feat: "language" parsers for Linux packages #2621

Open
terriko opened this issue Jan 31, 2023 · 0 comments
Labels
enhancement New feature or request

terriko commented Jan 31, 2023

Currently, cve-bin-tool has a few types of support for common Linux packaging formats such as .rpm and .deb:

  • we support extracting their contents (for use with the binary scanner)
  • we have some tools for getting information about security fixes from some vendors

But what we don't do is treat them the way we treat language packages, where we could be opening and reading the metadata from the package directly and reporting that without requiring a deeper scan or in conjunction with a scan. I'm not sure off the top of my head what's in the metadata of Linux packages nowadays, but I'd expect we could at least get versions, product names, license, source urls, and more that might be useful.

So it would be interesting to add "language parser" style support for Linux packages, and potentially integrate that support with our existing tools. So for example, you could compare the stated version with what we're finding from the binaries and make sure you don't report both or print warnings if they appear to be mis-matched, or use the vendor fix information to reduce false positives or provide additional information in reports. It also might be interesting to integrate this with the helper script to make more checkers if we can read the metadata but don't have a binary checker that works for that product.
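The kind of direct metadata read this issue describes, for the .deb case, as an added example that is not cve-bin-tool's code: it walks the ar container a .deb is built from, pulls the control file out of control.tar.* and returns its fields (Package, Version, Homepage, ...) without ever unpacking data.tar. The sample package is constructed in memory; libexample, the version string and example.invalid are placeholders, not a real package.

```python
import io, tarfile

AR_MAGIC = b"!<arch>\n"  # a .deb is an ar archive holding debian-binary, control.tar.*, data.tar.*

def ar_members(data: bytes):  # yield (name, payload) for each member of an ar archive
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]  # fixed 60-byte ASCII member header
        assert hdr[58:60] == b"`\n", "corrupt ar member header"
        name = hdr[:16].decode().rstrip(" ").rstrip("/")  # GNU ar appends '/' to names
        size = int(hdr[48:58].decode().strip())
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # member data is padded to an even length

def parse_control(text: str) -> dict:  # RFC 822-style fields; continuation lines start with whitespace
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = (s.strip() for s in line.partition(":"))
            fields[key] = value
    return fields

def deb_metadata(deb: bytes) -> dict:  # control fields of a .deb, without unpacking data.tar
    for name, payload in ar_members(deb):
        if name.startswith("control.tar"):  # .gz/.xz are handled by tarfile; .zst needs Python 3.14+
            with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tar:
                for m in tar.getmembers():
                    if m.name.lstrip("./") == "control":
                        return parse_control(tar.extractfile(m).read().decode())
    raise ValueError("no control file found in .deb")

def build_sample_deb(control_text: str) -> bytes:  # constructed fixture, not a real package
    def member(name, payload):  # 60-byte ar header: name mtime uid gid mode size fmag
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(payload):<10}`\n".encode()
        return hdr + payload + (b"\n" if len(payload) % 2 else b"")
    buf, body = io.BytesIO(), control_text.encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("./control")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return AR_MAGIC + member("debian-binary", b"2.0\n") + member("control.tar.gz", buf.getvalue())

SAMPLE_CONTROL = ("Package: libexample\nVersion: 1.2.3-4\nHomepage: https://example.invalid/libexample\n"
                  "Description: Constructed example package\n Only used to exercise the metadata reader.\n")
```

The returned Version field is the value a checker would compare against what the binary scanner reports for the same product, which is the mismatch check the comment above suggests.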
