Follow-up on Nokia's SBOM-QA findings for ORT

[sschuberth]

See https://github.com/nokia/SBOM-QA, thanks to @willebra for making me aware of this.

• Clarify on the wrong option syntax for creating SPDX-2.3 documents.
  Done: Fix ORT option to specify the SPDX version nokia/SBOM-QA#17
• Investigate "which necessitated modifications in the pom.xml file as described below" statement.
• Investigate why the generated ORT-Java-Maven.json was reported as invalid.
• Consider adding support for the PDM package manager.
• Improve supplier information in SBOMs.
  See: Improve the "supplier" information for SBOM formats #7449
• Review "CreatorComment and Organization fields in CreationInfo missing" statements.
• Review differences to reference SBOMs.

Thanks @CsatariGergely and team for your work here!

[elhamrasti]

appreciate your thorough review of our report and results, as well as the follow-up issue.
@Mostafa4043, could you please review and provide your input?

[sschuberth]

Consider adding support for the PDM package manager.

Actually, now that Python has an official lock file format specification, and "PDM has already been updated to allow users to opt into using pylock.toml over pdm.lock", we should probably straight add pylock.toml instead of pdm.lock support.

[sschuberth]

BTW, OpenSSF folks like @joshbressers also draft an SOM QA document over here.