based on https://sethmlarson.dev/early-promising-results-with-sboms-and-python-packages contact @sethmlarson
PEP: to be written
gather the declaration of bundled dependencies of a package, by reading its SBOM.
[!WARNING] there is no PEP yet, so it is unclear how declared shipped SBOMs may be detected ...
JSON based on a demo-SBOM for Pillow==11.1.0 https://gist.github.com/sethmlarson/9b87245c99147815e8e18901f4a10444 (note that the example as pasted below is not a valid document: the nested `components` array is followed by a trailing comma, the libwebp entry appears three times under the same `bom-ref`, and `$schema` points at bom-1.6 while `specVersion` is `"1.4"`, so a strict JSON parser will reject it and the repeated `bom-ref` values break the uniqueness that CycloneDX requires for dependency references)
Pillow==11.1.0
{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "metadata": { "component": { "type": "application", "name": "my-app", "version": "0.13.37", "bom-ref": "my-app" } }, "components": [ { "type": "library", "bom-ref": "pillow==11.1.0", "name": "Pillow", "version": "11.1.0", "components": [ { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libXau@1.0.9-3.el8?distro=almalinux-8", "name": "libXau", "version": "1.0.9-3.el8", "purl": "pkg:rpm/almalinux/libXau@1.0.9-3.el8?distro=almalinux-8" }, { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/jbigkit-libs@2.1-14.el8?distro=almalinux-8", "name": "jbigkit-libs", "version": "2.1-14.el8", "purl": "pkg:rpm/almalinux/jbigkit-libs@2.1-14.el8?distro=almalinux-8" }, { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libtiff@4.0.9-33.el8_10?distro=almalinux-8", "name": "libtiff", "version": "4.0.9-33.el8_10", "purl": "pkg:rpm/almalinux/libtiff@4.0.9-33.el8_10?distro=almalinux-8" }, { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libxcb@1.13.1-1.el8?distro=almalinux-8", "name": "libxcb", "version": "1.13.1-1.el8", "purl": "pkg:rpm/almalinux/libxcb@1.13.1-1.el8?distro=almalinux-8" }, { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/openjpeg2@2.4.0-5.el8?distro=almalinux-8", "name": "openjpeg2", "version": "2.4.0-5.el8", "purl": "pkg:rpm/almalinux/openjpeg2@2.4.0-5.el8?distro=almalinux-8" }, { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libjpeg-turbo@1.5.3-12.el8?distro=almalinux-8", "name": "libjpeg-turbo", "version": "1.5.3-12.el8", "purl": "pkg:rpm/almalinux/libjpeg-turbo@1.5.3-12.el8?distro=almalinux-8" }, { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/lcms2@2.9-2.el8?distro=almalinux-8", "name": "lcms2", "version": "2.9-2.el8", "purl": "pkg:rpm/almalinux/lcms2@2.9-2.el8?distro=almalinux-8" }, { "type": "library", "bom-ref": 
"pillow==11.1.0|pkg:rpm/almalinux/bzip2-libs@1.0.6-26.el8?distro=almalinux-8", "name": "bzip2-libs", "version": "1.0.6-26.el8", "purl": "pkg:rpm/almalinux/bzip2-libs@1.0.6-26.el8?distro=almalinux-8" }, { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libpng@1.6.34-5.el8?distro=almalinux-8", "name": "libpng", "version": "1.6.34-5.el8", "purl": "pkg:rpm/almalinux/libpng@1.6.34-5.el8?distro=almalinux-8" }, { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/freetype@2.9.1-9.el8?distro=almalinux-8", "name": "freetype", "version": "2.9.1-9.el8", "purl": "pkg:rpm/almalinux/freetype@2.9.1-9.el8?distro=almalinux-8" }, { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8", "name": "libwebp", "version": "1.0.0-9.el8_9.1", "purl": "pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8" }, { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8", "name": "libwebp", "version": "1.0.0-9.el8_9.1", "purl": "pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8" }, { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8", "name": "libwebp", "version": "1.0.0-9.el8_9.1", "purl": "pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8" } ], } ], "dependencies": [ { "ref": "my-app", "dependsOn": [ "pillow==11.1.0" ] }, { "ref": "pillow==11.1.0", "dependsOn": [ "pillow==11.1.0|pkg:rpm/almalinux/libXau@1.0.9-3.el8?distro=almalinux-8", "pillow==11.1.0|pkg:rpm/almalinux/jbigkit-libs@2.1-14.el8?distro=almalinux-8", "pillow==11.1.0|pkg:rpm/almalinux/libtiff@4.0.9-33.el8_10?distro=almalinux-8", "pillow==11.1.0|pkg:rpm/almalinux/libxcb@1.13.1-1.el8?distro=almalinux-8", "pillow==11.1.0|pkg:rpm/almalinux/openjpeg2@2.4.0-5.el8?distro=almalinux-8", "pillow==11.1.0|pkg:rpm/almalinux/libjpeg-turbo@1.5.3-12.el8?distro=almalinux-8", 
"pillow==11.1.0|pkg:rpm/almalinux/lcms2@2.9-2.el8?distro=almalinux-8", "pillow==11.1.0|pkg:rpm/almalinux/bzip2-libs@1.0.6-26.el8?distro=almalinux-8", "pillow==11.1.0|pkg:rpm/almalinux/libpng@1.6.34-5.el8?distro=almalinux-8", "pillow==11.1.0|pkg:rpm/almalinux/freetype@2.9.1-9.el8?distro=almalinux-8", "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8", "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8", "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8" ] }, { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libXau@1.0.9-3.el8?distro=almalinux-8" }, { "ref": "pillow==11.1.0|pkg:rpm/almalinux/jbigkit-libs@2.1-14.el8?distro=almalinux-8" }, { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libtiff@4.0.9-33.el8_10?distro=almalinux-8" }, { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libxcb@1.13.1-1.el8?distro=almalinux-8" }, { "ref": "pillow==11.1.0|pkg:rpm/almalinux/openjpeg2@2.4.0-5.el8?distro=almalinux-8" }, { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libjpeg-turbo@1.5.3-12.el8?distro=almalinux-8" }, { "ref": "pillow==11.1.0|pkg:rpm/almalinux/lcms2@2.9-2.el8?distro=almalinux-8" }, { "ref": "pillow==11.1.0|pkg:rpm/almalinux/bzip2-libs@1.0.6-26.el8?distro=almalinux-8" }, { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libpng@1.6.34-5.el8?distro=almalinux-8" }, { "ref": "pillow==11.1.0|pkg:rpm/almalinux/freetype@2.9.1-9.el8?distro=almalinux-8" }, { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8" }, { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8" }, { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8" } ] }
based on https://sethmlarson.dev/early-promising-results-with-sboms-and-python-packages contact @sethmlarson
PEP: to be written
goal
gather the declaration of bundled dependencies of a package, by reading its SBOM.
expected outcome:
example result
JSON based on a demo-SBOM for Pillow==11.1.0: https://gist.github.com/sethmlarson/9b87245c99147815e8e18901f4a10444