Add ALPM Metadata to CYCLONEDX and SPDX output formats

[spiffcs]

What would you like to be added:
ALPM package parsing/identification has been added to Syft as of #943.

The next step is getting the metadata for those packages output into both SPDX and CycloneDX. Currently, the package metadata is only available within the SYFT-JSON format.

Why is this needed:
Information parity across formats.

Additional context:
See #943 for details on how the metadata was constructed for SYFT-JSON

[wagoodman]

The specific struct in question is https://github.com/anchore/syft/pull/943/files#diff-11846c0455726b6119b5b2e0fb893a6a56af1ed0fd2549e97ab65b0322c05cbbR15

[tgerla]

If anyone's interested in tackling this issue, you can start by looking at the structure here: https://github.com/anchore/syft/blob/main/syft/pkg/alpm_metadata.go#L17-L29

Notice that right now there is only one item with a CycloneDX tag in it: Size. Any properties that you expect to be exported to the CycloneDX output will need to have a CycloneDX tag added, like Size.

[shanedell]

@wagoodman @tgerla I would like work on this item. One question, I understand how to add the CycloneDX tag to the ALPM Metadata, however how is this done with SPDX? Does it just pick up based on CycloneDX tag? Wondering this as I didn't seem to find a spdx tag like I did for cyclonedx

[shanedell]

Would it be something like

Size         int              `mapstructure:"size" json:"size" cyclonedx:"size" spdx: "size"`

or

Size         int              `mapstructure:"size" json:"size" cyclonedx:"size" spdxjson:"size"`

?

[kzantow]

@shanedell the cyclonedx tags define which fields are output as CycloneDX properties. SPDX does not have arbitrary properties, hence does not have any tags. Each property in SPDX needs to map to a specific field in the SPDX spec, it's quite possible much of these do not.