Add support for dependency graph introduced in v1.2 of the spec

[coderpatros]

see https://cyclonedx.org/use-cases/#dependency-graph

[stevespringett]

The Laravel SBOM example will need to be updated to spec v1.2 once this ticket is complete.

[jkowalleck]

@coderpatros

i am not too famliar wth the 1.2 specs. could you help me find the "dependency graph" element in the XSD and JSON SCHEMA ?

[coderpatros]

@jkowalleck it’s at the BOM level https://cyclonedx.org/docs/1.2/#type_dependenciesType

[jkowalleck]

The Laravel SBOM example will need to be updated to spec v1.2 once this ticket is complete.

see https://github.com/CycloneDX/sbom-examples/tree/master/laravel-7.12.0 (related: #58 )

[jkowalleck]

based on https://cyclonedx.org/use-cases/#dependency-graph

---

[DRAFT]

the following might be wrong, need to read SPEC details.... some notes:

• concept
  • the dependencies must not include dev-dependencies of any php-package
• data modelling
  1. the generator fills all known dependencies as A
  2. for each B in A:
     for each dependency C of B:
     add item D from A that represents C as a dependency of B.
• writing the dependencies to XML: for each B in A: write B's bom-ref for each C in B's dependencies:
  write C's bom-ref as a dependency to B's dependencies

this might lead to non-reproducible outputs, if bom-ref change on each runtime... maybe leverage the packageURL as a constant value? or generate a constant hash somehow?

[jkowalleck]

attention. keep alias packages in mind and how they should be handled.

[jkowalleck]

implementation aids: composer why might have a dep tree implemented composer show --locked --tree displays a dep tree - so it must utilize some tree maker somehow. see if composer's tree makers are public(non-internal) and can me used as a library.