Currently, SBOM "components" are detected based on a package.json file.
That's cool for most situations.
But what if there is just no package.json? Or it is untrusted for reasons?
Let's add file-based (sub-)components that have a proper hash to them.
-> The feature is disabled by default; it can be enabled by a new config option. Name to be defined.

Note
Since this PR will add properties of the BSI, ask @mschusterbsi for a review. A review of the code might not be necessary; a review of some example SBOMs should be enough.

Expected outcome
- Update the README, tell that this tool includes properties of the BSI.
- Components that represent "packages" have sub-components, one for each file that is used.
  - Each of the file-based sub-components has a computed set of hashes on them.
  - Each of the file-based sub-components' name is the relative path of the file, relative to the root component.
  - Each of the file-based sub-components, if the file ends with .js, then set property bsi:component:executable = executable.
  - Each of the file-based sub-components has property bsi:component:archive = no archive.
  - Each of the file-based sub-components has property bsi:component:filename filled - see https://github.com/BSI-Bund/tr-03183-cyclonedx-property-taxonomy
  - The component that represents the package has the property bsi:component:archive = archive and bsi:component:structured = structured. Reason: it is a package, and BSI TR-03183-2 v2.0.0 section 8.1.5 calls out that packages are structured archives.
- If no package.json can be found (other than the project's own one), then the file used by webpack should result in an SBOM component of type "file".
  - Each of the file-based components has a computed set of hashes on them.
  - Each of the file-based components' name is the relative path of the file, relative to the root component.
  - Each of the file-based components, if the file ends with .js, then set property bsi:component:executable = executable.
  - Each of the file-based components has property bsi:component:filename filled - see https://github.com/BSI-Bund/tr-03183-cyclonedx-property-taxonomy
  - The component that represents the package has the property bsi:component:archive set, and bsi:component:structured not set. Reason: we did not find clear indications whether this is a (structured) archive, but we cannot be sure at this point.

BSI taxonomy: https://github.com/BSI-Bund/tr-03183-cyclonedx-property-taxonomy
May need an extra property taxonomy cdx:webpack according to https://github.com/CycloneDX/cyclonedx-property-taxonomy - but for now the one from BSI is sufficient.

followup