
Use information from the package's existing SBOM #41

@bact

Description


There can be a case where there is already an SBOM in the project's path.

(For example, https://github.com/bact/sentimentdemo provides one at the root, named bom.spdx3.json.)

That SBOM could be used as another information source.

However, for an SBOM that is generated during the build process (via a Hatchling plugin, for example), the information from the build tool should take priority, as it comes from the actual build process.

There can also be an option to take the package's existing SBOM creation info (like the createdBy Agent) and use it in the generated SBOM.

Minimal SBOM fragments that record relationships between components that may not be used during a traditional build (and thus cannot be extracted at build time) may be provided in the package SBOM.
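As an added illustration of the merge rules proposed in this issue (example code, not part of the issue or of the project): build-time fields win on conflict, the existing SBOM's creation agents are carried into the output, and relationships only the package SBOM knows about are kept. The element layout is a simplified, constructed SPDX 3-style `@graph`; the ids, versions and agent names are made up, not taken from bom.spdx3.json.

```python
import copy

# Constructed sample: the SBOM shipped at the repository root.
EXISTING_SBOM = {"@graph": [
    {"type": "CreationInfo", "@id": "_:ci-pkg", "createdBy": ["Agent/maintainer"]},
    {"type": "software_Package", "spdxId": "pkg:demo", "name": "sentimentdemo",
     "software_packageVersion": "0.0.0"},
    # Runtime-only dependency that a build tool cannot observe.
    {"type": "Relationship", "spdxId": "rel:runtime-model", "relationshipType": "dependsOn",
     "from": "pkg:demo", "to": "pkg:model-weights"},
]}
# Constructed sample: the SBOM emitted by the build plugin (Hatchling, say).
BUILD_SBOM = {"@graph": [
    {"type": "CreationInfo", "@id": "_:ci-build", "createdBy": ["Agent/hatch-plugin"]},
    {"type": "software_Package", "spdxId": "pkg:demo", "name": "sentimentdemo",
     "software_packageVersion": "1.2.0"},
    {"type": "Relationship", "spdxId": "rel:build-dep", "relationshipType": "dependsOn",
     "from": "pkg:demo", "to": "pkg:requests"},
]}

def _key(el):
    # Assumed identity: SPDX elements carry spdxId; blank nodes carry @id.
    return el.get("spdxId") or el.get("@id")

def merge_sboms(existing, build):
    """Merge two SBOMs: build-time data is authoritative, package data fills gaps."""
    merged = {}
    for el in existing["@graph"]:
        if el["type"] != "CreationInfo":
            merged[_key(el)] = copy.deepcopy(el)
    for el in build["@graph"]:
        if el["type"] == "CreationInfo":
            continue
        k = _key(el)
        if k in merged:
            merged[k].update(el)            # conflicting fields: build tool wins
        else:
            merged[k] = copy.deepcopy(el)
    # Single CreationInfo: the build tool's, extended with the package's agents.
    build_ci = next(e for e in build["@graph"] if e["type"] == "CreationInfo")
    pkg_ci = next(e for e in existing["@graph"] if e["type"] == "CreationInfo")
    ci = copy.deepcopy(build_ci)
    ci["createdBy"] += [a for a in pkg_ci["createdBy"] if a not in ci["createdBy"]]
    return {"@graph": [ci, *merged.values()]}

def relationships(sbom):
    return {(e["from"], e["relationshipType"], e["to"])
            for e in sbom["@graph"] if e["type"] == "Relationship"}

def package_version(sbom, spdx_id):
    return next(e["software_packageVersion"] for e in sbom["@graph"]
                if e.get("spdxId") == spdx_id)
```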

Labels: enhancement (New feature or request)