Include language package manager (e.g. cargo, npm, go modules) information in SBOMs

[carlocab]

Verification

• This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

Provide a detailed description of the proposed feature

The sbom.spdx.json contains dependency information for dependencies managed by brew. We should include dependency information for those not managed by brew as well.

What is the motivation for the feature?

More complete SBOMs. It will also improve our ability to track CVEs that affect formulae.

How will the feature be relevant to at least 90% of Homebrew users?

It probably won't be.

What alternatives to the feature have been considered?

• the status quo
• another mechanism for tracking non-Homebrew dependencies

[MikeMcQuaid]

Good idea, thanks @carlocab!

[SMillerDev]

@carlocab do you have an example of some data you would like to see included?