feat: report unknowns in sbom #2998

Draft: wants to merge 14 commits into main
Conversation

kzantow (Contributor) commented Jun 26, 2024

This PR adds information to the file model which allows surfacing "unknowns". Previously, when scanning a source, Syft ran a number of catalogers which created packages from the files found. If an error happened, packages simply were not created, and some logging about the error occurred. With this change, many of these errors are returned and added as context to the files output in the SBOM. Examples of "unknowns" included by this PR:

  • executable files which did not result in identified packages
  • archives which were not scanned, or did not result in packages identified
  • errors when reading information such as invalid JSON, or corrupted binary ELF data
  • ...

This PR has a set of post-cataloging steps that perform the following:

  • identify archives in the scan target which do not have packages reported, and label them as unknowns
  • remove all unknowns from files which have locations present in packages (in other words: only leave files labeled as unknowns which have no packages)

NOTE: if you would like to experiment with this, you can select the locations and unknowns from the Syft JSON like this:

go run ./cmd/syft maven:latest -o json | jq '.files.[]|select(.unknowns)|{location,unknowns}'

TODO:

  • configuration
  • assess if the unknowns in this PR are useful (e.g. python unable to parse lines in requirements.txt; and should these be retained even though packages were identified?)
  • add test coverage

Fixes: #518
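As an added illustration of the two post-cataloging steps listed above (this is not Syft's code: the record types, the archive-suffix list and the unknown message text are assumptions made for the example), in Go:

```go
package main

import "strings"

// Constructed stand-ins for SBOM file and package records (not Syft's own types).
type FileEntry struct {
	Location string
	Unknowns []string
}

type Package struct {
	Name      string
	Locations []string
}

// Assumed archive suffixes to flag when no package was produced from the file.
var archiveSuffixes = []string{".jar", ".war", ".zip", ".tar.gz", ".tgz"}

func isArchive(location string) bool {
	for _, s := range archiveSuffixes {
		if strings.HasSuffix(strings.ToLower(location), s) {
			return true
		}
	}
	return false
}

// PostProcessUnknowns applies the two post-cataloging steps from the PR text:
// flag archives that yielded no packages, then clear unknowns from every file
// whose location is claimed by at least one package.
func PostProcessUnknowns(files []FileEntry, pkgs []Package) []FileEntry {
	claimed := map[string]bool{}
	for _, p := range pkgs {
		for _, loc := range p.Locations {
			claimed[loc] = true
		}
	}
	out := make([]FileEntry, 0, len(files))
	for _, f := range files {
		unknowns := append([]string(nil), f.Unknowns...) // copy; never alias the input
		switch {
		case claimed[f.Location]:
			unknowns = nil // a package explains this file, so drop its unknowns
		case isArchive(f.Location):
			unknowns = append(unknowns, "archive was not scanned or produced no packages")
		}
		out = append(out, FileEntry{Location: f.Location, Unknowns: unknowns})
	}
	return out
}
```

Files left with a non-empty Unknowns slice are exactly the ones the jq filter above would select.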

Signed-off-by: Keith Zantow <kzantow@gmail.com>
@github-actions github-actions bot added the json-schema Changes the json schema label Jun 26, 2024
Labels
json-schema Changes the json schema
Linked issue (closed by merging this pull request): Report known unknowns directly in the output SBOM (#518)