR:

  "components": [
    {
      "bom-ref": "pkg:maven/com.google.guava/guava@33.3.0-jre",
      "type": "library",
      "group": "com.google.guava",
      "name": "guava",
      "version": "33.3.0-jre",
      "hashes": [
        {
          "alg": "SHA-1",
          "content": "13b4d0924e6023eda04b4c7aa83b32dfedf735a7"
        }
      ],
      "purl": "pkg:maven/com.google.guava/guava@33.3.0-jre",
      "properties": [
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "guava-33.3.0-jre.jar"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "jar"
        }
      ]
    }
  ]

Related issues

None

Related PRs

• fix(sbom): add checksum to files #3888

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[Churro]

@knqyf263 or @DmitriyLewen, I understand that this PR came unrequested but it would be highly appreciated if you could dedicate some time to review it 😊

[knqyf263]

Thanks for your contribution. I've merged the main branch to resolve flaky tests due to GHCR rate limits. The test is failing now.