Add CycloneDX examples of real manifests

[mprpic]

Couple items still to-do:

• Fill in checksums in RPM example
• Mandrel example is limited to just two components, not the full thing
• Script all of this out
• Release manifests for RPM is missing multiple purls for all but one component (to show as an example)
• Container image example is only done for one arch
• Docs need to be updated with CDX descriptions
• Update RPM relationship of SRPM to binary RPMs to use provides instead of dependsOn:

"dependencies": [
  {
  	"ref": "pkg:rpm/redhat/[email protected]_2?arch=src",
    "provides": [
      "pkg:rpm/redhat/[email protected]_2?arch=aarch64",
...

This also bumps CycloneDX to 1.6 so we can use multiple purls and CPEs for one component.

Checksums for RPM in SPDX have been changed to:

• include the SHA256 checksum in the main hashes object
• include sigmd5 and sha256 of the header in annotations
  Docs have been updated to explain the values.

[kgrant-rh]

Looks good!