Mark components from test scope

[skhokhlov]

CycloneDX npm plugin adds properties for components in SBOM which are dev dependencies of the project.

"properties": [
        {
          "name": "cdx:npm:package:development",
          "value": "true"
        }
]

https://github.com/CycloneDX/cyclonedx-node-npm/blob/main/demo/dev-dependencies/example-results/bare/bom.1.6.json#L187-L188

This data is crucial for risk analysis of vulnerabilities. It would be perfect to add similar property to be able to identify test dependencies in SBOMs collected with maven plugin.

[FloJit]

It could be interesting to add the maven scope (not only test) in each component object.
I'll try to check it how to do that.

[FloJit]

Well, one way could be to add maven scopes in the Component.Scope enum and store the Artifact#getScope instead of to check the Artifact#isOptional.
But that means to modify the core ...

Or maybe one day change the type of the scope as String to let the possibility to set any scope of any plugin (I don't know how Gradle scopes work).