Provide option to include vcs url in the output bom file

[prabhu]

Discussed in https://github.com/CycloneDX/cdxgen/discussions/290

^{Originally posted by **minato7** April 11, 2023} Hi @prabhu, thank you for providing a great tool which supports generating SBOM for multiple languages which is helping us a lot. Normally for a Golang project, `cdxgen` produces following information for a single component: ``` github.com/fsnotify fsnotify v1.6.0 required b25dedd6d0962455a8473f51f162426d08a128ac26a2b8c06d20a5727c4a006c BSD-3-Clause https://pkg.go.dev/github.com/fsnotify/fsnotify?tab=licenses pkg:golang/github.com/fsnotify/fsnotify@v1.6.0 ``` But additionally, it would be helpful for the user to have url of source repository for the package similar to [cyclonedx-gomod](https://github.com/CycloneDX/cyclonedx-gomod) Sample output from `cyclonedx-gomod` for the same component: ``` github.com/fsnotify/fsnotify v1.6.0 required 9fee56aae1b47dc5a85a9eb13d67c775bb2430241a1671ba3df06b8752b2e076 pkg:golang/github.com/fsnotify/fsnotify@v1.6.0?type=module https://github.com/fsnotify/fsnotify ``` Is there a way to provide vcs url in `cdxgen` for multiple projects (Debian packages, golang, .NET)?

[prabhu]

For golang, the code only extracts the license from the HTML. We must figure out a better API or page to get multiple pieces of information. I will check for Debian packages, which are due for a revisit since the parsing performance could be improved.

[prabhu]

Is there a way to determine the vcs url for golang packages? Need some help here.