Add support for determining supplier of packages

[kzantow]

What would you like to be added:
The supplier field to SBOMs, in order to conform to the NITA minimum SBOM requirements.

Why is this needed:
Syft should generate SBOMs that include the NTIA minimum requirements. The supplier field is one aspect of the NITA minimum SBOM requirements which Syft is not currently populating.

Additional context:
This is an aspect of #632

[spiffcs]

Part of the next step of this work after #1980 goes in is keying off of the example of when the originator and the supplier are different and how to read that into documents that are not handcrafted - what package manager fields/data exist to allow us to make this distinction across ecosystems on document generation

The SPDX document identifies the package as [glibc](https://www.gnu.org/software/libc/) 
and the Package Supplier as [Red Hat](https://www.redhat.com/), 
but the [Free Software Foundation](http://www.fsf.org/) is the Package Originator.

[kzantow]

We also need to be able to provide a supplier to the "source", which ends up as root elements in SPDX and CycloneDX. One possibility is to add something like --source-name and --source-version, which could be --source-supplier, but we don't have this element in the Syft data model yet, so it would need to be added. It is possible this supplier information should then be used for packages as well (e.g. who should a user contact when they need something done to the software to correct an issue/vulnerability/etc.). It might also be important to add something to a "hints" file to be able to be more specific about overriding/specifying information for specific packages.

[spiffcs]

Dev Note: When implementing this feature the resulting SBOM should pass this validator:
https://github.com/CycloneDX/cyclonedx-cli