What would you like to be added:
Syft currently inspects and surfaces a number of different packages inside a container given specific cataloger rules.
Some current vulnerability datasets mark the container itself as vulnerable with identifying purls going only as far as the metadata that's found in a docker inspect or skopeo inspect command:
Syft should start surfacing the scanned container as its own package type in the final SBOM to help with matching against these kinds of vulnerability records.
Why is this needed:
Better cataloging of the actual images being scanned as the "root" or vulnerable node in an SBOM.
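As an added example (not Syft's code and not part of this issue), the following Go program shows one way the scanned image could be derived from `docker inspect` / `skopeo inspect`-style metadata and emitted as the root component of the SBOM, using the purl spec's `oci` type (`pkg:oci/<name>@<digest>?repository_url=…&tag=…&arch=…`). The `inspectOutput` field subset, the `ImagePackage` type, the `sbomWithRoot` helper and the sample digest are constructed assumptions for illustration; the CycloneDX fragment is hand-built here, not produced by Syft's encoder.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// inspectOutput is the subset of `docker inspect` / `skopeo inspect` fields this
// example consumes. The field set is an assumption for illustration; real output
// carries many more keys.
type inspectOutput struct {
	RepoTags     []string `json:"RepoTags"`
	RepoDigests  []string `json:"RepoDigests"`
	Architecture string   `json:"Architecture"`
}

// ImagePackage is a hypothetical package record for the scanned image itself.
type ImagePackage struct {
	Name          string // image name, lowercased (purl "name")
	Version       string // manifest digest (purl "version")
	RepositoryURL string
	Tag           string
	Arch          string
	PURL          string
}

// splitTag separates "registry:port/repo:tag" into repo and tag, tolerating a
// port in the registry host and a missing tag.
func splitTag(ref string) (repo, tag string) {
	i := strings.LastIndex(ref, ":")
	if i < 0 || strings.Contains(ref[i:], "/") {
		return ref, ""
	}
	return ref[:i], ref[i+1:]
}

// imageFromInspect derives the root image package from inspect-style JSON and
// builds a pkg:oci purl: name@digest plus sorted repository_url/tag/arch
// qualifiers, with the ':' in the digest percent-encoded as the purl spec shows.
func imageFromInspect(raw []byte) (ImagePackage, error) {
	var in inspectOutput
	if err := json.Unmarshal(raw, &in); err != nil {
		return ImagePackage{}, err
	}
	// A tag alone is mutable; without a registry digest there is no stable
	// identity to match vulnerability records against, so refuse to guess.
	if len(in.RepoDigests) == 0 {
		return ImagePackage{}, fmt.Errorf("no RepoDigests: cannot build a stable purl")
	}
	repo, digest, ok := strings.Cut(in.RepoDigests[0], "@")
	if !ok || !strings.HasPrefix(digest, "sha256:") {
		return ImagePackage{}, fmt.Errorf("unexpected RepoDigests entry %q", in.RepoDigests[0])
	}
	img := ImagePackage{
		Name:          strings.ToLower(repo[strings.LastIndex(repo, "/")+1:]),
		Version:       digest,
		RepositoryURL: repo,
		Arch:          in.Architecture,
	}
	// Take the tag from a RepoTags entry naming the same repository; docker may
	// list the short form ("alpine:3.19") while the digest carries the full path.
	for _, t := range in.RepoTags {
		r, tag := splitTag(t)
		if tag != "" && (r == repo || strings.HasSuffix(repo, "/"+r)) {
			img.Tag = tag
			break
		}
	}
	qualifiers := []string{"repository_url=" + repo}
	if img.Tag != "" {
		qualifiers = append(qualifiers, "tag="+img.Tag)
	}
	if img.Arch != "" {
		qualifiers = append(qualifiers, "arch="+img.Arch)
	}
	sort.Strings(qualifiers) // purl qualifiers are sorted by key
	img.PURL = "pkg:oci/" + img.Name + "@" + strings.ReplaceAll(digest, ":", "%3A") +
		"?" + strings.Join(qualifiers, "&")
	return img, nil
}

// sbomWithRoot renders a minimal CycloneDX-shaped document (constructed here, not
// Syft's encoder) with the image as metadata.component and every catalogued
// package hanging off it, so a matcher sees the image as the root node.
func sbomWithRoot(img ImagePackage, pkgPURLs []string) ([]byte, error) {
	doc := map[string]any{
		"bomFormat":   "CycloneDX",
		"specVersion": "1.5",
		"metadata": map[string]any{
			"component": map[string]any{
				"type":    "container",
				"name":    img.Name,
				"version": img.Version,
				"purl":    img.PURL,
				"bom-ref": img.PURL,
			},
		},
		"dependencies": []map[string]any{
			{"ref": img.PURL, "dependsOn": pkgPURLs},
		},
	}
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep '&' in purl qualifiers readable
	enc.SetIndent("", "  ")
	if err := enc.Encode(doc); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// sampleInspect is constructed input; the digest is a placeholder, not a real image.
const sampleInspect = `{
  "RepoTags": ["alpine:3.19"],
  "RepoDigests": ["docker.io/library/alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"],
  "Architecture": "amd64"
}`

func main() {
	img, err := imageFromInspect([]byte(sampleInspect))
	if err != nil {
		panic(err)
	}
	out, _ := sbomWithRoot(img, []string{"pkg:apk/alpine/musl@1.2.4-r2?arch=x86_64"})
	fmt.Println(string(out))
}
```

The digest, not the tag, is the version in the purl because a tag can be re-pointed after a record is published; an image with no `RepoDigests` (for example one only built locally) is rejected rather than given a purl that could never match a registry-published record.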
I would be interested in having the base images as separate components within the SBOM as well. This might allow vuln mgt tools to distinguish what came with the base image from what was added later. Suspect this really needs to come from the build tools unless Syft can identify the base layers.