Add hierarchical dependency resolution from embedded POM files #4943

Open
Miablo wants to merge 6 commits into anchore:main from capitalone-contributions:miablo-use-embedded-pom-deps

Conversation

@Miablo Miablo commented May 27, 2026

Description

  • Adds a dependency graph built from embedded pom.xml files in Java archives, wiring auxiliary packages to their actual Maven parents rather than flat to the root archive
  • Enriches dependency relationships with depth, scope, and direct/transitive metadata for Syft JSON output
  • Deferred parent resolution via post-processor handles cross-archive dependencies
  • Gated by java.use-embedded-pom-dependencies (default: false) — no behavior change unless opted in

Design decisions

  • maven.ID as map key
  • FindNodeByGA fallback to handle version-mismatch scenarios where dependency management resolves a different version than what the POM declares
  • ID.Coordinate(): explicit, round-trippable serialization (groupId:artifactId:version) used for IntendedParentID in JSON
  • Branch-scoped cycle detection: visited map is copied per branch so diamond dependencies are still resolved
  • Post-processor 3-tier index: full coord → groupId:artifactId → artifactId fallback for cross-archive parent resolution
  • Feature flag default off: zero behavioral change for existing users

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Issue references

This PR splits #4843 to focus on embedded POM graph only and incorporates all architectural feedback from @kzantow's review:

  1. Relationship logic moved to pkg/cataloger/java
  2. Java-specific config, UseEmbeddedPOMDependencies, moved from shared relationship options to ArchiveCatalogerConfig
  3. Use maven.ID as map key with explicit serialization and maven_id.go wrapper removed
  4. Version-agnostic graph lookup fallback: added FindNodeByGA(groupID, artifactID string) as a fallback when an exact maven.ID match (including version) fails. This handles the scenario where Maven dependency management resolves a different version than the one the POM declares, and the graph still finds the correct node by groupId:artifactId.
  5. Depth is computed, not stored. The depth value in DependencyRelationshipData is output enrichment for SBOM consumers, not structural redundancy on the graph.
  6. Lookup maps extracted into a helper: the inline map construction in archive_parser.go was replaced with a buildPkgIndex() method. Relationship creation split into clearly named createAuxPkgRelationship and createMainPkgRelationship methods.

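The design decisions and review follow-ups above (maven.ID as the map key, the version-agnostic FindNodeByGA fallback, branch-scoped cycle detection, depth computed during traversal, and the 3-tier post-processor index) can be illustrated with a small standalone Go program. This is an added example written for this page, not code from the PR or from syft; Coordinate, Graph, Resolve, Index, BuildIndex, Lookup and SampleGraph are hypothetical names, and the sample graph (a root archive whose two shaded libraries both declare the same third library, which in turn declares one of them again) is constructed. It goes slightly beyond the description in one respect: an artifactId that maps to more than one groupId is dropped from the third tier instead of matching whichever package was indexed first.

```go
package main

import "fmt"

// Coordinate is a hypothetical groupId:artifactId:version key, a stand-in for
// syft's maven.ID in this example (not the project's own type). String is the
// round-trippable serialization; GA is the version-agnostic groupId:artifactId key.
type Coordinate struct{ GroupID, ArtifactID, Version string }
func (c Coordinate) String() string { return c.GroupID + ":" + c.ArtifactID + ":" + c.Version }
func (c Coordinate) GA() string     { return c.GroupID + ":" + c.ArtifactID }

// Edge is one <dependency> declared in an embedded pom.xml; Graph maps each
// POM's coordinate to the dependencies it declares.
type Edge struct{ To Coordinate; Scope string }
type Graph struct{ Deps map[Coordinate][]Edge }

// Relationship is the enriched parent->child edge for SBOM output. Depth is
// computed during traversal, not stored on the graph; Direct means depth 1.
type Relationship struct{ Parent, Child Coordinate; Scope string; Depth int; Direct bool }

// Resolve walks from root, copying the visited set per branch: a diamond (B->D, C->D)
// records D under both parents, while an edge back to an ancestor on the same branch (a cycle) is skipped.
func (g *Graph) Resolve(root Coordinate) []Relationship {
	var out []Relationship
	var walk func(node Coordinate, depth int, visited map[Coordinate]bool)
	walk = func(node Coordinate, depth int, visited map[Coordinate]bool) {
		branch := make(map[Coordinate]bool, len(visited)+1)
		for k := range visited {
			branch[k] = true
		}
		branch[node] = true
		for _, e := range g.Deps[node] {
			if branch[e.To] {
				continue // cycle on this branch
			}
			out = append(out, Relationship{node, e.To, e.Scope, depth + 1, depth == 0})
			walk(e.To, depth+1, branch)
		}
	}
	walk(root, 0, map[Coordinate]bool{})
	return out
}

// Index is the 3-tier parent lookup: full coordinate, then groupId:artifactId, then artifactId
// alone. An artifactId shared by different GAs is dropped from tier 3 as ambiguous.
type Index struct{ byCoord, byGA, byArt map[string]Coordinate }

func BuildIndex(pkgs []Coordinate) *Index {
	ix := &Index{map[string]Coordinate{}, map[string]Coordinate{}, map[string]Coordinate{}}
	ambiguous := map[string]bool{}
	for _, p := range pkgs {
		ix.byCoord[p.String()], ix.byGA[p.GA()] = p, p
		if prev, ok := ix.byArt[p.ArtifactID]; ok && prev.GA() != p.GA() {
			ambiguous[p.ArtifactID] = true
		}
		if ambiguous[p.ArtifactID] {
			delete(ix.byArt, p.ArtifactID)
		} else {
			ix.byArt[p.ArtifactID] = p
		}
	}
	return ix
}

// Lookup returns the match and the tier that produced it (1..3), or 0 if none.
// A tier-3 hit ignores groupId and should be treated as lower confidence.
func (ix *Index) Lookup(want Coordinate) (Coordinate, int) {
	keys := []string{want.String(), want.GA(), want.ArtifactID}
	for tier, m := range []map[string]Coordinate{ix.byCoord, ix.byGA, ix.byArt} {
		if c, ok := m[keys[tier]]; ok {
			return c, tier + 1
		}
	}
	return Coordinate{}, 0
}

// SampleGraph is constructed input: app -> lib-b, lib-c; both -> lib-d (diamond); lib-d -> lib-b (cycle).
func SampleGraph() (*Graph, Coordinate) {
	app := Coordinate{"com.example", "app", "1.0"}
	b := Coordinate{"org.libs", "lib-b", "2.1"}
	c := Coordinate{"org.libs", "lib-c", "3.0"}
	d := Coordinate{"org.libs", "lib-d", "1.4"}
	deps := map[Coordinate][]Edge{
		app: {{b, "compile"}, {c, "runtime"}},
		b:   {{d, "compile"}}, c: {{d, "compile"}}, d: {{b, "compile"}},
	}
	return &Graph{Deps: deps}, app
}

func main() {
	g, root := SampleGraph()
	for _, r := range g.Resolve(root) {
		fmt.Printf("depth=%d direct=%t %s -> %s (%s)\n", r.Depth, r.Direct, r.Parent.GA(), r.Child.GA(), r.Scope)
	}
	// POM declares lib-d:1.3 but dependency management resolved 1.4: tier 2 matches.
	ix := BuildIndex([]Coordinate{root, {"org.libs", "lib-d", "1.4"}})
	got, tier := ix.Lookup(Coordinate{"org.libs", "lib-d", "1.3"})
	fmt.Println("resolved", got, "via tier", tier)
}
```

Running it prints five relationships: lib-d appears under both lib-b and lib-c at depth 2, and the back edge lib-d -> lib-b is recorded once, on the lib-c branch at depth 3, because on the lib-b branch lib-b is already an ancestor. The part worth watching in a real cataloger is the tier-3 path: an artifactId alone can attach a dependency to the wrong parent across archives, which is why this example refuses ambiguous artifactIds rather than guessing.
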
Miablo added 6 commits May 26, 2026 17:33
Signed-off-by: Diaz-Santiago, Miosotis <themio@themioshow.com>

Development

Successfully merging this pull request may close these issues.

Opt-in hierarchical dependency resolution for Java archives