
Add support for SBOM attestations #730

Closed
wants to merge 3 commits into from

Commits on Aug 11, 2023

  1. Add support for SBOM attestations

    This commit teaches Chains to create SBOM attestations based on type
    hinting results from TaskRuns.
    
    The general idea is that a Task generates the SBOM, then uploads it as a
    blob to an OCI registry. Chains then downloads the blob and uses it as
    the payload when creating the SBOM in-toto attestation.
    
    Multiple SBOMs per image are allowed. They may be of different formats.
    
    Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
    lcarva committed Aug 11, 2023
    Commit 4c99afa

Commits on Sep 5, 2023

  1. Disable multi-image SBOM support

    The IMAGES type-hinting result allows a TaskRun to provide a dynamically
    sized list of images to be processed by Chains. In the case of SLSA
    Provenance, one statement is created which contains in its list of
    subjects all the images from the result. This makes sense as these
    images do share provenance.
    
    The SBOMS type-hinting result was meant to add support for SBOM when
    the IMAGES result is used. However, unlike SLSA Provenance, an SBOM is
    usually descriptive of a single image. This means that the order of the
    items in the SBOMS result must match the order of the images in the
    IMAGES result. This can be problematic.
    
    This commit drops support for the SBOMS type-hinting result, and the
    corresponding SBOMS_FORMAT, to avoid confusion. If we want to
    re-introduce it, let's make sure that Chains can provide some sort of
    assurance regarding the order of the SBOMs matching the order of the
    images.
    
    Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
    lcarva committed Sep 5, 2023
    Commit 436fd2f

Commits on Sep 6, 2023

  1. Remove appContext

    Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
    lcarva committed Sep 6, 2023
    Commit c6069f5
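The two design points in the commit messages above (an SBOM blob becomes the predicate of an in-toto statement whose subject is the image, and SBOMs should not be matched to images by list position) can be shown in a few lines of Go. The following is an added illustration, not Chains' own code or its actual types: the `Statement`/`Subject` structs mirror the in-toto Statement v0.1 JSON layout, the predicate type URIs for SPDX and CycloneDX are assumed, the `ImageDigest` field on the downloaded blob is a hypothetical way for a task to record which image an SBOM describes, and all image digests and SBOM contents are constructed sample values.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Statement and Subject mirror the in-toto Statement v0.1 JSON layout.
// These are illustrative structs, not Chains' or in-toto-golang's own types.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Image is an image reference plus the manifest digest used as the subject.
type Image struct {
	Ref    string // e.g. registry.example/app (constructed)
	Digest string // sha256 hex of the manifest (constructed below)
}

// SBOMBlob is the SBOM downloaded from the OCI registry plus the format the
// task reported. ImageDigest is a hypothetical field: the digest of the image
// the SBOM claims to describe, recorded by the task that produced it.
type SBOMBlob struct {
	Format      string // assumed predicate type URI, e.g. https://spdx.dev/Document
	Content     []byte
	ImageDigest string
}

const StatementType = "https://in-toto.io/Statement/v0.1"

// FakeDigest derives a deterministic sha256 hex string from a label so the
// sample data below looks like a manifest digest (constructed, not real).
func FakeDigest(label string) string {
	sum := sha256.Sum256([]byte(label))
	return hex.EncodeToString(sum[:])
}

// BuildSBOMAttestation wraps one SBOM blob as the predicate of a statement
// whose single subject is the image. It rejects a blob that is not JSON and
// an SBOM whose declared image digest differs from the subject digest, so a
// mismatched SBOM is never attested for the wrong image.
func BuildSBOMAttestation(img Image, sbom SBOMBlob) (*Statement, error) {
	if !json.Valid(sbom.Content) {
		return nil, fmt.Errorf("sbom for %s is not valid JSON", img.Ref)
	}
	if sbom.ImageDigest != img.Digest {
		return nil, fmt.Errorf("sbom declares digest %s but subject is %s", sbom.ImageDigest, img.Digest)
	}
	return &Statement{
		Type:          StatementType,
		Subject:       []Subject{{Name: img.Ref, Digest: map[string]string{"sha256": img.Digest}}},
		PredicateType: sbom.Format,
		Predicate:     json.RawMessage(sbom.Content),
	}, nil
}

// AttestAll pairs SBOMs to images by the digest each SBOM declares rather
// than by position in the two lists, which is the ordering assumption the
// second commit message identifies as problematic. Several SBOMs of
// different formats may describe the same image.
func AttestAll(images []Image, sboms []SBOMBlob) ([]*Statement, error) {
	byDigest := make(map[string]Image, len(images))
	for _, img := range images {
		byDigest[img.Digest] = img
	}
	out := make([]*Statement, 0, len(sboms))
	for _, s := range sboms {
		img, ok := byDigest[s.ImageDigest]
		if !ok {
			return nil, fmt.Errorf("sbom of format %s references unknown image digest %s", s.Format, s.ImageDigest)
		}
		st, err := BuildSBOMAttestation(img, s)
		if err != nil {
			return nil, err
		}
		out = append(out, st)
	}
	return out, nil
}

func main() {
	app := Image{Ref: "registry.example/app", Digest: FakeDigest("app-manifest")}
	db := Image{Ref: "registry.example/db", Digest: FakeDigest("db-manifest")}
	// Constructed blobs, deliberately listed in the opposite order to the images.
	sboms := []SBOMBlob{
		{Format: "https://cyclonedx.org/bom", Content: []byte(`{"bomFormat":"CycloneDX"}`), ImageDigest: db.Digest},
		{Format: "https://spdx.dev/Document", Content: []byte(`{"spdxVersion":"SPDX-2.3"}`), ImageDigest: app.Digest},
	}
	statements, err := AttestAll([]Image{app, db}, sboms)
	if err != nil {
		panic(err)
	}
	for _, st := range statements {
		b, _ := json.MarshalIndent(st, "", "  ")
		fmt.Println(string(b))
	}
}
```

Run as-is and the CycloneDX statement is emitted with `registry.example/db` as its subject even though that SBOM sat first in the list, which is the difference between digest-based and position-based pairing.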