Minor SBOM output updates

[AyanSinhaMahapatra]

Some suggestions that came up in a discussion with @pombredanne, please correct me if I got it wrong:

SPDX:

1. SPDX license list version

We have the SPDX license list version declared here: https://github.com/nexB/scancode.io/blob/main/scanpipe/pipes/spdx.py#L33 and it is 3.18, but in the latest version we have scancode-toolkit 32.0.4 and the spdx license list version is 3.20 and soon 3.21 with aboutcode-org/scancode-toolkit#3437

Ideally we should import this license list version number from this here: https://github.com/nexB/scancode-toolkit/blob/develop/src/scancode_config.py#L147 and not set this in scancode.io

2. SPDX output size

SPDX output includes file details for all resources and this makes the output file really large. We should probably add a settings option in the menu to not add the file details in the SPDX output?

Cyclonedx:

3. CycloneDX BOM name:

See https://cyclonedx.org/specification/overview/#recognized-file-patterns

We currently have the filename as *.bom.json but this should be *.cdx.json (or just bom.json, but we want the project details in the filename too)

[tdruez]

Ideally we should import this license list version number from this here: https://github.com/nexB/scancode-toolkit/blob/develop/src/scancode_config.py#L147 and not set this in scancode.io

We can, but keep in mind this module does not have any external dependencies on purpose for re-usability. I'm not sure introducing a toolkit dependency is the best way to handle this. Ideally, this library should be common to the toolkit and SCIO so we only import from one place that would have the proper version.

We should probably add a settings option in the menu to not add the file details in the SPDX output?

We could, but we should start by not including the resources in the short term.

We currently have the filename as *.bom.json but this should be *.cdx.json (or just bom.json, but we want the project details in the filename too)

Can you clarify "project details"? Also please provide examples of the expected filenames.

[AyanSinhaMahapatra]

Ideally, this library should be common to the toolkit and SCIO so we only import from one place that would have the proper version.

Yeah, that would be best. In the short term we can just make this version correct then.

We could, but we should start by not including the resources in the short term.

Yeah that could be default too, in the short term.

Can you clarify "project details"? Also please provide examples of the expected filenames.

For examples we have the filename as scancodeio_xstream-d2d_results-2023-06-26-12-17-07.bom.json when we get a CycloneDx output from a project. This should be scancodeio_xstream-d2d_results-2023-06-26-12-17-07.cdx.json
Basically just updating https://github.com/nexB/scancode.io/blob/main/scanpipe/pipes/output.py#L625 "bom.json" -> "cdx.json"