feat: new commands: bom componentcheck and project componentcheck #208
Thanks for the review request! I didn't have time yet to test it locally and review the changes in detail, but the implementation looks good to me. I especially like the idea of supporting downloading the list from a custom URL. However, I think this definitely needs more documentation, so the user knows what the different messages mean. E.g. which components shall not be in the product's SBOM (I think it's about excluding them from the product, not from license checks, right?), because normal end users don't need them. Also mention that SDKs someone ships will be an exception. And I think the Python binary checks are somehow contrary, because they are not a hint for superfluous checks but need extra in-depth checks, right? Also, we need to mention that the bundled lists are only starting points and we try to provide hints, not a final check.
Ah, and I think we should provide some "your ecosystem is not covered in our lists" warning, either in the code (if the SBOM contains a PURL type which is not in component_checks.json) or at least a list in the README of which ecosystems are covered. As an example, for most PURLs listed there, there are Linux distribution packages, certainly with different names per distribution, which are currently not covered, so many ready-to-use Docker images will not produce any result, I guess.
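The "ecosystem not covered" warning proposed in the comment above, written out as an added example; this is not code from the PR or the project. It assumes that each entry in component_checks.json carries a `purl_type` field (an assumption about the file's structure, which the page does not describe) and that the SBOM is CycloneDX JSON with `purl` fields on its components; both inputs are constructed inline, so the block runs offline.

```python
import json
import re
from typing import Optional

# Constructed stand-in for the bundled component_checks.json. The real file's
# layout is an assumption; only the "purl_type" field is used here.
SAMPLE_COMPONENT_CHECKS_JSON = json.dumps({
    "checks": [
        {"purl_type": "npm", "name": "typescript", "hint": "build-time only"},
        {"purl_type": "pypi", "name": "setuptools", "hint": "build-time only"},
        {"purl_type": "maven", "name": "junit", "hint": "test-time only"},
    ]
})

# Constructed CycloneDX-style SBOM fragment, mixing ecosystem packages with
# Linux distribution packages (deb, rpm) as found in typical container images.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "typescript", "purl": "pkg:npm/typescript@5.4.0"},
        {"name": "libssl3", "purl": "pkg:deb/debian/libssl3@3.0.11-1?arch=amd64"},
        {"name": "bash", "purl": "pkg:rpm/fedora/bash@5.2.15",
         # nested components are allowed in CycloneDX and must be walked too
         "components": [{"name": "readline", "purl": "pkg:rpm/fedora/readline@8.2"}]},
        {"name": "component-without-purl"},
        {"name": "requests", "purl": "pkg:PyPI/requests@2.31.0"},
    ],
})

# A package URL starts with "pkg:" followed by the type and a "/".
_PURL_TYPE_RE = re.compile(r"^pkg:([A-Za-z0-9.+-]+)/")


def purl_type(purl: str) -> Optional[str]:
    """Return the lower-cased type of a package URL, or None if it is malformed.

    The PURL spec treats the type as case-insensitive, so "pkg:PyPI/..."
    and "pkg:pypi/..." both map to "pypi".
    """
    m = _PURL_TYPE_RE.match(purl.strip())
    return m.group(1).lower() if m else None


def covered_purl_types(component_checks: dict) -> set:
    """Collect every PURL type the check list knows about."""
    return {
        entry["purl_type"].lower()
        for entry in component_checks.get("checks", [])
        if isinstance(entry.get("purl_type"), str)
    }


def sbom_purl_types(sbom: dict) -> set:
    """Walk the SBOM (including nested components) and collect PURL types."""
    found = set()

    def walk(components):
        for comp in components:
            t = purl_type(comp.get("purl") or "")
            if t:
                found.add(t)
            walk(comp.get("components", []))

    walk(sbom.get("components", []))
    return found


def uncovered_purl_types(sbom: dict, component_checks: dict) -> set:
    """PURL types present in the SBOM that no bundled check covers."""
    return sbom_purl_types(sbom) - covered_purl_types(component_checks)


def coverage_warnings(sbom: dict, component_checks: dict) -> list:
    """Human-readable warnings, one per uncovered ecosystem, in stable order."""
    return [
        f"warning: PURL type '{t}' is not covered by component_checks.json; "
        f"no hints will be produced for these components"
        for t in sorted(uncovered_purl_types(sbom, component_checks))
    ]


def demo() -> list:
    """Run the check over the constructed samples."""
    sbom = json.loads(SAMPLE_SBOM_JSON)
    checks = json.loads(SAMPLE_COMPONENT_CHECKS_JSON)
    return coverage_warnings(sbom, checks)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

With the constructed inputs the SBOM contains the types npm, deb, rpm and pypi, the check list covers npm, pypi and maven, so the tool would warn about deb and rpm and stay silent for the covered ecosystems; a README table of covered types can be generated from the same `covered_purl_types` set so code and documentation do not drift apart.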