Add pkg-manager to the analysis request headers #252

@ruromero

What did you have in mind?

When possible we should record which package manager generated an invalid or problematic SBOM so that we can narrow down the issue.

Are you trying to fix a problem?

When the SBOM has packages like maven, it is not possible to distinguish if the problem was caused by maven, gradle-kotlin or gradle-groovy. The same happens for npm packages and npm, pnpm, yarn-berry or yarn-classic.

Any lead on how this feature can be implemented?

No response

Metadata

Labels: needs triage (This issue has to be categorized)

Status: Done
