Support embedding file hashes directly within components in CycloneDX-JSON SBOM output

[narasimhathejarao]

What happened:
When generating a CycloneDX SBOM (cyclonedx-json) using Syft v1.22.0, the file hashes (enabled using SYFT_FILE_METADATA_DIGESTS=sha256) are included only in a separate "files" section at the bottom of the SBOM. These hashes are not embedded within the corresponding "components" themselves.

This causes issues for consumers expecting file-level hashes to be part of the individual component definitions — especially in enterprise workflows and for tools doing direct validation or enrichment on component data.

What you expected to happen:
Expected file hashes (e.g., SHA256) to be embedded directly within each component object in the SBOM where applicable — ideally under a hashes field inside components[*].

This behavior would align better with other SBOM standards and consumer tools that expect hash data to be coupled with the component/package metadata.

Steps to reproduce the issue:

1. Set the environment variable:
   export SYFT_FILE_METADATA_DIGESTS=sha256

2. Run Syft against any image:
   syft -o cyclonedx-json

3. Inspect the output SBOM:

• Notice that hashes appear under the "files" section
• The corresponding "components" lack the hashes field

Anything else we need to know?:
Hashes do get calculated and included, but only as separate file entries — not within the actual components that refer to those files.
This causes disconnects in our tooling, which relies on hashes for component-level validation, and results in extra post-processing effort.

Would be helpful if this behavior could be toggled via a CLI flag or a new env var — e.g., SYFT_EMBED_HASHES_IN_COMPONENTS=true.

Environment:

1. Output of syft version:
   syft 1.22.0

2. OS:
   Windows Server 2019 (via PowerShell)