Closed
Description
Chainloop supports some generic formats like SARIF, CycloneDX, SPDX and CSAF, which are supported by several tools. However, most of those tools have their own interpretation of some fields (for example, SARIF vulnerability severity might differ between Trivy and Grype, or some custom properties, like image layer information, are only present in Trivy CDX reports).
The idea is to extract the vendor (and potentially the version) during the crafting stage. This will be useful to policy writers for creating conditional logic in their Rego scripts, mostly in ATTESTATION policies that would otherwise need to access the material content.
Eventually, we could enhance the policy selectors to query these additional fields to enable or disable the policy for the given material.
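As an added illustration of the crafting-stage extraction proposed above (example code, not Chainloop's own), the function below sniffs which of the generic formats a report is in and pulls the producing tool's name/version from the place each format keeps it. It assumes the standard locations: `runs[0].tool.driver` for SARIF, `metadata.tools` for CycloneDX (an array in 1.4, an object with `components` in 1.5), and a `Tool: name-version` creator entry for SPDX; CSAF is left out, and the `Tool` type and `DetectTool` name are the example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"strings"
)

// Tool is the producer metadata a crafting step could attach to a material (constructed type).
type Tool struct{ Format, Vendor, Name, Version string }

// DetectTool sniffs the report format and pulls the producing tool from that format's metadata.
func DetectTool(raw []byte) (Tool, error) {
	var doc struct { // encoding/json matches keys case-insensitively, so no tags are needed
		Runs         []struct{ Tool struct{ Driver Tool } } // SARIF
		BomFormat    string                                  // CycloneDX
		Metadata     struct{ Tools json.RawMessage }         // CycloneDX
		SPDXVersion  string                                  // SPDX
		CreationInfo struct{ Creators []string }             // SPDX
	}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return Tool{}, err
	}
	switch {
	case len(doc.Runs) > 0: // SARIF: runs[0].tool.driver.{name,version}
		d := doc.Runs[0].Tool.Driver
		return Tool{Format: "SARIF", Name: d.Name, Version: d.Version}, nil
	case doc.BomFormat == "CycloneDX": // 1.4: tools is an array; 1.5: {components: [...]}
		var nested struct{ Components []Tool }
		if json.Unmarshal(doc.Metadata.Tools, &nested) != nil { // not the 1.5 shape, try the 1.4 array
			_ = json.Unmarshal(doc.Metadata.Tools, &nested.Components)
		}
		if len(nested.Components) > 0 {
			t := nested.Components[0]
			t.Format = "CycloneDX"
			return t, nil
		}
	case doc.SPDXVersion != "": // SPDX: creationInfo.creators holds e.g. "Tool: trivy-0.45.0"
		for _, c := range doc.CreationInfo.Creators {
			if n, ok := strings.CutPrefix(c, "Tool: "); ok {
				t := Tool{Format: "SPDX", Name: n}
				if i := strings.LastIndex(n, "-"); i > 0 { // version follows the last hyphen
					t.Name, t.Version = n[:i], n[i+1:]
				}
				return t, nil
			}
		}
	}
	return Tool{}, errors.New("unrecognised report or no tool metadata")
}
```

The returned `Tool` is the kind of value a policy selector or an attestation-level Rego rule could branch on without opening the material itself.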