Currently, there's parallelism between advisory and sbom in terms of labels, hashes, etc.

Looking forward, I see a couple of reasons to pull that commonality into a document table.

1. avoid any skew between hashes we keep for one type of document vs another.
2. support (future) plans to scrobble SigStore for information about all documents (not caring if they're sboms or advisories or...)
3. support rows within the SBOM and Advisory table that are not hooked to a specific document. e.g., if someone is using Trustify to author or augment existing data bits, using human-derived and inputted knowledge.