sbom: add initial CycloneDX format support for attestation layer#6877

Open: echeng3805 wants to merge 1 commit into moby:master from echeng3805:echeng3805/cyclonedx-sbom

Conversation

@echeng3805


Initial PR for issue #6665: "BuildKit + CycloneDX SBOM Integration"

This PR extends the SBOM scanner protocol to support CycloneDX JSON alongside SPDX. Previously, HasSBOM and CreateSBOMScanner hardcoded intoto.PredicateSPDX, which meant CycloneDX output from a scanner would result in an error: "ERROR: failed to build: failed to solve: bundle entry https://cyclonedx.org/bom does not match required predicate type https://spdx.dev/Document"

The PredicateType in CreateSBOMScanner is now left empty so the unbundler can detect the format from the predicateType field in the scanner's JSON output and attach the attestation with the correct predicate type (https://spdx.dev/Document or https://cyclonedx.org/bom). HasSBOM is updated via a new IsSBOMPredicateType helper to recognize both formats.

Scanners may write .cdx.json files to $BUILDKIT_SCAN_DESTINATION; the existing .spdx.json convention is unchanged.

Note: This PR doesn't create parity with SPDX within BuildKit, since there are additional actions BuildKit performs to enhance the SPDX SBOM. However, this PR is meant to be a first "pass-through" step to integrating CycloneDX SBOMs.

Example

  1. Build with SBOM scanning; the scanner (can be a custom scanner) should generate a CycloneDX SBOM.

  docker buildx build \
      --builder custom-buildkit \
      --sbom=generator=[ScannerDockerImage] \
      --build-arg BUILDKIT_SBOM_SCAN_CONTEXT=true \
      --output type=image,name=host.docker.internal:5001/test:sbom,push=true \
      [SampleRepo]

  2. Inspect using imagetools:

  $ docker buildx imagetools inspect localhost:5001/test:sbom

Name:      localhost:5001/test:sbom
MediaType: application/vnd.oci.image.index.v1+json
Digest:    sha256:01fce5a7dcbeda2fb135a071a5b146dd1c87480aca09405d2b25e0470d5ca449
           
Manifests: 
  Name:        localhost:5001/test:sbom@sha256:840f4796abf11546307bbc3d22e433d1fad85b1f0a3f1934d9a432d7563c9ba8
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    linux/arm64
               
  Name:        localhost:5001/test:sbom@sha256:d7b037748e6d25a94d1d2d5146fc105db1b8809b8438ac3760d999aedb3dc32f
  MediaType:   application/vnd.oci.image.manifest.v1+json
  Platform:    unknown/unknown
  Annotations: 
    vnd.docker.reference.type:   attestation-manifest
    vnd.docker.reference.digest: sha256:840f4796abf11546307bbc3d22e433d1fad85b1f0a3f1934d9a432d7563c9ba8
  3. Inspect using curl:

  $ curl -s -H "Accept: application/vnd.oci.image.manifest.v1+json" "http://localhost:5001/v2/test/manifests/sha256:d7b037748e6d25a94d1d2d5146fc105db1b8809b8438ac3760d999aedb3dc32f" | jq .

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
      "mediaType": "application/vnd.oci.image.config.v1+json",
      "digest": "sha256:c8e03515df34e77c8efe510c04db1ee2b354093ad1e7662af915d381efb50999",
      "size": 315
  },
  "layers": [
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:a320d745453d0ced56440b38ecd0ef25becc8c84f2837557f2ee6a17d01f44ea",
      "size": 5935194,
      "annotations": {
        "in-toto.io/predicate-type": "https://cyclonedx.org/bom"
      }
    },
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:a320d745453d0ced56440b38ecd0ef25becc8c84f2837557f2ee6a17d01f44ea",
      "size": 5935194,
      "annotations": {
        "in-toto.io/predicate-type": "https://cyclonedx.org/bom"
      }
    },
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:c7bd9af483756387a7e7e66d4a0130614f71413d9e1daafd8ea690d9344fed9e",
      "size": 1729,
      "annotations": {
        "in-toto.io/predicate-type": "https://slsa.dev/provenance/v1"
      }
    }
  ]
}

Note: in-toto.io/predicate-type is https://cyclonedx.org/bom, not https://spdx.dev/Document.

  4. Compare with an SPDX SBOM; a curl on an image that has an SPDX SBOM attestation layer looks like this:

  $ curl -s -H "Accept: application/vnd.oci.image.manifest.v1+json" "http://localhost:5001/v2/test/manifests/sha256:89209cf7b7b11ce8cb106037d4704b2f5d1f622c740e3f256c930f597c4f9e8a" | jq .

{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:5f893ec2bf87fe48524dc373048ce9ddb0f965ce7714e8039d06c42dbc258b04",
    "size": 315
  },
  "layers": [
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:8e1c807efbe9f679bb81bb7d071f1b9c78f14dd99d84a2a9aeecbe4de4ab17e8",
      "size": 12519811,
      "annotations": {
        "in-toto.io/predicate-type": "https://spdx.dev/Document"
      }
    },
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:8e1c807efbe9f679bb81bb7d071f1b9c78f14dd99d84a2a9aeecbe4de4ab17e8",
      "size": 12519811,
      "annotations": {
        "in-toto.io/predicate-type": "https://spdx.dev/Document"
      }
    },
    {
      "mediaType": "application/vnd.in-toto+json",
      "digest": "sha256:7e58ce181478a6e37bb936e870369d06702c3cac02b2359f5e45aaacbef7c32a",
      "size": 2022,
      "annotations": {
        "in-toto.io/predicate-type": "https://slsa.dev/provenance/v1"
      }
    }
  ]
}

Signed-off-by: Ev Cheng <ev_cheng@apple.com>
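Format detection as the PR describes it, written as an added standalone Go example (not BuildKit's code and not from the PR's diff): the scanner's in-toto statement is parsed, its predicateType field decides the format, and a helper modelled on the IsSBOMPredicateType described above accepts only the two SBOM URIs while rejecting anything else (such as a provenance predicate). The constant names, the exact-string-match behaviour and the sample statements are assumptions constructed here.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Predicate type URIs as they appear in the in-toto.io/predicate-type annotations above.
const (
	PredicateSPDX      = "https://spdx.dev/Document"
	PredicateCycloneDX = "https://cyclonedx.org/bom"
)

// IsSBOMPredicateType accepts either SBOM predicate type. Assumed to be a plain
// string match, modelled on the helper the PR describes; this is not BuildKit's code.
func IsSBOMPredicateType(pt string) bool {
	return pt == PredicateSPDX || pt == PredicateCycloneDX
}

// statement is the subset of an in-toto Statement that format detection needs.
type statement struct {
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// DetectSBOMPredicate reads the scanner's JSON output, takes the format from its
// predicateType field, and rejects anything that is not SPDX or CycloneDX.
func DetectSBOMPredicate(raw []byte) (string, error) {
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return "", fmt.Errorf("scanner output is not a JSON in-toto statement: %w", err)
	}
	if st.PredicateType == "" {
		return "", errors.New("scanner output has no predicateType field")
	}
	if !IsSBOMPredicateType(st.PredicateType) {
		return "", fmt.Errorf("bundle entry %s is not a supported SBOM predicate type", st.PredicateType)
	}
	return st.PredicateType, nil
}

// Constructed sample scanner outputs (not taken from the page).
var (
	cdxStatement  = []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://cyclonedx.org/bom","subject":[],"predicate":{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}}`)
	spdxStatement = []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://spdx.dev/Document","subject":[],"predicate":{"spdxVersion":"SPDX-2.3","packages":[]}}`)
	slsaStatement = []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v1","subject":[],"predicate":{}}`)
)
```

With the predicate type taken from the statement rather than hardcoded, a CycloneDX scanner output no longer trips the "does not match required predicate type https://spdx.dev/Document" error quoted above, while non-SBOM predicates are still refused.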
echeng3805 force-pushed the echeng3805/cyclonedx-sbom branch from 55a1d6d to 6f82ce6 on June 16, 2026 at 17:05.