What would you like to be added:
Align the terminology used to define relationships.
Today, in the Syft internal data model, relationships have the fields `From` and `To`, but the Syft JSON has `Parent` and `Child`. These are all part of the public Syft 1.0 API at this point.

Additional context:
Recently, while adding dependency relationships, I found these confusing to follow due in part to this discrepancy in naming. `From` is mapped to `Parent`, so adding a dependency relationship is: From: PKG-A Dependency-Of To: PKG-B, to indicate PKG-B has a dependency of PKG-A, or PKG-A is a dependency of PKG-B depending on how you prefer to phrase the relationship. However, this maps to Parent: PKG-A and Child: PKG-B, which seems backwards in terms of dependencies: I would consider the "parent" in a dependency relationship to be the one containing the other.

Additionally, if we are modifying relationships, I would strongly encourage considering using a one-to-many relationship model, similar to SPDX 3. I believe this would help to significantly reduce the size of SBOMs but would mean that we would have to invert `Dependency-Of` and only allow for relationship types of similar directionality.

Example from this pseudo-proposal:
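As an added illustration (not the issue author's pseudo-proposal example, and not Syft's own code), the following Go program models the From/To to Parent/Child naming mismatch and the one-to-many grouping proposed above. The type names, the lowercase "dependency-of" string, the "depends-on" inversion used to unify direction, and the PKG-* package names are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
)

type Relationship struct{ From, To, Type string }          // naming of Syft's internal model (hypothetical type)
type JSONRelationship struct{ Parent, Child, Type string } // naming of the Syft JSON (hypothetical type)

// ToJSON is the From -> Parent, To -> Child mapping the issue calls out: "PKG-A dependency-of PKG-B"
// comes out as Parent: PKG-A, Child: PKG-B, which reads backwards for a dependency.
func ToJSON(r Relationship) JSONRelationship {
	return JSONRelationship{Parent: r.From, Child: r.To, Type: r.Type}
}

// Grouped is the one-to-many shape the issue proposes (as in SPDX 3): one subject, many targets.
type Grouped struct {
	From, Type string
	To         []string
}

// Normalize inverts "dependency-of" into the assumed "depends-on" so every edge reads subject -> object,
// the inversion the issue says a one-to-many model would require.
func Normalize(r Relationship) Relationship {
	if r.Type == "dependency-of" {
		return Relationship{From: r.To, To: r.From, Type: "depends-on"}
	}
	return r
}

// Group collapses a flat edge list into one entry per (From, Type); entries are sorted for stable
// output, and targets keep their input order.
func Group(rels []Relationship) []Grouped {
	byKey := map[[2]string][]string{}
	for _, r := range rels {
		n := Normalize(r)
		byKey[[2]string{n.From, n.Type}] = append(byKey[[2]string{n.From, n.Type}], n.To)
	}
	var out []Grouped
	for k, to := range byKey {
		out = append(out, Grouped{From: k[0], Type: k[1], To: to})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].From+out[i].Type < out[j].From+out[j].Type })
	return out
}

func main() {
	// Constructed sample: PKG-B depends on PKG-A and PKG-C, written as two dependency-of edges.
	rels := []Relationship{{"PKG-A", "PKG-B", "dependency-of"}, {"PKG-C", "PKG-B", "dependency-of"}}
	fmt.Printf("%+v\n%+v\n", ToJSON(rels[0]), Group(rels))
}
```

Two flat edges collapse into a single grouped entry, which is the SBOM size reduction the proposal is after.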