Update sbom comparison job to validate multiple sboms

Overview

This MR:

1. updates the sbom-comparison job to validate SBOMs across multiple directories instead of the single root path.

• The existing validation only checked the root-level SBOM file, which contains no components. This made the test ineffective - it was passing without actually validating any reachability analysis results.

2. updates expectations - there is a bug in the DS analyzer that caused partial results here in the past (more context here).

Related issue: DS: Fix java reachability E2E tests (gitlab-org/gitlab#577752) • Orin Naaman • 18.6