Infer repositories from SBOM

[ribbybibby]

In some cases we can figure out the repository for a package just by looking at the SBOM, without the deps.dev dataset.

For instance:

• Golang package names are often github repository paths
• The CycloneDX spec supports a vcs type in the externalReferences of a component, which typically contains the github repository

This would be useful when the package isn't in deps.dev but its repository is in the scorecard dataset. Or, when the package is internal.