    Add support for importing SPDX-2.3 SBOMs · 2f0fd190
    Jamie Tanna authored
    As part of #21, we can add support for the parsing of SBOMs on the
    command-line through a new `import sbom` subcommand.
    
    Because the SBOM may not reliably tell us where it's come from
    (platform/org/repo-wise), we can require this on the command-line.
    
    Although it'd be good to use github.com/anchore/syft for the managing of
    parsing types of SBOMs, it's unfortunately blocked by [0], and is a
    fairly heavyweight library due to other functionality within it, which
    would bloat the project.
    
    Instead we can perform a lightweight version of the `formats.Identify`
    functionality to produce a consistent way to expand supported types of
    SBOMs.
    
    To start with, we can add support for SPDX-2.3 SBOMs.
    
    [0]: https://github.com/anchore/syft/issues/2112
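The identify-then-parse flow the commit message describes, as an added Go example that is not the project's own code: `Identify`, `ImportSBOM`, the `Dependency` row type and the constructed sample document are assumptions, and platform/org/repo are passed in by the caller because the SBOM does not reliably carry them.

```go
package main
import (
	"encoding/json"
	"fmt"
)
// Dependency is one importer row; platform, org and repo come from CLI flags.
type Dependency struct {
	Platform, Organisation, Repo, Package, Version string
}
type spdx23 struct { // only the SPDX-2.3 JSON fields this example needs
	SPDXVersion string `json:"spdxVersion"`
	Packages    []struct {
		Name        string `json:"name"`
		VersionInfo string `json:"versionInfo"`
	} `json:"packages"`
}

// Identify is a lightweight stand-in for syft's formats.Identify: sniff one field.
func Identify(data []byte) (string, error) {
	var probe struct{ SPDXVersion string `json:"spdxVersion"` }
	if err := json.Unmarshal(data, &probe); err != nil {
		return "", fmt.Errorf("not a JSON document: %w", err)
	}
	if probe.SPDXVersion == "SPDX-2.3" {
		return "spdx-2.3-json", nil
	}
	return "", fmt.Errorf("unsupported or unrecognised SBOM (spdxVersion=%q)", probe.SPDXVersion)
}

// ImportSBOM identifies, parses, then tags each package with the CLI-supplied origin.
func ImportSBOM(data []byte, platform, org, repo string) ([]Dependency, error) {
	var doc spdx23
	if _, err := Identify(data); err != nil {
		return nil, err
	} else if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	deps := make([]Dependency, 0, len(doc.Packages))
	for _, p := range doc.Packages {
		deps = append(deps, Dependency{platform, org, repo, p.Name, p.VersionInfo})
	}
	return deps, nil
}

// sampleSBOM is a constructed, minimal SPDX-2.3 JSON document, not real data.
const sampleSBOM = `{"spdxVersion":"SPDX-2.3","packages":[{"name":"golang.org/x/text","versionInfo":"v0.3.7"},
{"name":"github.com/stretchr/testify","versionInfo":"v1.8.4"}]}`
func main() {
	fmt.Println(ImportSBOM([]byte(sampleSBOM), "gitlab", "tanna", "example"))
}
```

Adding a further format means a new case in `Identify` plus its own parser, which is the extension point the commit message wants without depending on the whole syft library.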