Track Dependency Types in CycloneDX SBOMs
Proposal
Continuing the discussion from Types of dependencies, we need the ability to track dependency types in CycloneDX SBOMs.
We can leverage the properties of the SBOM component to collect all the scopes/groups in which a component is used. This effectively flattens the dependency graph: rather than recording the path by which a component is reached, each component carries the set of scopes it appears in.
We can repeat the same property name multiple times, once per dependency scope/group, to track all of them. See https://cyclonedx.org/use-cases/#properties--name-value-store, for example:
{
  "components": [
    {
      "name": "antlr/antlr",
      "version": "2.7.7",
      "purl": "pkg:gradle/antlr/antlr@2.7.7",
      "type": "library",
      "bom-ref": "pkg:gradle/antlr/antlr@2.7.7",
      "properties": [
        {
          "name": "gitlab:dependency_scanning:category",
          "value": "compile"
        },
        {
          "name": "gitlab:dependency_scanning:category",
          "value": "testCompile"
        }
      ]
    }
  ]
}
Please see the GitLab CycloneDX Property Taxonomy for the official structure of the properties keys.
This issue is necessary in order to support Add variable to ignore development, test depend... (&2743).
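As an added illustration (not part of this issue and not GitLab's own code), the following Python reads an SBOM shaped like the example above, collects the repeated gitlab:dependency_scanning:category values per component, and applies the kind of scope filter the linked epic asks for. The embedded SBOM is constructed for the example: the junit and legacy components, and any scope name other than compile and testCompile, are assumptions. A component with no recorded category is deliberately kept, so that a scanner which did not emit the property cannot silently hide a dependency.

```python
import json

# Property name proposed in this issue; one entry per scope/group the
# component is used in, so the same name may appear several times.
CATEGORY_PROPERTY = "gitlab:dependency_scanning:category"

# Constructed sample SBOM (hypothetical project, not real scanner output).
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {
      "name": "antlr/antlr", "version": "2.7.7", "type": "library",
      "purl": "pkg:gradle/antlr/antlr@2.7.7",
      "bom-ref": "pkg:gradle/antlr/antlr@2.7.7",
      "properties": [
        {"name": "gitlab:dependency_scanning:category", "value": "compile"},
        {"name": "gitlab:dependency_scanning:category", "value": "testCompile"}
      ]
    },
    {
      "name": "junit/junit", "version": "4.13.2", "type": "library",
      "purl": "pkg:gradle/junit/junit@4.13.2",
      "bom-ref": "pkg:gradle/junit/junit@4.13.2",
      "properties": [
        {"name": "gitlab:dependency_scanning:category", "value": "testCompile"},
        {"name": "some:other:property", "value": "ignored"}
      ]
    },
    {
      "name": "example/legacy", "version": "1.0.0", "type": "library",
      "purl": "pkg:gradle/example/legacy@1.0.0",
      "bom-ref": "pkg:gradle/example/legacy@1.0.0"
    }
  ]
}
"""


def load_sbom(text):
    """Parse CycloneDX JSON text into a dict."""
    return json.loads(text)


def component_ref(comp):
    """Stable identifier for a component: bom-ref, else purl, else name."""
    return comp.get("bom-ref") or comp.get("purl") or comp["name"]


def component_scopes(sbom):
    """Map each component ref to the set of scopes/groups it is used in.

    Every property with the category name contributes one scope; other
    properties are ignored. Components without the property map to an
    empty set, which callers must treat as 'scope unknown'."""
    scopes = {}
    for comp in sbom.get("components", []):
        found = {
            prop["value"]
            for prop in comp.get("properties", [])
            if prop.get("name") == CATEGORY_PROPERTY and "value" in prop
        }
        scopes[component_ref(comp)] = found
    return scopes


def components_without_scope(sbom):
    """Refs of components that carry no category at all (useful as a check
    that the scanner actually emitted the property for every component)."""
    return sorted(ref for ref, found in component_scopes(sbom).items() if not found)


def reportable_components(sbom, ignored_scopes):
    """Refs of components that remain in scope when the given scopes are ignored.

    A component is dropped only if every scope it appears in is ignored;
    a component used in both compile and testCompile therefore stays when
    only testCompile is ignored, and a component with no recorded scope is
    kept rather than silently suppressed."""
    ignored = set(ignored_scopes)
    kept = []
    for ref, found in component_scopes(sbom).items():
        if found and found <= ignored:
            continue
        kept.append(ref)
    return sorted(kept)


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    print("scopes:", component_scopes(sbom))
    print("missing scope:", components_without_scope(sbom))
    print("reported when testCompile is ignored:",
          reportable_components(sbom, {"testCompile"}))
```

Because the filter only drops a component whose scopes are all ignored, the same code works unchanged for other build tools whose scope names differ (Maven's test, npm's devDependencies); only the set passed as ignored_scopes changes.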
Edited by Adam Cohen