Allow for ingestion of SPDX SBOM documents as input

[wagoodman]

Today we allow for the syft JSON document as an SBOM input. It would be ideal to additionally interop with tools that produce SPDX documents and allow that as input into grype for vulnerability scanning.

[wagoodman]

Could be closely related to anchore/syft#400 and may have architectural changes/concerns. (we should try and tackle SBOM ingestion for syft and grype together)

[luhring]

Implementation idea (RFC): In addition to ingesting SPDX in general, we've mentioned the notion of piping SPDX into Grype (or Syft, per #395 (comment)). This could get tricky if we accept multiple formats (e.g. Syft + SPDX) and have to try to detect what we're receiving in the byte stream (not impossible, though).

Many tools have a convention of using - to refer to a command's stdin. We could use this in combination with our "schemes" system to allow the user to instruct the tool explicitly on how to interpret the inbound bytes.

E.g.: cat my-sbom.spdx | grype spdx:- ...

[luhring]

This will be unblocked once anchore/syft#556 is closed