feat: improved support for unknown version matches

[sw-sdiepold]

The code from this pull request will add matched packages to the SBOM and for later CVE checking where no specific version could be found. This is important information for finding vulnerabilities since all contained packages even the ones with no easy to match version string can be vulnerable.

[terriko]

github's diff is making this annoying to read, but I think this is a good change.

Can you add something to the docs explaining what an "unknown" in the sbom will look like and what it means? I suspect it's the sort of thing people will find confusing when it comes up. Probably needs go to in MANUAL.md or in the SBOM how-to once it's written.

We could also use a test to make sure we don't accidentally revert this (a big risk, I suspect, since everyone wants different things out of their SBOMs). That could be a separate PR or I can just open a new issue after this is merged if you don't have time to work on that part.

[terriko]

Okay, it's been some months so clearly we're not going to get around to writing a test. I'll file a separate issue for that and get this merged as-is. Hopefully one of the GSo:C candidates will be interested in looking at improving the test situation.