Stabilize package identifier based on contents

[wagoodman]

From a conversation with @luhring ; today we have a Package.ID which is a random UUID which is helpful for uniquely identifying a package within a single report. We should explore the possibility of selecting "vital" elements from a package and its metadata that uniquely identifies the package and create an ID that is stable across multiple runs, as long as the key information that makes up the identity of the package is common across both documents.

Fields that should be considered when making a fingerprint:

• type (rpm, npm, etc)
• name
• version
• all evidence locations (file path + layer ID)

[wagoodman]

Consider potential use of https://github.com/mitchellh/hashstructure to selectively produce hash values consistently for complex types.

[wagoodman]

Here is a prototype branch (needs cleanup / rearranging commits) for adding package fingerprinting and how that fits into #32 . What's left is:

• should we add a new fingerprint field? or replace ID with the fingerprint value? (or something else)
• update cyclone DX and other presenters to reference packages with the stable fingerprint value

[wagoodman]

Note there are consequences here that impact #556