Incorrect using of AttributionText in SPDX output

[knqyf263]

Description

We should use annotations for scan metadata instead of attributionTexts.

"annotations" : [ {
    "annotationDate" : "2024-10-29T18:30:22Z",
    "annotationType" : "OTHER",
    "annotator" : "Tool: Trivy ()",
    "comment" : "Class: lang-pkgs"
  },
  {
    "annotationDate" : "2024-10-29T18:30:22Z",
    "annotationType" : "OTHER",
    "annotator" : "Tool: Trivy ()",
    "comment" : "Type: npm"
  },

trivy/pkg/sbom/spdx/marshal.go

Lines 369 to 378 in c8c14d3

	func (m *Marshaler) spdxAttributionTexts(c *core.Component) []string {
	var texts []string
	for _, p := range c.Properties {
	// Add properties that are not in other fields.
	if !slices.Contains(duplicateProperties, p.Name) {
	texts = m.appendAttributionText(texts, p.Name, p.Value)
	}
	}
	return texts
	}

Discussed in #7715

[knqyf263]

@DmitriyLewen Do you think we can fix it for v0.57.0? If this task takes some time, I'll put it into v0.58.0.

[DmitriyLewen]

I will take a look today and write to you

[DmitriyLewen]

@knqyf263 while I was checking - I created #7811 😄

[DmitriyLewen]

fixed in #7811