fix(report): tidy dependencies for multiple repo on integration with GSA (#1593)

* initialize dependencyGraphManifests out of loop

* remove GitHubSecurityAlert.PackageName

* tidy dependency map for multi repo

* set repo name into SBOM components & purl for multi repo

models/github.go

@@ -1,21 +1,28 @@
 package models
 
 import (
+	"fmt"
 	"strings"
 
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 )
 
 // DependencyGraphManifests has a map of DependencyGraphManifest
-// key: Filename
+// key: BlobPath
 type DependencyGraphManifests map[string]DependencyGraphManifest
 
 type DependencyGraphManifest struct {
+	BlobPath     string       `json:"blobPath"`
 	Filename     string       `json:"filename"`
 	Repository   string       `json:"repository"`
 	Dependencies []Dependency `json:"dependencies"`
 }
 
+// RepoURLFilename should be same format with GitHubSecurityAlert.RepoURLManifestPath()
+func (m DependencyGraphManifest) RepoURLFilename() string {
+	return fmt.Sprintf("%s/%s", m.Repository, m.Filename)
+}
+
 // Ecosystem returns a name of ecosystem(or package manager) of manifest(lock) file in trivy way
 // https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems
 func (m DependencyGraphManifest) Ecosystem() string {