
Fix dependencies concealed during BOM creation, aligning more closely with the dependency graph #256

Merged
merged 9 commits into from Feb 10, 2023

Conversation

knrc
Contributor

@knrc knrc commented Jan 8, 2023

This PR addresses the issues discussed in this article, I'm opening this as a forum for discussion.

@knrc knrc force-pushed the trustification_pr branch 3 times, most recently from b953d12 to 0dc02a0 Compare January 8, 2023 19:13
@stevespringett
Member

stevespringett commented Jan 23, 2023

@knrc I'm testing with WebGoat 8.0.0 and noticed that, with this PR, I'm missing some components. The components that I'm missing are:

    {
      "group" : "com.google.guava",
      "name" : "guava",
      "version" : "25.0-jre",
      "description" : "Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.",
      "hashes" : [...],
      "licenses" : [...],
      "purl" : "pkg:maven/com.google.guava/guava@25.0-jre?type=jar",
      "externalReferences" : [...],
      "type" : "library",
      "bom-ref" : "pkg:maven/com.google.guava/guava@25.0-jre?type=jar"
    },
    {
      "group" : "com.google.code.findbugs",
      "name" : "jsr305",
      "version" : "1.3.9",
      "description" : "JSR305 Annotations for Findbugs",
      "hashes" : [...],
      "licenses" : [...],
      "purl" : "pkg:maven/com.google.code.findbugs/jsr305@1.3.9?type=jar",
      "externalReferences" : [...],
      "type" : "library",
      "bom-ref" : "pkg:maven/com.google.code.findbugs/jsr305@1.3.9?type=jar"
    },
    {
      "group" : "org.checkerframework",
      "name" : "checker-compat-qual",
      "version" : "2.0.0",
      "description" : "Checker Qual is the set of annotations (qualifiers) and supporting classes used by the Checker Framework to type check Java source code. Please see artifact: org.checkerframework:checker",
      "hashes" : [...],
      "licenses" : [...],
      "purl" : "pkg:maven/org.checkerframework/checker-compat-qual@2.0.0?type=jar",
      "externalReferences" : [...],
      "type" : "library",
      "bom-ref" : "pkg:maven/org.checkerframework/checker-compat-qual@2.0.0?type=jar"
    },
    {
      "group" : "com.google.errorprone",
      "name" : "error_prone_annotations",
      "version" : "2.1.3",
      "description" : "Sonatype helps open source projects to set up Maven repositories on https://oss.sonatype.org/",
      "hashes" : [...],
      "licenses" : [...],
      "purl" : "pkg:maven/com.google.errorprone/error_prone_annotations@2.1.3?type=jar",
      "externalReferences" : [...],
      "type" : "library",
      "bom-ref" : "pkg:maven/com.google.errorprone/error_prone_annotations@2.1.3?type=jar"
    },
    {
      "group" : "com.google.j2objc",
      "name" : "j2objc-annotations",
      "version" : "1.1",
      "description" : "A set of annotations that provide additional information to the J2ObjC translator to modify the result of translation.",
      "hashes" : [...],
      "licenses" : [...],
      "purl" : "pkg:maven/com.google.j2objc/j2objc-annotations@1.1?type=jar",
      "externalReferences" : [...],
      "type" : "library",
      "bom-ref" : "pkg:maven/com.google.j2objc/j2objc-annotations@1.1?type=jar"
    },
    {
      "publisher" : "Codehaus",
      "group" : "org.codehaus.mojo",
      "name" : "animal-sniffer-annotations",
      "version" : "1.14",
      "description" : "Animal Sniffer Parent project.",
      "hashes" : [...],
      "licenses" : [...],
      "purl" : "pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.14?type=jar",
      "externalReferences" : [...],
      "type" : "library",
      "bom-ref" : "pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.14?type=jar"
    },
    {
      "publisher" : "The Apache Software Foundation",
      "group" : "commons-io",
      "name" : "commons-io",
      "version" : "2.8.0",
      "description" : "The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.",
      "hashes" : [...],
      "licenses" : [...],
      "purl" : "pkg:maven/commons-io/commons-io@2.8.0?type=jar",
      "externalReferences" : [...],
      "type" : "library",
      "bom-ref" : "pkg:maven/commons-io/commons-io@2.8.0?type=jar"
    }

Some of these make sense, but it's interesting that commons-io and guava have been removed. I'm not sure if that's accurate or not. Will need to investigate.

@knrc
Contributor Author

knrc commented Jan 24, 2023

@knrc I'm testing with WebGoat 8.0.0 and noticed that, with this PR, I'm missing some components. The components that I'm missing are:

...

Some of these make sense, but it's interesting that commons-io and guava have been removed. I'm not sure if that's accurate or not. Will need to investigate.

I will take a look today, I can hazard a guess as to why but will verify.

@hboutemy
Contributor

hboutemy commented Feb 9, 2023

IIUC, it is not about a component being missed from the resulting BOM components list = https://cyclonedx.org/docs/1.4/json/#components
But it is about the BOM dependencies description missing one reference = https://cyclonedx.org/docs/1.4/json/#dependencies

And this is because Maven overriding rules during dependency resolution only try to catch what effective version of a library will be kept (then intentionally omit versions that are overridden), while SBOM dependencies try to catch all relations to the library, even in case of version overriding.

Nice subtle difference between the Maven dependency tree (focused on resolution) and SBOM dependency relationships on cases like:

A
├── B
│   └── D 2.0
└── D 1.0

I think this will impact the terms we should use in code and messages to describe the situation, to match terms used by dependency:tree (like "omitted for duplicate"), to have a chance to keep an understanding of the CycloneDX dependencies algorithm vs the Maven dependency tree resolution
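To make the difference concrete, here is an added example (constructed for this discussion, not code from the cyclonedx-maven-plugin) that runs Maven-style nearest-wins mediation over hboutemy's tree and then builds the CycloneDX `dependencies` entries, keeping the B -> D edge but pointing it at the resolved bom-ref, which is what the "updated to match the resolved version" commit in this PR aims for. Artifact names, versions and the purl layout are constructed sample input.

```python
from collections import deque

# Constructed sample input mirroring the tree in the comment above:
# A depends on B and D:1.0, B depends on D:2.0.
DECLARED = {
    ("A", "1.0"): [("B", "1.0"), ("D", "1.0")],
    ("B", "1.0"): [("D", "2.0")],
    ("D", "1.0"): [],
    ("D", "2.0"): [],
}


def purl(ga, version):
    """Constructed purl/bom-ref shape; real purls carry group and type qualifiers."""
    return f"pkg:maven/{ga}@{version}"


def maven_resolve(root):
    """Nearest-wins mediation: breadth-first, the first version seen for an
    artifact is kept; any other version met later is 'omitted for conflict',
    which is what dependency:tree reports for B -> D:2.0 here."""
    resolved, omitted, queue = {}, [], deque([root])
    while queue:
        ga, ver = node = queue.popleft()
        if ga in resolved:
            if resolved[ga] != ver:
                omitted.append((node, resolved[ga]))  # (dropped node, winner)
            continue
        resolved[ga] = ver
        queue.extend(DECLARED[node])
    return resolved, omitted


def cyclonedx_dependencies(root, resolved):
    """Build the 'dependencies' section: every resolved component keeps all of
    its declared edges, and each edge is rewritten to the resolved bom-ref
    instead of being dropped along with the omitted version."""
    deps, stack, visited = {}, [root], set()
    while stack:
        ga, ver = node = stack.pop()
        if ga in visited:
            continue
        visited.add(ga)
        refs = []
        for child_ga, _declared_ver in DECLARED[node]:
            refs.append(purl(child_ga, resolved[child_ga]))
            stack.append((child_ga, resolved[child_ga]))  # follow the winner
        deps[purl(ga, ver)] = refs
    return deps
```

Running `maven_resolve(("A", "1.0"))` keeps D:1.0 and omits D:2.0, yet `cyclonedx_dependencies` still records `pkg:maven/B@1.0` depending on `pkg:maven/D@1.0`, the relation a resolution-only walk would lose.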

@knrc
Contributor Author

knrc commented Feb 9, 2023

@hboutemy There are a couple of issues, but the largest is definitely dependencies which are missing from the graph.
It is also possible for components to be missing, especially given the way that the current codebase chooses which scopes are included, and this PR aligns the behaviour with the Maven understanding of scopes.

Kevin Conner and others added 6 commits February 9, 2023 09:45
Signed-off-by: Kevin Conner <kev.conner@gmail.com>
Signed-off-by: Kevin Conner <kev.conner@gmail.com>
…ypes and their transitive dependencies if not referenced elsewhere

Signed-off-by: Kevin Conner <kev.conner@gmail.com>
… updated to match the resolved version in the component list

Signed-off-by: Kevin Conner <kev.conner@gmail.com>
Signed-off-by: Kevin Conner <kev.conner@gmail.com>
Signed-off-by: Kevin Conner <kev.conner@gmail.com>
hboutemy and others added 3 commits February 10, 2023 03:21
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
Contributor

@hboutemy hboutemy left a comment


LGTM
