
[FEATURE] library mode

Open jkowalleck opened this issue 6 months ago • 0 comments

Is your feature request related to a problem? Please describe.

If I build an SBOM for a library, I do not want to have non-bundled components listed as if they were concrete. These dependencies are extraneous/"external" and their version is not clear - it is resolved at install time. Also, transitive dependencies of those are not clear until install time.

This should be reflected in the SBOM.

Describe the solution you'd like

Spec: https://github.com/CycloneDX/specification/issues/321

Add an option to have

  • only the bundled dependencies and the direct dependencies as components in the SBOM result.
  • non-bundled components must have no version.
  • non-bundled components must have a version range - specification#321
  • non-bundled are marked as "external" - specification#321
  • the dependency composition completeness is set to "incomplete_first_party_only" - see https://cyclonedx.org/guides/OWASP_CycloneDX-Authoritative-Guide-to-SBOM-en.pdf page 59

option could be called (list of ideas)

  • --library-mode
  • --mark-extraneous/--mark-externals
  • --bundled-only
  • add your idea in the comments

new option MUST imply --omit dev

new option MUST be disabled by default

new option MUST be marked as experimental in the help page

new option might set `--mc-type=library`

Describe alternatives you've considered

  • we could make it so that the existing option `--mc-type=library` causes this behaviour by default, but that would be a breaking change

Additional context

for libraries, non-bundled components are "external" - this is discussed in specification#321

package.json knows the concept of

  • platform-dependencies -- #435
  • direct-dependencies
  • dev-dependencies - no intention to be shipped; might shadow all of the above at build time

Contribution

  • [ ] I am willing to provide an implementation
  • [x] I will wait until somebody else implements it

jkowalleck · May 13 '25 11:05
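As an added illustration (not code from cyclonedx-php-composer or from the issue author), the SBOM shape the bullets above describe, built in PHP from a constructed composer.json: direct non-dev requirements only, no concrete versions, composition completeness `incomplete_first_party_only`. The `pkg:composer/` purl/bom-ref scheme is an assumption, and the "external" marking is left out because it depends on specification#321.

```php
<?php
// Added illustration, not cyclonedx-php-composer code: the "library mode" SBOM
// shape requested above, built from a constructed composer.json. Direct non-dev
// package requirements become version-less components and composition completeness
// is "incomplete_first_party_only"; the "external" marking awaits specification#321.

function isPlatformRequirement(string $name): bool
{
    // php, ext-*, lib-* and composer-* entries are platform requirements, not packages
    return $name === 'php'
        || str_starts_with($name, 'ext-')
        || str_starts_with($name, 'lib-')
        || str_starts_with($name, 'composer-');
}

function buildLibraryModeSbom(array $composerJson): array
{
    $components = [];
    // "--omit dev" is implied: "require-dev" is never consulted
    foreach ($composerJson['require'] ?? [] as $name => $constraint) {
        if (isPlatformRequirement($name)) {
            continue;
        }
        $components[] = [
            'type' => 'library',
            'bom-ref' => 'pkg:composer/' . $name,
            'name' => $name,
            'purl' => 'pkg:composer/' . $name,
            // no "version" key: $constraint is only a range, the installed version is unknown
        ];
    }
    return [
        'bomFormat' => 'CycloneDX',
        'specVersion' => '1.4',
        'metadata' => ['component' => ['type' => 'library', 'name' => $composerJson['name']]],
        'components' => $components,
        'compositions' => [[
            'aggregate' => 'incomplete_first_party_only',
            'dependencies' => array_column($components, 'bom-ref'),
        ]],
    ];
}

// constructed sample input: two platform requirements, one package, one dev-only package
$composerJson = [
    'name' => 'acme/example-lib',
    'require' => ['php' => '^8.1', 'ext-json' => '*', 'psr/log' => '^3.0'],
    'require-dev' => ['phpunit/phpunit' => '^10'],
];
echo json_encode(buildLibraryModeSbom($composerJson), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

With the sample input only `psr/log` appears as a component, without a `version`, and `phpunit/phpunit` is dropped as a dev dependency.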