
Feature: detect shipped vs non shipped dependency => generate version-less component when not shipped

Open hboutemy opened this issue 9 months ago • 9 comments

Based on multiple issues reported by users with SBOMs generated at build time by cyclonedx-maven-plugin until now vs what is really used at runtime (#472, #588, #357),

I opened a draft proposal https://github.com/CycloneDX/specification/pull/578

that led to a two-sided conclusion:

  • no need to update the CycloneDX spec
  • but build-time generators need to detect whether a dependency is really shipped (as in Maven shade or assembly or war or fat jar or executable jar...) or not (as in classical library dependencies, or provided scope when building a Maven plugin or Jenkins plugin or ...): if not shipped, it's more accurate to generate a version-less CycloneDX component

Version-less CycloneDX components will let SBOM users know that they'll get an effective version decided by the build tool when they consume the library, as Maven (or Gradle or SBT) will resolve all dependencies and, when solving conflicts, will choose the effective consume-time version.

Version-less CycloneDX components will avoid reporting vulnerabilities from dependencies to library or plugin OSS projects that do not affect them per se, but only consumers, if they did not get an updated version at runtime.

Now that this logic has been established, we need to implement it: how to detect shipped vs non-shipped dependencies in a Maven build (eventually multi-module)?

hboutemy · Jan 30 '25 08:01
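To make the "shipped vs non-shipped" distinction concrete, here is an added worked example (not code from the issue, the CycloneDX specification PR or cyclonedx-maven-plugin itself). It classifies the direct dependencies of a single Maven module with an assumed heuristic: a dependency is shipped only when the module's own artifact bundles it (war/ear packaging, or a shade, assembly or Spring Boot repackaging plugin is declared) and its scope is compile or runtime; provided/test/system dependencies and plain-jar library dependencies are emitted as version-less CycloneDX components, whose purl also drops the `@version` suffix. The two POMs, the plugin and scope lists, and the choice to drop test-scoped dependencies entirely are constructed assumptions of this example, and multi-module inheritance is not handled.

```python
"""Heuristic 'shipped vs non-shipped' classifier for Maven dependencies.

Assumed rule (not the plugin's own logic): a dependency is shipped only when
the module's own artifact bundles it (war/ear packaging, or a shade/assembly/
Spring Boot repackaging plugin is declared) and its scope is compile or runtime.
Everything else is emitted as a version-less CycloneDX component.
"""
import json
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Assumed indicators that the module bundles its dependencies into its artifact.
BUNDLING_PACKAGINGS = {"war", "ear"}
BUNDLING_PLUGINS = {"maven-shade-plugin", "maven-assembly-plugin", "spring-boot-maven-plugin"}
NEVER_SHIPPED_SCOPES = {"provided", "test", "system"}

# Constructed sample POMs (not from the issue or the plugin's test suite).
LIBRARY_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>mylib</artifactId><version>1.0.0</version>
  <packaging>jar</packaging>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
      <version>2.15.2</version></dependency>
    <dependency><groupId>org.apache.maven</groupId><artifactId>maven-core</artifactId>
      <version>3.9.6</version><scope>provided</scope></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId>
      <version>4.13.2</version><scope>test</scope></dependency>
  </dependencies>
</project>"""

FATJAR_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>myapp</artifactId><version>1.0.0</version>
  <packaging>jar</packaging>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId>
      <version>2.15.2</version></dependency>
    <dependency><groupId>javax.servlet</groupId><artifactId>javax.servlet-api</artifactId>
      <version>4.0.1</version><scope>provided</scope></dependency>
  </dependencies>
  <build><plugins>
    <plugin><groupId>org.apache.maven.plugins</groupId><artifactId>maven-shade-plugin</artifactId></plugin>
  </plugins></build>
</project>"""


def _text(elem, tag, default=None):
    child = elem.find(POM_NS + tag)
    return child.text.strip() if child is not None and child.text else default


def parse_pom(pom_xml):
    """Return packaging, declared build plugins and direct dependencies of one module."""
    root = ET.fromstring(pom_xml)
    plugins = {_text(p, "artifactId")
               for p in root.iterfind(f"{POM_NS}build/{POM_NS}plugins/{POM_NS}plugin")}
    deps = [{"group": _text(d, "groupId"), "name": _text(d, "artifactId"),
             "version": _text(d, "version"), "scope": _text(d, "scope", "compile")}
            for d in root.iterfind(f"{POM_NS}dependencies/{POM_NS}dependency")]
    return {"packaging": _text(root, "packaging", "jar"), "plugins": plugins, "dependencies": deps}


def module_bundles_dependencies(pom):
    """True when the module's artifact carries its dependencies (assumed indicators)."""
    return pom["packaging"] in BUNDLING_PACKAGINGS or bool(pom["plugins"] & BUNDLING_PLUGINS)


def is_shipped(dep, pom):
    """provided/test/system are never shipped; compile/runtime only if the module bundles."""
    if dep["scope"] in NEVER_SHIPPED_SCOPES:
        return False
    return module_bundles_dependencies(pom)


def to_component(dep, shipped):
    """CycloneDX component; version and the purl '@version' suffix only when shipped."""
    purl = f"pkg:maven/{dep['group']}/{dep['name']}"
    comp = {"type": "library", "group": dep["group"], "name": dep["name"]}
    if shipped:
        comp["version"] = dep["version"]
        purl += f"@{dep['version']}"
    comp["purl"] = purl
    comp["bom-ref"] = purl
    return comp


def build_components(pom_xml):
    """Test-scoped dependencies are dropped (assumed choice); the rest are classified."""
    pom = parse_pom(pom_xml)
    return [to_component(d, is_shipped(d, pom))
            for d in pom["dependencies"] if d["scope"] != "test"]


def summarize(pom_xml):
    """Map 'group:name' -> version, or None for a version-less component."""
    return {f"{c['group']}:{c['name']}": c.get("version") for c in build_components(pom_xml)}


if __name__ == "__main__":
    for label, pom in (("library", LIBRARY_POM), ("fat jar", FATJAR_POM)):
        print(label, json.dumps(build_components(pom), indent=2))
```

Running it shows the two outcomes side by side: the plain-jar library emits jackson-databind and maven-core with no `version` and a purl of the form `pkg:maven/group/name`, while the shaded application emits jackson-databind with `version` 2.15.2 and a full purl, and still emits its provided servlet API dependency version-less. A real implementation would have to inspect effective POMs and plugin executions rather than the raw XML, and follow the reactor in a multi-module build.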