Oscar Tovar authored
SBOM components found by Trivy have their source attributes at the component level instead of the root level. This makes sense in the context of container scanning because there are certain properties that you cannot share when scanning a container image. For example, you cannot declare a file path at the root level, because OS components can live in various directories like /usr/local/lib/, /usr/bin/, and many others. Therefore, we'll source the `package_manager` and the `input_file_path` attributes from either the components' `properties` or the components' `source` instead of strictly only checking the `source`. The `properties` field takes precedence over the `source` field as they are deemed to be more specific.

Changelog: changed
EE: true