feat: mark dev-dependencies component.scope as "excluded"

[jkowalleck]

Is your feature request related to a problem? Please describe.

Per CycloneDX specification, the components' scope means (see docs)

• "required": The component is required for runtime
• "optional": The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.
• "excluded": Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime.

Current implementation does not set any scope, meaning the fallback to "required".
for dev-dependencies this would be wrong.

Describe the solution you'd like

mark all components, that are dev-dependencies only, as "excluded" in the resulting SBOM.

Describe alternatives you've considered

none

Additional context

for poetry

poetry knowns the "dev" group/category - things that are in there only (not in any other) are dev-dependencies

for pipenv

pipenv knowns a group/category called "dev-packages" - things that are in there only (not in any other) are dev-dependencies

for pyproject.toml

pyproject knows optional-dependency groups. see also PEP735 (draft)
there is no accepted PEP for that matter (or is there?), but commonly, people use "dev" or
"devel", "development" group to tell development-dependencies. - things that are in there, but not in any other, are dev-dependencies
Since there is no consensus here, the pyproject SHOULD have no effect on the component.scope, for now