feat: mark Poetry's dev-dependencies component.scope as "excluded"

[jkowalleck]

Is your feature request related to a problem? Please describe.

Per CycloneDX specification, the components' scope means

• "required": The component is required for runtime
• "optional": The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.
• "excluded": Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime.

Current implementation does not set any scope, meaning the fallback to "required".
for dev-dependencies this would be wrong.

From a Poetry lock file, it is possible to determine whether a component is a runtime-dependency.

Describe the solution you'd like

for Poetry lock file analysis results:
mark all components, that are dev-dependencies only, as "excluded" in the resulting SBOM.

Describe alternatives you've considered

none

Additional context

Add any other context or screenshots about the feature request here.