SbomExtractor improvements

[lhns]

This PR adds the following attributes to sboms:

• plugin information (name, version)
• bom ref
• hashes (fixes include component hashes #51)
• license id

It also fixes an error caused by modules that are reported multiple times (cross builds, complex dependsOn structure and such)

[raboof]

looks good, a few optional comments to consider, and you'll have to update the scripted test expectations to match the new behavior.

[raboof]

code is looking good, just needs the default value for 'include bom hashes' in the plugin and updated test expectations in the scripted tests

[lhns]

oh no why are the hashes different in ci...

[lhns]

ohh they are selected based on the java version in org.cyclonedx.util.BomUtils:

        try {
            digests.add(DigestUtils.getSha3_256Digest());
        } catch (Exception | NoSuchMethodError e) { /* Not available in Java 8 and only available in later versions of DigestUtils */ }

[raboof]

One final tweak, then looks great to me!

[raboof]

I wonder if we should default this to false, to be more reproducible by default...

[lhns]

I also thought about this but java 8 is mostly end of life anyway and the sha3 family will be pretty important in the future and should probably be enabled by default sooner than later. The gradle cyclonedx plugin also does not filter out hashes.

[raboof]

Great improvement!