scancode-toolkit
Add support for luarocks spec
Hello Scancode Team,
I wanted to generate an SBOM for my Kong source code using the scancode tool, but the output generated by the tool contains very few components (maybe just 2 or 3), while the json-pp output contains many entries (it also scans all the Lua files).
URL of the source code: https://github.com/Kong/kong/tree/3.3.0
Command which I used to scan the source code and generate the SBOM:
scancode -n 12 -ip kong/ --json-pp kong-3.3.0.json --cyclonedx kong-3.3.0_cdxSBOM.json --classify --summary --consolidate --full-root --mark-source
For the reference, I am attaching the SBOM as well as the jsonpp output.
kong-3.3.0.txt kong-3.3.0_cdxSBOM.txt
Can you please have a look at this issue?
Note: we need to add support for LuaRocks rockspecs (https://luarocks.org/), including spec files such as https://github.com/Kong/kong/blob/master/kong-3.5.0-0.rockspec. See also https://github.com/nexB/scancode-toolkit/issues/3249#issuecomment-1738940171
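As an added illustration of what rockspec support would involve, below is a small reader written for this page (it is not scancode-toolkit's own parser, and the sample rockspec is constructed: its field names are the standard rockspec ones, but the dependency names, versions and URLs are illustrative rather than copied from the real kong rockspec). A rockspec is a Lua file, so this reader uses a line-and-brace heuristic over the conventional flat layout rather than evaluating Lua; the `luarocks:constraint` CycloneDX property name is an assumption made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of a Kong-style rockspec (illustrative values).
SAMPLE_ROCKSPEC = r'''
package = "kong"
version = "3.5.0-0"
source = {
  url = "git+https://github.com/Kong/kong.git",
  tag = "3.5.0"
}
description = {
  homepage = "https://konghq.com",
  license = "Apache 2.0"
}
dependencies = {
  "inspect == 3.1.3",
  "luasec == 1.3.2",
  "luasocket == 3.0-rc1",
  "penlight == 1.13.1",
  "lua-resty-http ~> 0.17",
  "lua >= 5.1, < 5.4",
}
'''


@dataclass
class Dependency:
    name: str
    constraints: list[str] = field(default_factory=list)


@dataclass
class RockPackage:
    name: str
    version: str
    homepage: Optional[str] = None
    license: Optional[str] = None
    source_url: Optional[str] = None
    dependencies: list[Dependency] = field(default_factory=list)

    @property
    def purl(self) -> str:
        # "luarocks" is a registered Package URL type.
        return f"pkg:luarocks/{self.name}@{self.version}"


# Heuristics: published rockspecs use a flat `key = "value"` / `key = { ... }`
# layout at column 0; this is not a Lua interpreter.
_TOP_LEVEL_STRING = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$', re.MULTILINE)
_KEY_VALUE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
_QUOTED = re.compile(r'"([^"]*)"')
_DEP = re.compile(r'^\s*([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(.*?)\s*$')


def _table_body(text: str, name: str) -> Optional[str]:
    """Text inside the braces of a top-level `name = { ... }`, tracking nesting
    (braces inside string literals are not special-cased)."""
    m = re.search(r'^' + re.escape(name) + r'\s*=\s*\{', text, re.MULTILINE)
    if m is None:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError(f"unterminated table {name!r}")


def parse_dependency(spec: str) -> Dependency:
    """Split 'name op version[, op version...]' into a name and constraint list."""
    m = _DEP.match(spec)
    if m is None:
        raise ValueError(f"unparseable dependency {spec!r}")
    constraints = [c.strip() for c in m.group(2).split(',') if c.strip()]
    return Dependency(name=m.group(1), constraints=constraints)


def parse_rockspec(text: str) -> RockPackage:
    scalars = dict(_TOP_LEVEL_STRING.findall(text))
    for required in ("package", "version"):
        if required not in scalars:
            raise ValueError(f"rockspec missing top-level {required!r}")
    description = dict(_KEY_VALUE.findall(_table_body(text, "description") or ""))
    source = dict(_KEY_VALUE.findall(_table_body(text, "source") or ""))
    deps = [parse_dependency(s) for s in _QUOTED.findall(_table_body(text, "dependencies") or "")]
    return RockPackage(name=scalars["package"], version=scalars["version"],
                       homepage=description.get("homepage"), license=description.get("license"),
                       source_url=source.get("url"), dependencies=deps)


def to_cyclonedx(pkg: RockPackage) -> dict:
    """CycloneDX-shaped dict: one component for the rock, one per declared dependency,
    plus a dependency-graph entry. Declared constraints are not resolved versions,
    so dependency purls carry no version; the property name is illustrative."""
    components = [{"type": "library", "name": pkg.name, "version": pkg.version,
                   "purl": pkg.purl, "bom-ref": pkg.purl}]
    depends_on = []
    for d in pkg.dependencies:
        ref = f"pkg:luarocks/{d.name}"
        components.append({"type": "library", "name": d.name, "bom-ref": ref,
                           "properties": [{"name": "luarocks:constraint", "value": c}
                                          for c in d.constraints]})
        depends_on.append(ref)
    return {"components": components,
            "dependencies": [{"ref": pkg.purl, "dependsOn": depends_on}]}
```

Only direct dependencies are declared in a rockspec; the transitive graph would have to come from resolving each dependency's own rockspec (or from an installed rocks tree), which is the part a scanner would still need to add on top of this.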
The balance between too many file details vs. just the packages is not trivial to achieve. Based on the JSON output, what would you like to see in the CycloneDX output?
Our objective is to get the Lua component entries and their transitive dependencies in the CycloneDX output.