Added configurable reference generation between the components of a multi-language SBOM

[malice00]

When generating a multi-language SBOM, the first generated sub-BOM's parentComponent is used as the parent for the mixed SBOM -- but there are no references between the different sub-BOMs.
This fix adds references to all remaining sub-BOMs as a 'provides'-entries. It is also possible to add them as 'dependsOn', so that tools can actually show all components in the dependency-tree -- I noticed that eg Dependency-Track doesn't show references in 'provides'.

Small included change: GRADLE_XXX EnvVars in documentation grouped together, a duplicate EnvVar removed from docs.

[prabhu]

Cool idea!

[prabhu]

Does this work with our configuration files? .cdxgenrc etc?

[malice00]

Don't know, I didn't know there are config files! 😄 I'll try it and let you know what I find/try to fix it if it doen't.

[malice00]

@prabhu Is it currently possible to put EnvVars in the config files? I can't seem to find any documentation on that, or in yargs for that matter... Or is this a feature that needs to be added?

[prabhu]

Good point. I think only command line arguments can be passed via config files. Do we need this variable or can we just assume dependsOn ?

[malice00]

There's already lots of EnvVar-configs, so we could maybe leave it like that? Or add it as a cli argument.
Maybe it would be good to clean that up a bit at some point and have both support all current args and EnvVars?

[prabhu]

I meant, do we need this new variable MULTI_BOM_COMPONENT_REF at all?

[malice00]

Not necessarily, I just thought it would be good the have the option to choose. I initially didn't have it, then decided to change the default to provides, since this made more sense to me.
I'll remove it and set it to dependsOn; We can always add something if a request is made. 😄

[prabhu]

provides is only useful for CBOMs at this point. We can use default of dependsOn?

[malice00]

I didn't realize that. I figured that logically it should not be a 'dependsOn' relation, my personal use however will be that every time because of the dependency-tree in Dependency-Track. So yeah, I don't mind turning the default around!

[prabhu]

Should we handle the case, where this could match the child of the parent component?

[malice00]

I'm not quite sure if I follow you here... bom-refs should be unique, right? So in what case would this match a child component?

[prabhu]

parentComponent could have a list of components.

[malice00]

That is actually already handled in 31c082d!

[prabhu]

Is it possible to add a repo test to demonstrate this useful feature? I will fix the current repo tests failures in a different branch.

[malice00]

Is it possible to add a repo test to demonstrate this useful feature? I will fix the current repo tests failures in a different branch.

That should definitely be possible, my testing-project is already part of the repotests anyway. I'll add some tests in later today.

[prabhu]

Can you also rebase. The repotests are fixed now.

[malice00]

All discussed issues should be included, now let's hope all tests work... 😉

[malice00]

Darn, more commits were added. after I last pulled! Another rebase was done... 😄

[prabhu]

Thank you for your patience and support!