Inconsistent publishing of CyloneDX Documents for buildpack layers

[xyloman]

In order to attribute which buildpack layer contributed a vulnerable package, the cnb-sboms layer should include CylconeDX documents as well as Syft to allow users to use either Grype or Trivy to scan the SBOM. Some layers (e.g. paketo-buildpacks_ca-certificates, paketo-buildpacks_spring-boot). Some layers do include a CDX document for instance paketo-buildpacks_bellsoft-liberica.

[dmikusa]

For libpak based buildpacks, there is a feature request to add this. You can 👍 to vote for that if it is needed.