
Encode dependency capability map in SBOM

What

We currently provide a dependency list to our ingestion pipeline via Dependency Scanning by using an SBOM, but it can be challenging to track the specific level of support for a given package manager.

It would be ideal if we could include in the SBOM some data describing the expected capabilities. E.g.:

  • direct vs transitive
  • dependencies available
  • dependency graph available

So for gradle/nebula we would get 011, and for npm lockfile v1 we would get 100. See this epic for the full mapping of current direct/indirect support.

This could be used to better surface known limitations or errors in the UI programmatically, e.g.:

  • "warning: we've reached max depth of 20, so we stopped traversing paths"
  • "warning: these paths may be incomplete because you're using package manager XYZ"
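As an added illustration (not code from this issue or from GitLab), the following Python shows one way the three-bit capability map could be encoded into a CycloneDX SBOM and read back to drive the warnings above. It assumes the bit order listed in the proposal (direct vs transitive, dependencies available, dependency graph available, most significant bit first), a hypothetical property name `gitlab:dependency_scanning:capabilities` stored under CycloneDX `metadata.properties`, and a constructed minimal SBOM document; none of these are defined by the issue.

```python
from __future__ import annotations

import copy
import json

# Bit positions in the capability map, in the order the proposal lists them
# (most significant bit first): "011" means dependencies and graph available
# but no direct/transitive distinction; "100" means only the distinction.
FLAGS = ("direct_vs_transitive", "dependencies_available", "dependency_graph_available")

# Hypothetical property name (an assumption, not a GitLab- or CycloneDX-defined key).
PROPERTY_NAME = "gitlab:dependency_scanning:capabilities"


def encode_capabilities(**caps: bool) -> str:
    """Return the 3-character bitstring for the given capability flags."""
    unknown = set(caps) - set(FLAGS)
    if unknown:
        raise ValueError(f"unknown capability flags: {sorted(unknown)}")
    return "".join("1" if caps.get(flag, False) else "0" for flag in FLAGS)


def decode_capabilities(bits: str) -> dict[str, bool]:
    """Validate a bitstring and expand it into named boolean flags."""
    if len(bits) != len(FLAGS) or any(c not in "01" for c in bits):
        raise ValueError(f"capability map must be {len(FLAGS)} binary digits, got {bits!r}")
    return {flag: bit == "1" for flag, bit in zip(FLAGS, bits)}


def attach_to_sbom(sbom: dict, bits: str) -> dict:
    """Record the capability map as a CycloneDX metadata property (metadata.properties exists from CycloneDX 1.4)."""
    decode_capabilities(bits)  # reject malformed maps before writing them
    props = sbom.setdefault("metadata", {}).setdefault("properties", [])
    props = [p for p in props if p.get("name") != PROPERTY_NAME]  # replace any stale entry
    props.append({"name": PROPERTY_NAME, "value": bits})
    sbom["metadata"]["properties"] = props
    return sbom


def read_from_sbom(sbom: dict) -> dict[str, bool] | None:
    """Return the decoded capability map, or None when the SBOM carries none."""
    for prop in sbom.get("metadata", {}).get("properties", []):
        if prop.get("name") == PROPERTY_NAME:
            return decode_capabilities(prop["value"])
    return None


def limitations(sbom: dict, package_manager: str,
                depth_reached: int | None = None, max_depth: int = 20) -> list[str]:
    """Derive the UI warnings the proposal describes from the capability map and traversal state."""
    warnings: list[str] = []
    if depth_reached is not None and depth_reached >= max_depth:
        warnings.append(f"warning: we've reached max depth of {max_depth}, so we stopped traversing paths")
    caps = read_from_sbom(sbom)
    if caps is None:
        warnings.append(f"warning: no capability map in SBOM; support for {package_manager} is unknown")
        return warnings
    if not caps["dependency_graph_available"]:
        warnings.append(f"warning: these paths may be incomplete because you're using package manager {package_manager}")
    if not caps["direct_vs_transitive"]:
        warnings.append(f"warning: {package_manager} does not distinguish direct from transitive dependencies")
    if not caps["dependencies_available"]:
        warnings.append(f"warning: {package_manager} reports no dependency list")
    return warnings


# Constructed sample: a minimal CycloneDX document standing in for scanner output.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"tools": [{"name": "example-scanner"}]},
    "components": [],
}

if __name__ == "__main__":
    for pm, bits in (("gradle/nebula", "011"), ("npm lockfile v1", "100")):
        sbom = attach_to_sbom(copy.deepcopy(SAMPLE_SBOM), bits)
        print(json.dumps(sbom["metadata"]["properties"]))
        for line in limitations(sbom, pm, depth_reached=20):
            print(" ", line)
```

Keeping the map in `metadata.properties` rather than on each component means a consumer can decide how much to trust the whole document before it walks a single dependency path, and a missing property is itself a signal worth surfacing.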
Edited by Lucas Charles