
feat: mobster enrich #377

Open
gdozortsev wants to merge 4 commits into konflux-ci:main from gdozortsev:just_cyclone

Conversation

@gdozortsev

Documentation for the enrich feature lives in docs/sboms/enrich.md, and a comprehensive architecture explanation lives in docs/sboms/enrich_architecture.md.

This is an updated PR for the mobster enrich feature.
Main updates from last commit

  • This feature only consumes/produces CDX SBOMs/AIBOMs. All SPDX workflows have been removed, and documentation & testing have been updated to reflect this.
  • This feature uses/makes an update to the CycloneDX1BomWrapper class. The update adds an array of modelCards into the class.
  • PURL comparison now compares versions (ignored versions before). However, OWASP AIBOM generator cuts off versions after 8 characters, so the version comparison is only done on the first 8 characters of the version.
  • Implemented fixes from comments on last commit
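
The PURL matching rule the description above spells out (everything except the version must match exactly; the version is compared only on its first 8 characters because the OWASP AIBOM generator truncates it there), as an added example that is not mobster's own code. The minimal PURL parser, the `Purl` dataclass and the sample PURLs are constructed for this illustration; the `is_ambiguous` check shows the side effect a reviewer would want to watch for: two distinct versions that share an 8-character prefix are treated as the same package, so a model card can be attached to a release it does not actually describe.

```python
"""Added example (not mobster's own code): PURL matching with the 8-character
version prefix rule described in the PR.  The small parser below is a
constructed stand-in for a real PURL library and ignores percent-decoding."""
from dataclasses import dataclass
from typing import Optional

# Length of the version prefix that is compared, taken from the PR description
VERSION_PREFIX_LEN = 8


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: tuple  # sorted (key, value) pairs
    subpath: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Split a purl string: pkg:type/namespace/name@version?qualifiers#subpath."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):]
    subpath = None
    if "#" in rest:
        rest, subpath = rest.split("#", 1)
    qualifiers: tuple = ()
    if "?" in rest:
        rest, query = rest.split("?", 1)
        pairs = [kv.partition("=") for kv in query.split("&") if kv]
        qualifiers = tuple(sorted((k.lower(), v) for k, _, v in pairs))
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
    parts = rest.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    return Purl(
        type=parts[0].lower(),
        namespace="/".join(parts[1:-1]) or None,
        name=parts[-1],
        version=version or None,
        qualifiers=qualifiers,
        subpath=subpath,
    )


def versions_match(a: Optional[str], b: Optional[str]) -> bool:
    """Compare only the first VERSION_PREFIX_LEN characters, as the PR does,
    because the AIBOM side may carry a version truncated at 8 characters."""
    if a is None or b is None:
        return a == b
    return a[:VERSION_PREFIX_LEN] == b[:VERSION_PREFIX_LEN]


def purls_match(a: str, b: str) -> bool:
    """Identity parts must match exactly (assumption: qualifiers too); version by prefix."""
    pa, pb = parse_purl(a), parse_purl(b)
    same_identity = (pa.type, pa.namespace, pa.name, pa.qualifiers, pa.subpath) == (
        pb.type, pb.namespace, pb.name, pb.qualifiers, pb.subpath
    )
    return same_identity and versions_match(pa.version, pb.version)


def matching_candidates(component_purl: str, candidate_purls: list) -> list:
    """All AIBOM candidate purls the rule would accept for one SBOM component."""
    return [c for c in candidate_purls if purls_match(component_purl, c)]


def is_ambiguous(component_purl: str, candidate_purls: list) -> bool:
    """True when the prefix rule collapses more than one distinct full version
    onto the same component, i.e. a model card might be attached to the wrong
    release and the match deserves a manual look."""
    versions = {parse_purl(c).version for c in matching_candidates(component_purl, candidate_purls)}
    return len(versions) > 1


# Constructed sample data: one SBOM component and four AIBOM candidates
COMPONENT = "pkg:pypi/example-model@2.0.1-rc1"
CANDIDATES = [
    "pkg:pypi/example-model@2.0.1-rc1",  # exact match
    "pkg:pypi/example-model@2.0.1-rc2",  # same first 8 chars "2.0.1-rc" -> also matches
    "pkg:pypi/example-model@2.1.0",      # different version -> no match
    "pkg:pypi/other-model@2.0.1-rc1",    # different name -> no match
]

if __name__ == "__main__":
    print("matches:", matching_candidates(COMPONENT, CANDIDATES))
    print("ambiguous:", is_ambiguous(COMPONENT, CANDIDATES))
```

Running the module shows the two `2.0.1-rc*` candidates both accepted and the match flagged as ambiguous; a pipeline that enriches SBOMs this way should surface such collisions rather than silently picking the first candidate.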


@BorekZnovustvoritel BorekZnovustvoritel left a comment


I mainly have minor things for discussion. However, the test coverage decreased below 95 %, which fails the CI job. Some unit tests for all the new code should be added.

Comment thread src/mobster/sbom/enrich.py Outdated
Comment thread src/mobster/cmd/enrich/__init__.py Outdated
Comment thread src/mobster/cmd/cyclonedx_wrapper.py Outdated
Comment thread src/mobster/sbom/enrich.py Outdated
Comment thread src/mobster/sbom/enrich.py Outdated
Comment thread src/mobster/sbom/enrich.py Outdated
Comment thread src/mobster/sbom/enrich.py Outdated
Comment thread docs/sboms/enrich.md
@codecov-commenter

codecov-commenter commented May 11, 2026

Codecov Report

❌ Patch coverage is 98.96907% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 95.12%. Comparing base (216209a) to head (2eca9fe).
⚠️ Report is 13 commits behind head on main.

Files with missing lines Patch % Lines
src/mobster/cmd/cyclonedx_wrapper.py 94.73% 1 Missing ⚠️
src/mobster/cmd/enrich/merge_utils.py 91.66% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #377      +/-   ##
==========================================
+ Coverage   94.94%   95.12%   +0.18%     
==========================================
  Files          58       61       +3     
  Lines        3895     4082     +187     
==========================================
+ Hits         3698     3883     +185     
- Misses        197      199       +2     
Flag Coverage Δ
unit-tests 95.12% <98.96%> (+0.18%) ⬆️




@BorekZnovustvoritel BorekZnovustvoritel left a comment


Thank you for addressing my comments. I have spotted some other minor things.

Also, as you can see in the CI run I approved, Mobster enforces Conventional Commit messages for all commits in a PR. So the latest commit will have to be amended to change its description with a fix: prefix.

Also, if some of the code was assisted by AI, make sure to state that by adding a blank line and Assisted-by: <tool> to your commit messages.

Those are quite minor things, but we should get them addressed. Thank you for your work!

Comment thread tests/sbom/test_enrich_data/openai_aibom.json Outdated
Comment thread tests/sbom/test_enrich_data/llm_compress_openai_modelCard.json Outdated
Comment thread tests/sbom/test_enrich_data/enriched_sbom_openai.json Outdated
Comment thread src/mobster/cmd/cyclonedx_wrapper.py Outdated
Comment thread src/mobster/sbom/enrich.py Outdated

@BorekZnovustvoritel BorekZnovustvoritel left a comment


CI failed, fix with ruff format and ruff check --fix. Otherwise this looks good to me. We should also wait for Aleš to return from PTO to also take a look.

Contributor


Just a note: this is only used in examples, not tests.

However it isn't a large file, so I have no problem with keeping it this way.

@BorekZnovustvoritel

Now the CI failure is not an issue stemming from your PR. I have created a fix PR to the main branch here. After it is merged, we need to rebase this PR on top of main.


3 participants