CM-59712: add --maven-settings-file to report sbom path command #385

Merged
gotbadger merged 2 commits into cycodehq:main from ronens88:CM-59712/add-maven-settings-to-report-sbom
Feb 18, 2026

CM-59712: add --maven-settings-file to report sbom path command#385
gotbadger merged 2 commits intocycodehq:mainfrom
ronens88:CM-59712/add-maven-settings-to-report-sbom

Conversation

@ronens88 ronens88 (Contributor) commented Feb 16, 2026

Summary

  • Add --maven-settings-file option to report sbom path command so Maven projects can use a custom settings.xml when generating SBOM reports locally
  • Update README to document the new option under the Local Project SBOM section

Why this works

The report sbom path command already runs the same local dependency restore pipeline as scan -t sca path via add_sca_dependencies_tree_documents_if_needed(). The Maven restore handler (RestoreMavenDependencies) reads ctx.obj.get('maven_settings_file') to append -s <path> to the mvn command — this change simply populates that key from a new CLI option.

Call chain:

  1. app callback → ctx.ensure_object(dict) initializes ctx.obj
  2. report_command callback → sets progress_bar
  3. sbom_command callback → sets report_parameters, output_file
  4. path_command → sets ctx.obj['maven_settings_file'] (this PR)
  5. add_sca_dependencies_tree_documents_if_needed() → checks no_restore (defaults False), calls _add_dependencies_tree_documents()
  6. RestoreMavenDependencies.get_commands() → reads self.ctx.obj.get('maven_settings_file'), appends -s <path> to mvn cyclonedx:makeAggregateBom
  7. RestoreMavenDependencies.create_secondary_restore_commands() → same for fallback mvn dependency:tree

This is identical to how the scan command passes the option through — same dict key, same consumer.

Test plan

  • Run cycode report sbom --format spdx-2.3 path --maven-settings-file /path/to/settings.xml /path/to/maven-project and verify the custom settings file is used during Maven dependency restore
  • Run cycode report sbom --format spdx-2.3 path /path/to/maven-project without the flag and verify default behavior is unchanged
  • Run cycode report sbom path --help and verify --maven-settings-file appears under "SCA options"

Co-authored-by: Cursor <cursoragent@cursor.com>
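The call chain in the description can be read as a single dict handed down through nested Click callbacks. The block below is an added, stdlib-only Python model of that hand-off; it is not cycode-cli's code, and every name in it (app_callback, report_callback, sbom_callback, path_command, MavenRestore, restore_commands, run_chain, demo) is hypothetical. It shows the three things a reviewer would want to see: the leaf command writes the same 'maven_settings_file' key the restore step reads, both the primary cyclonedx:makeAggregateBom command and the fallback dependency:tree command receive -s <path> as separate argv elements, and no_restore short-circuits the restore entirely. The file-existence check in path_command is an added practitioner check, not something the PR describes.

```python
"""Model of the ctx.obj hand-off: the leaf ``path`` command stores
``maven_settings_file`` in a dict shared by the nested command callbacks,
and the Maven restore step reads that key to append ``-s <path>``.
Added example, not cycode-cli's own code; all names here are hypothetical."""
from __future__ import annotations

import shlex
import tempfile
from pathlib import Path
from typing import Optional


def app_callback() -> dict:
    """Step 1: the root group initialises the shared context dict."""
    return {}


def report_callback(ctx_obj: dict) -> None:
    """Step 2: the ``report`` group records its own state."""
    ctx_obj['progress_bar'] = True


def sbom_callback(ctx_obj: dict, fmt: str, output_file: Optional[str] = None) -> None:
    """Step 3: the ``sbom`` group records report parameters."""
    ctx_obj['report_parameters'] = {'format': fmt}
    ctx_obj['output_file'] = output_file


def path_command(ctx_obj: dict, maven_settings_file: Optional[str] = None) -> None:
    """Step 4: the leaf command stores the option under the key the restore
    handler already reads. The existence check is an added practitioner
    check: fail early instead of letting mvn fail later with a vaguer error."""
    if maven_settings_file is not None and not Path(maven_settings_file).is_file():
        raise FileNotFoundError(f'Maven settings file not found: {maven_settings_file}')
    ctx_obj['maven_settings_file'] = maven_settings_file


class MavenRestore:
    """Hypothetical stand-in for the restore handler that consumes ctx.obj."""

    def __init__(self, ctx_obj: dict) -> None:
        self.ctx_obj = ctx_obj

    def _with_settings(self, argv: list[str]) -> list[str]:
        settings = self.ctx_obj.get('maven_settings_file')
        if settings:
            # argv list form: the path is one argument and is never re-parsed
            # by a shell, so spaces or metacharacters in it stay inert
            argv = [*argv, '-s', settings]
        return argv

    def get_commands(self) -> list[str]:
        """Primary restore: CycloneDX aggregate BOM."""
        return self._with_settings(['mvn', 'cyclonedx:makeAggregateBom'])

    def create_secondary_restore_commands(self) -> list[str]:
        """Fallback restore: dependency tree."""
        return self._with_settings(['mvn', 'dependency:tree'])


def restore_commands(ctx_obj: dict) -> list[list[str]]:
    """Steps 5-7: skip when ``no_restore`` is set (defaults False), otherwise
    return the primary command followed by the fallback."""
    if ctx_obj.get('no_restore', False):
        return []
    restore = MavenRestore(ctx_obj)
    return [restore.get_commands(), restore.create_secondary_restore_commands()]


def run_chain(maven_settings_file: Optional[str] = None, no_restore: bool = False) -> list[list[str]]:
    """Drive the callbacks in the order the CLI invokes them."""
    ctx_obj = app_callback()
    report_callback(ctx_obj)
    sbom_callback(ctx_obj, 'spdx-2.3')
    path_command(ctx_obj, maven_settings_file)
    ctx_obj['no_restore'] = no_restore
    return restore_commands(ctx_obj)


def demo() -> dict:
    """Exercise the chain with and without the flag against a constructed,
    throwaway settings.xml; return the argv lists for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        settings = str(Path(tmp) / 'settings.xml')
        Path(settings).write_text('<settings/>')  # constructed sample file
        with_flag = run_chain(settings)
    return {
        'settings': settings,
        'with_flag': with_flag,
        'without_flag': run_chain(None),
        'skipped': run_chain(None, no_restore=True),
    }


if __name__ == '__main__':
    for argv in demo()['with_flag']:
        print(shlex.join(argv))
```

Two caveats worth keeping in mind when wiring this up for real: build the mvn invocation as an argv list and never as a shell string, so a settings path taken from the command line cannot be re-interpreted by a shell; and note that mvn -s replaces only the user settings file, while the global settings (-gs) are still read, so a restricted repository or mirror configured in -s does not on its own stop Maven from consulting whatever the installation-level settings define.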
@ronens88 ronens88 force-pushed the CM-59712/add-maven-settings-to-report-sbom branch from f31f24f to 08ca4d0 on February 16, 2026 15:59
@gotbadger gotbadger merged commit b3ae1da into cycodehq:main Feb 18, 2026
26 checks passed