Create SBOM using Syft

[Brend-Smits]

The SBOM is created using tooling from Anchore, called Syft. Syft was chosen because of the ease of use and the good integration with our tech stack.
I think this could have been a separate step in the workflow, but in the end, I chose not to go this route. The reason being is that it will be a lot of repeating the same code and will raise a new problem that we have to upload a temporary artifact or pass along a different output (which may have issues being passed around since the SBOM's can be relatively large in size).

This PR also removes the filter sbom spdx.

[codecov]

Codecov Report

Merging #134 (30cbe62) into main (91684f3) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #134   +/-   ##
=======================================
  Coverage   77.54%   77.54%           
=======================================
  Files          15       15           
  Lines         610      610           
=======================================
  Hits          473      473           
  Misses         97       97           
  Partials       40       40           

Flag	Coverage Δ
unittests	77.54% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 91684f3...30cbe62. Read the comment docs.

[marcofranssen]

Looks good, still would like to check using crane and local commandline from a created draft release using the current state of the PR all this sboms and things are accordingly released to ensure also the goreleaser configs are accurate.

[Brend-Smits]

https://github.com/philips-labs/slsa-provenance-action/runs/5235719140?check_suite_focus=true
Feel free to test with Crane @marcofranssen
It's ready for merge. On merge, please Squash the commits.