interlynk-io/sbomqs

Adding creationInfo details for each sbom being processed

Closed this issue · 1 comments

when --reportFormat is JSON, we want to improve certain parts:

  1. In case of any error, wrap the error in JSON and set score to 0
  2. Include the tool creator information with each file to help eliminate second parsing for downstream tools, e.g. for Syft-0.73.0:

     ```json
     {
       "file_name": "/Users/spathak/Downloads/bomber.cyclonedx.json",
       "spec": "spdx",
       "spec_version": "SPDX-2.3",
       "file_format": "json",
       "avg_score": 7.945727482678983,
       "creation_info": {
         "name": "syft",
         "version": "v0.73.0"
       }
     }
     ```

Capturing key points from the discussion today:

  1. Generators need consistency in creation info. For example, bom and trivy SPDX are missing the tool's version information. syft has it but stuffed with a name.
  2. sbomqs will report inconsistency as a quality rule (#77).
  3. Score and JSON formatting is to be filed as a separate issue. (#76)
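The following is an added example, not code from the sbomqs project, showing one way to implement what the issue and the discussion above ask for: pull the generator tool out of an SPDX 2.x document (`creationInfo.creators`, where syft writes `Tool: syft-<version>` and other generators write only the tool name) or a CycloneDX document (`metadata.tools`, an array in 1.4 and an object with `components` in 1.5), attach it as `creation_info` to a per-file report entry, wrap any parse error into that entry with the score forced to 0, and flag a missing tool version as a warning so the inconsistency can feed a quality rule. The `FileReport`, `Warnings` and `Error` fields, the `ExtractCreationInfo` and `BuildReport` names, and all sample documents are assumptions constructed for this example; only `file_name`, `avg_score` and `creation_info` come from the issue.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// CreationInfo mirrors the creation_info object proposed in the issue.
type CreationInfo struct {
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
}

// FileReport is a hypothetical per-file entry of the JSON report (assumed shape;
// only file_name, avg_score and creation_info are taken from the issue).
type FileReport struct {
	FileName     string        `json:"file_name"`
	AvgScore     float64       `json:"avg_score"`
	CreationInfo *CreationInfo `json:"creation_info,omitempty"`
	Warnings     []string      `json:"warnings,omitempty"`
	Error        string        `json:"error,omitempty"`
}

// looksLikeVersion accepts "0.73.0" or "v0.73.0" style suffixes.
func looksLikeVersion(s string) bool {
	s = strings.TrimPrefix(s, "v")
	return s != "" && unicode.IsDigit(rune(s[0]))
}

// parseToolCreator splits an SPDX creator string ("Tool: syft-0.73.0") into name
// and version. syft embeds the version in the name; other generators omit it, so
// Version may legitimately come back empty.
func parseToolCreator(creator string) (CreationInfo, bool) {
	if !strings.HasPrefix(creator, "Tool:") {
		return CreationInfo{}, false
	}
	tool := strings.TrimSpace(strings.TrimPrefix(creator, "Tool:"))
	if i := strings.LastIndex(tool, "-"); i > 0 && looksLikeVersion(tool[i+1:]) {
		return CreationInfo{Name: tool[:i], Version: tool[i+1:]}, true
	}
	return CreationInfo{Name: tool}, true
}

// ExtractCreationInfo reads the generator tool from an SPDX 2.x JSON document or a
// CycloneDX JSON document (metadata.tools as a 1.4 array or a 1.5 object).
func ExtractCreationInfo(doc []byte) (CreationInfo, error) {
	var raw struct {
		SPDXID       string `json:"SPDXID"`
		CreationInfo struct {
			Creators []string `json:"creators"`
		} `json:"creationInfo"`
		BomFormat string `json:"bomFormat"`
		Metadata  struct {
			Tools json.RawMessage `json:"tools"`
		} `json:"metadata"`
	}
	if err := json.Unmarshal(doc, &raw); err != nil {
		return CreationInfo{}, fmt.Errorf("invalid JSON: %w", err)
	}
	switch {
	case raw.SPDXID != "":
		for _, c := range raw.CreationInfo.Creators {
			if ci, ok := parseToolCreator(c); ok {
				return ci, nil
			}
		}
	case raw.BomFormat == "CycloneDX":
		var tools []CreationInfo // CycloneDX 1.4: tools is an array
		if err := json.Unmarshal(raw.Metadata.Tools, &tools); err != nil {
			var obj struct { // CycloneDX 1.5: tools is {"components": [...]}
				Components []CreationInfo `json:"components"`
			}
			if json.Unmarshal(raw.Metadata.Tools, &obj) == nil {
				tools = obj.Components
			}
		}
		if len(tools) > 0 {
			return tools[0], nil
		}
	default:
		return CreationInfo{}, errors.New("unrecognised SBOM format")
	}
	return CreationInfo{}, errors.New("creation info: no tool entry found")
}

// BuildReport wraps any extraction error into the entry and forces the score to 0;
// a tool without a version becomes a warning (a quality finding, not an error).
func BuildReport(fileName string, doc []byte, score float64) FileReport {
	rep := FileReport{FileName: fileName, AvgScore: score}
	ci, err := ExtractCreationInfo(doc)
	if err != nil {
		rep.AvgScore, rep.Error = 0, err.Error()
		return rep
	}
	rep.CreationInfo = &ci
	if ci.Version == "" {
		rep.Warnings = append(rep.Warnings, "creation_info: generator reported no tool version")
	}
	return rep
}

// Constructed sample documents for this example, not real generator output.
const (
	spdxSyft  = `{"SPDXID":"SPDXRef-DOCUMENT","spdxVersion":"SPDX-2.3","creationInfo":{"creators":["Organization: Example","Tool: syft-0.73.0"]}}`
	spdxNoVer = `{"SPDXID":"SPDXRef-DOCUMENT","spdxVersion":"SPDX-2.3","creationInfo":{"creators":["Tool: trivy"]}}`
	cdx14     = `{"bomFormat":"CycloneDX","specVersion":"1.4","metadata":{"tools":[{"vendor":"anchore","name":"syft","version":"0.73.0"}]}}`
	cdx15     = `{"bomFormat":"CycloneDX","specVersion":"1.5","metadata":{"tools":{"components":[{"type":"application","name":"trivy","version":"0.44.0"}]}}}`
	broken    = `{"bomFormat":"CycloneDX",`
)

func main() {
	samples := map[string]string{"syft.spdx.json": spdxSyft, "trivy.spdx.json": spdxNoVer,
		"syft.cdx.json": cdx14, "trivy.cdx.json": cdx15, "broken.json": broken}
	for name, doc := range samples {
		out, _ := json.MarshalIndent(BuildReport(name, []byte(doc), 7.9), "", "  ")
		fmt.Println(string(out))
	}
}
```

Running it prints one JSON entry per sample: the syft documents carry both name and version, the `Tool: trivy` document gets `creation_info` with only a name plus a warning, and the truncated document gets an `error` field with `avg_score` 0 instead of aborting the whole run.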