Suggestion: Add support for tracking licensed components smaller than a library
JamesDawson opened this issue · 0 comments
A component may consume 3rd-party licensed elements at a more granular level than a package or library; it would be useful to be able to represent these smaller-scale dependencies in the generated SBOM.
For example, a given code file may re-use or derive its own implementation from another source. Whilst this use can be acknowledged via a comment in the affected code file and other higher-level documentation, this doesn't offer a structured way to record the dependency and any licensing requirements attached to its use.
Approaches like the debian/copyright file provide a means of recording licensing requirements on a per-file basis.
Adding support to Covenant so it can understand such conventions would enable it to include the license details of these 'sub-library' dependencies.
The SPDX specification includes support for recording information at the file level, which seems like it would cater for this type of scenario.
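As an added illustration of the two conventions the issue mentions (this is example code written for this page, not Covenant's code and not something the issue author posted): a small Python parser for the machine-readable debian/copyright layout (copyright-format 1.0, also known as DEP-5) that applies its rule that the last matching `Files` paragraph wins, and maps each path onto a subset of SPDX 2.x file-level fields. The sample copyright file, the paths, the project name and the copyright holders are all constructed for the example; the field names `fileName`, `SPDXID`, `licenseConcluded` and `copyrightText` are real SPDX 2.x file fields, but the output is not a complete SPDX document.

```python
"""Map per-file license data from a DEP-5 debian/copyright file onto
SPDX-style file-level records.  Added example; not Covenant's code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample debian/copyright (copyright-format 1.0).  The
# upstream name, paths and copyright holders are made up for this example.
SAMPLE_COPYRIGHT = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: example-app

Files: *
Copyright: 2023 Example Project Authors
License: MIT

Files: src/vendor/*
Copyright: 2019 Third Party Vendor
License: Apache-2.0

Files: src/vendor/hash/sha1.c
Copyright: 2001 Original Hash Author
License: BSD-3-Clause

License: MIT
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software...
"""

Paragraph = Dict[str, str]
Stanza = Tuple[List["re.Pattern[str]"], Paragraph]


def parse_paragraphs(text: str) -> List[Paragraph]:
    """Split a DEP-5 file into blank-line separated paragraphs, and each
    paragraph into field -> value, folding indented continuation lines."""
    paragraphs: List[Paragraph] = []
    current: Paragraph = {}
    last_field: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                paragraphs.append(current)
                current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field is not None:
            current[last_field] += "\n" + line.strip()  # continuation line
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        paragraphs.append(current)
    return paragraphs


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """DEP-5 globbing: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, backslash escapes the next character.
    There are no character classes, so fnmatch is not used."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def build_file_stanzas(paragraphs: List[Paragraph]) -> List[Stanza]:
    """Keep only Files paragraphs, in document order, with compiled globs."""
    return [([glob_to_regex(g) for g in p["Files"].split()], p)
            for p in paragraphs if "Files" in p]


def license_for(path: str, stanzas: List[Stanza]) -> Optional[Paragraph]:
    """DEP-5 rule: the last Files paragraph whose glob matches the path wins."""
    match: Optional[Paragraph] = None
    for patterns, para in stanzas:
        if any(rx.match(path) for rx in patterns):
            match = para
    return match


def to_spdx_files(paths: List[str], copyright_text: str) -> List[Dict[str, str]]:
    """Emit a subset of SPDX 2.x file fields for each path.  A path with no
    matching stanza gets NOASSERTION rather than a guessed license."""
    stanzas = build_file_stanzas(parse_paragraphs(copyright_text))
    records = []
    for path in paths:
        para = license_for(path, stanzas)
        # The short license name is the first line of the License field;
        # any further lines are the full license text and are not needed here.
        records.append({
            "fileName": "./" + path,
            "SPDXID": "SPDXRef-File-" + re.sub(r"[^A-Za-z0-9.-]", "-", path),
            "licenseConcluded": para["License"].split("\n")[0] if para else "NOASSERTION",
            "copyrightText": para["Copyright"] if para else "NOASSERTION",
        })
    return records


if __name__ == "__main__":
    for rec in to_spdx_files(["src/main.c", "src/vendor/json/parse.c",
                              "src/vendor/hash/sha1.c"], SAMPLE_COPYRIGHT):
        print(rec)
```

The precedence rule is the part a generator has to get right: `src/vendor/hash/sha1.c` is matched by all three `Files` paragraphs, and only the last one (BSD-3-Clause) applies, so a tool that stopped at the first match would report the wrong license for exactly the derived-from-elsewhere file this issue is about. A real file-level SBOM entry would also carry checksums and, where the license text is non-standard, a `LicenseRef-` entry; those are left out here.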