sbom: add multiple pkgbase if they match

We have multiple packages with the same CPE, and since we now have
multiple components with the same name they get merged by grype into
one, which means each SBOM component can point to multiple pkgbase
values.

Author: lazka

msys2_devtools/sbom.py

@@ -176,8 +176,12 @@ def get_component_key(component: Component) -> str:
         return (component.name, component.version, component.purl, cpe_key)
 
     for component in src_bom.components:
+        assert isinstance(component, Component)
         key = get_component_key(component)
-        properties[key] = component.properties
+        if key not in properties:
+            properties[key] = component.properties
+        else:
+            properties[key].update(component.properties)
 
     with open(args.target_sbom, "r", encoding="utf-8") as h:
         target_bom: Bom = Bom.from_json(json.loads(h.read()))