
Write out the "supplier" to SBOM formats #7449

Open
sschuberth opened this issue Sep 4, 2023 · 2 comments
Labels
enhancement Issues that are considered to be enhancements model About the data model

Comments

@sschuberth
Member

sschuberth commented Sep 4, 2023

Originating from this comment (and a later update), the NTIA minimum elements call for supplier information, and both CycloneDX and SPDX provide corresponding fields. However, there is no strict definition of what the "supplier" of an Open Source package should be. In particular, the "supplier" should not be the hosting website of a package.

That said, I'm proposing the following logic to deduce the supplier (try in order, first match wins):

  • For package managers that support it, use the organization name or similar (see e.g. Maven).
  • Use the namespace of a package if it contains "com" or "org" and is not a recognized VcsHost.
  • Use the author / developer if there's only a single one; prefer its organization (if supported by the package manager, see e.g. Maven) over its name.

Implementing this probably requires introducing a dedicated "organization" field to the Package model; currently, e.g. the Maven-provided organization is simply added to the set of authors.
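
The three rules above as runnable code, an added example that is neither part of ORT (which is written in Kotlin) nor of this issue: a small Python model of a package that applies the rules in order and emits an SPDX-style supplier string. `VCS_HOSTS`, `Package`, `Author` and `parse_author` are assumptions standing in for ORT's data model and its VcsHost.

```python
import re
from dataclasses import dataclass, field

# Forge hosts whose namespace segments name a user or group, not a supplier.
# Assumed list for this example, standing in for ORT's recognized VcsHosts.
VCS_HOSTS = {"github", "gitlab", "bitbucket", "codeberg", "sourceforge"}


@dataclass
class Author:
    name: str
    organization: str = ""  # e.g. Maven <developer><organization>, if given


@dataclass
class Package:
    namespace: str = ""     # e.g. Maven groupId or npm scope (assumed field)
    organization: str = ""  # e.g. Maven <project><organization><name>
    authors: list[Author] = field(default_factory=list)


def parse_author(raw: str) -> Author:
    """Turn a "Name <email>" author string into an Author; the e-mail is dropped."""
    return Author(name=re.sub(r"\s*<[^>]*>\s*$", "", raw).strip())


def deduce_supplier(pkg: Package) -> str:
    """Try the proposed rules in order, first match wins.

    Returns an SPDX-style supplier value ("Organization: ..." or
    "Person: ...") or "NOASSERTION" when no rule applies.
    """
    # 1. Organization provided by the package manager itself (e.g. Maven).
    if pkg.organization:
        return f"Organization: {pkg.organization}"
    # 2. Reverse-DNS namespace containing "com" or "org", unless any segment
    #    is a forge host (com.github.<user> is a hosting site, not a supplier).
    parts = {p for p in pkg.namespace.lower().split(".") if p}
    if parts & {"com", "org"} and not parts & VCS_HOSTS:
        return f"Organization: {pkg.namespace}"
    # 3. Exactly one author: prefer its organization over its personal name.
    if len(pkg.authors) == 1:
        author = pkg.authors[0]
        if author.organization:
            return f"Organization: {author.organization}"
        return f"Person: {author.name}"
    # Several authors (as in a multi-maintainer PyPI package) or no data at all.
    return "NOASSERTION"
```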

@sschuberth sschuberth added enhancement Issues that are considered to be enhancements model About the data model labels Sep 4, 2023
@tsteenbe
Member

tsteenbe commented Sep 4, 2023

As discussed in the ORT development meeting of September 4th, let's make it possible to curate the organization field.

@tsteenbe
Member

tsteenbe commented Sep 4, 2023

For reference, below is an example of SPDX with supplier info generated with Syft:

```json
{
 "spdxVersion": "SPDX-2.3",
 "dataLicense": "CC0-1.0",
 "SPDXID": "SPDXRef-DOCUMENT",
 "name": "/opt/python",
 "documentNamespace": "https://anchore.com/syft/dir/opt/python-2e170c31-f61e-4077-aeb5-e6ec88ef974e",
 "creationInfo": {
  "licenseListVersion": "3.21",
  "creators": [
   "Organization: Anchore, Inc",
   "Tool: syft-0.89.0"
  ],
  "created": "2023-09-03T14:15:13Z"
 },
 "packages": [
  {
   "name": "CacheControl",
   "SPDXID": "SPDXRef-Package-python-CacheControl-b45cb057d32f67f5",
   "versionInfo": "0.13.1",
   "supplier": "Person: Eric Larson \u003cericlarson@ionrock.com\u003e, Frost Ming \u003cme@frostming.com\u003e, William Woodruff \u003cwilliam@yossarian.net\u003e",
   "originator": "Person: Eric Larson \u003cericlarson@ionrock.com\u003e, Frost Ming \u003cme@frostming.com\u003e, William Woodruff \u003cwilliam@yossarian.net\u003e",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "sourceInfo": "acquired package info from installed python package manifest file: /versions/3.10.13/lib/python3.10/site-packages/cachecontrol-0.13.1.dist-info/METADATA, /versions/3.10.13/lib/python3.10/site-packages/cachecontrol-0.13.1.dist-info/RECORD",
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:eric_larson_\\\u003cericlarson_project:python-CacheControl:0.13.1:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:eric_larson_\\\u003cericlarson_project:python_CacheControl:0.13.1:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:eric_larson_\\\u003cericlarsonproject:python-CacheControl:0.13.1:*:*:*:*:*:*:*"
    }
   ]
  }
 ]
}
```
