
feat: introduce --show-enrichment semantic diff to highlight attestation value#24

Open
corepacket wants to merge 1 commit into SBOMit:master from corepacket:feat/show-enrichment-diff

Conversation


@corepacket corepacket commented Apr 6, 2026

Title: feat: introduce --show-enrichment semantic diff to highlight attestation value

Closes #25

Description:

Problem:
Currently, when SBOMit executes its attestation-driven pipeline, it quietly merges dynamically discovered data (from witnesses) with a base cataloger's SBOM (Trivy/Syft). This lack of visibility makes it difficult for developers and security teams to quantify exactly what value SBOMit provided over running the static cataloger alone.

Solution:
This PR implements a deep semantic diffing engine (pkg/diff) and exposes it to the CLI via a new --show-enrichment flag. It mathematically proves SBOMit’s impact by taking the pre-fusion Base SBOM and calculating what exact packages and identifiers were added or updated by the parsed attestations.

Key Additions:

  • pkg/diff Module: Isolated diffing logic with strict unit test coverage that compares two protobom/sbom.Document structs.
  • Intelligent PURL Identification: Normalizes and parses PURL identities to accurately differentiate between a completely Added package and an Enriched package (e.g., when an attestation captures a network query string ?url=... that shouldn't break the identity matching).
  • Precise Enrichment Calculations: Evaluates differential data at a granular level, correctly reporting Updated packages only when newly discovered build Hashes or PURL Qualifiers are genuinely unique compared to the base scanner.
  • CLI UX: Integrates into cmd/generate.go, intercepting the generation pipeline in pkg/generator/generator.go right before the final merge, outputting a clear metric summary to stderr.

Example Output:

$ sbomit generate build-trace.json -c syft --show-enrichment

SBOMit Enrichment Summary:
  • Base Packages: 88
  • Added by Attestation: 5
  • Enriched Packages (Hashes, URLs, etc): 12

SBOM written to sbom.json

Adds a generic SBOM diff layer via pkg/diff and pipes the logic to generate commands

Signed-off-by: corepacket <wbn453177@gmail.com>
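The classification rules described in the PR (identity matching on a qualifier-stripped PURL, "Added" for identities the base cataloger never saw, "Enriched" only when the attestation brings hashes or qualifiers the base lacks), shown as an added, stand-alone example. This is not SBOMit's pkg/diff code and does not use protobom: the Package and Summary types, the Diff function and the sample inputs are constructed here for illustration. It also adds one thing a reviewer would want that the PR text does not mention: a witness digest that contradicts the base scanner's digest for the same algorithm is reported as a conflict rather than counted as enrichment.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Package is a hypothetical, minimal stand-in for a protobom node: only the
// fields the enrichment diff needs (PURL identity plus hashes).
type Package struct {
	PURL   string
	Hashes map[string]string // algorithm -> digest, e.g. "sha256" -> "ab12..."
}

// Summary carries the PR's three counters plus Conflicts: an attested digest
// that differs from the base's for the same algorithm must be surfaced, not
// merged silently as "enrichment".
type Summary struct {
	Base      int
	Added     []string // identity keys present only in the attested set
	Enriched  []string // in both; attestation adds hashes or qualifiers
	Conflicts []string // in both; attestation contradicts base data
}

// identityKey reduces a PURL to "pkg:type/namespace/name@version" by dropping
// qualifiers (?k=v&...) and subpath (#...), so a witness-captured
// "pkg:npm/left-pad@1.3.0?url=https://..." matches the cataloger's
// "pkg:npm/left-pad@1.3.0". Lowercasing everything is a simplification; the
// PURL spec makes only the type case-insensitive.
func identityKey(purl string) string {
	key := strings.TrimSpace(purl)
	if i := strings.IndexAny(key, "?#"); i >= 0 {
		key = key[:i]
	}
	return strings.ToLower(key)
}

// qualifiers parses the k=v pairs of a PURL's query part; subpath is ignored.
func qualifiers(purl string) map[string]string {
	q := map[string]string{}
	rest, _, _ := strings.Cut(purl, "#")
	_, query, found := strings.Cut(rest, "?")
	if !found {
		return q
	}
	for _, kv := range strings.Split(query, "&") {
		if kv == "" {
			continue
		}
		k, v, _ := strings.Cut(kv, "=")
		q[strings.ToLower(k)] = v
	}
	return q
}

// compare classifies an attested record against the base record of the same
// identity: new hash algorithms or new qualifier keys are enrichment; a
// different value for a key the base already has is a conflict.
func compare(base, att Package) (enriched, conflict bool) {
	for alg, digest := range att.Hashes {
		if b, ok := base.Hashes[alg]; !ok {
			enriched = true
		} else if !strings.EqualFold(b, digest) {
			conflict = true
		}
	}
	bq := qualifiers(base.PURL)
	for k, v := range qualifiers(att.PURL) {
		if bv, ok := bq[k]; !ok {
			enriched = true
		} else if bv != v {
			conflict = true
		}
	}
	return enriched, conflict
}

// Diff computes the enrichment summary of attested packages over the base SBOM.
// Each identity is counted once even if several witness records mention it.
func Diff(base, attested []Package) Summary {
	byKey := make(map[string]Package, len(base))
	for _, p := range base {
		byKey[identityKey(p.PURL)] = p
	}
	s := Summary{Base: len(byKey)}
	seen := map[string]bool{}
	for _, a := range attested {
		k := identityKey(a.PURL)
		if seen[k] {
			continue
		}
		seen[k] = true
		b, ok := byKey[k]
		if !ok {
			s.Added = append(s.Added, k)
			continue
		}
		if enriched, conflict := compare(b, a); conflict {
			s.Conflicts = append(s.Conflicts, k)
		} else if enriched {
			s.Enriched = append(s.Enriched, k)
		}
	}
	sort.Strings(s.Added)
	sort.Strings(s.Enriched)
	sort.Strings(s.Conflicts)
	return s
}

// SampleBase and SampleAttested are constructed inputs, not real scanner or
// witness output; the short digests are placeholders.
func SampleBase() []Package {
	return []Package{
		{PURL: "pkg:npm/left-pad@1.3.0", Hashes: map[string]string{"sha256": "a1"}},
		{PURL: "pkg:golang/github.com/spf13/cobra@v1.8.0"},
		{PURL: "pkg:pypi/requests@2.31.0", Hashes: map[string]string{"sha256": "c3"}},
		{PURL: "pkg:pypi/urllib3@2.2.1", Hashes: map[string]string{"sha256": "d4"}},
	}
}

func SampleAttested() []Package {
	return []Package{
		// same identity, witness adds the download URL as a qualifier -> enriched
		{PURL: "pkg:npm/left-pad@1.3.0?url=https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
			Hashes: map[string]string{"sha256": "a1"}},
		// same identity, witness adds a hash the cataloger lacked -> enriched
		{PURL: "pkg:golang/github.com/spf13/cobra@v1.8.0", Hashes: map[string]string{"sha256": "b2"}},
		// identical data -> neither added nor enriched
		{PURL: "pkg:pypi/requests@2.31.0", Hashes: map[string]string{"sha256": "c3"}},
		// same algorithm, different digest -> conflict, not enrichment
		{PURL: "pkg:pypi/urllib3@2.2.1", Hashes: map[string]string{"sha256": "d5"}},
		// unknown to the cataloger -> added
		{PURL: "pkg:pypi/certifi@2024.2.2", Hashes: map[string]string{"sha256": "e6"}},
	}
}

func main() {
	s := Diff(SampleBase(), SampleAttested())
	fmt.Println("SBOMit Enrichment Summary:")
	fmt.Printf("  Base Packages: %d\n", s.Base)
	fmt.Printf("  Added by Attestation: %d %v\n", len(s.Added), s.Added)
	fmt.Printf("  Enriched Packages: %d %v\n", len(s.Enriched), s.Enriched)
	fmt.Printf("  Conflicting Packages: %d %v\n", len(s.Conflicts), s.Conflicts)
}
```

On the constructed sample this reports 4 base packages, 1 added (certifi), 2 enriched (cobra via a new hash, left-pad via the url qualifier) and 1 conflict (urllib3). Whether a conflict should abort generation or only be printed is a policy decision the PR does not settle; counting it as enrichment would hide a disagreement between the static cataloger and the build witness.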
absol27 (Member) commented Apr 15, 2026

I think you can reuse internal state for the diff, we add SBOMit data to the syft generated SBOM. So the delta is the diff except for those already in the syft SBOM. This filtering again is something we already do when adding entries from attestations imo.

corepacket (Author) commented

@absol27 Thanks, that makes sense.

I see that the delta is already determined during the enrichment step while filtering against the Syft SBOM. I’ll refactor this to reuse that logic and track added / enriched packages directly during the merge instead of using a separate diff module.

I’ll update the PR accordingly.

absol27 (Member) commented Apr 15, 2026

Thanks!



Development

Successfully merging this pull request may close these issues.

Add --show-enrichment flag for SBOM diff visibility

3 participants