Today, the `wolfictl vex ...` commands can create VEX data for the latest version of any given Wolfi package.
But we need the ability in `wolfictl` to produce VEX data for non-latest versions of packages, too. This could be because we've pinned to a fixed version of a package, or because we need to get the latest VEX data for a downstream artifact that already has a particular version of a Wolfi package (perhaps it was the latest version at the time, but time has passed since the downstream artifact was built).
`wolfictl vex package` should have the option (e.g. a flag) to specify a particular version of the package in question, and it should be able to assemble a correct VEX document (and statement history within) to describe that version of the package.
And `wolfictl vex sbom` should be able to follow the same approach, but taking into account the version of the package documented in the SBOM, which may not be the latest version of the Wolfi package.
Note: This almost certainly means we need to evolve the advisory data structure somehow to describe how statements relate to versions more precisely.
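A sketch of the version-aware statement selection the request above describes, as an added Go example that is not wolfictl's own code: the `Event` type, the simplified apk-style version parsing and the status names are assumptions made for illustration, not the real advisory schema.

```go
package main

import (
	"strconv"
	"strings"
	"time"
)

// Event is a hypothetical version-aware advisory event (not wolfictl's real schema).
type Event struct {
	Timestamp    time.Time
	Status       string // under_investigation | affected | not_affected | fixed
	FixedVersion string // set only when Status == "fixed"
}

// parseVersion splits apk-style "1.2.3-r4" into numeric parts and a release
// number (simplified: real apk versions also allow suffixes such as _alpha).
func parseVersion(v string) (parts []int, rel int) {
	bits := append(strings.SplitN(v, "-r", 2), "") // bits[1] == "" when no "-rN"
	for _, p := range strings.Split(bits[0], ".") {
		n, _ := strconv.Atoi(p) // non-numeric component counts as 0
		parts = append(parts, n)
	}
	rel, _ = strconv.Atoi(bits[1]) // missing "-rN" counts as r0
	return parts, rel
}
func cmpInt(a, b int) int { if a < b { return -1 }; if a > b { return 1 }; return 0 }
func at(s []int, i int) int { if i < len(s) { return s[i] }; return 0 } // zero-pad short lists

// compareVersions returns -1, 0 or 1 for a < b, a == b, a > b.
func compareVersions(a, b string) int {
	ap, ar := parseVersion(a)
	bp, br := parseVersion(b)
	for i := 0; i < len(ap) || i < len(bp); i++ {
		if c := cmpInt(at(ap, i), at(bp, i)); c != 0 { return c }
	}
	return cmpInt(ar, br)
}

// HistoryFor filters chronologically ordered events down to those that apply to
// one package version: a "fixed" event only applies at or above its FixedVersion,
// so for an older pinned version it is dropped and the earlier status stands.
func HistoryFor(version string, events []Event) []Event {
	var out []Event
	for _, e := range events {
		if e.Status == "fixed" && compareVersions(version, e.FixedVersion) < 0 {
			continue // this version predates the fix
		}
		out = append(out, e)
	}
	return out
}
```

The last element of the returned history is the status a VEX statement for that exact version should carry; the same filter serves the SBOM case once the version is read from the SBOM rather than a flag.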