
Classify cdx component type file #141

Open
wants to merge 1 commit into
base: main

Conversation

henrirosten
Collaborator

Set the cdx component type based on the following heuristic:

  • Set the default component type to 'library'
  • Set the component type to 'file' if the drv version string is missing

Resolves: #140

@henrirosten
Collaborator Author

henrirosten commented Dec 23, 2024

Below is a quick test using wget as an example target. The following commands can be run from the sbomnix devshell.

# Target: wget, include both buildtime and runtime dependencies:
❯ nix run github:tiiuae/sbomnix/584988e#sbomnix -- nixpkgs/58ff6e0#wget --buildtime
...
INFO     Wrote: sbom.cdx.json
INFO     Wrote: sbom.spdx.json
INFO     Wrote: sbom.csv

# How many unique packages (by name) are there in the wget sbom?
❯ csvsql --verbose --query "select count(distinct name) from sbom" sbom.csv
count(distinct name)
337

# How many unique packages are missing the version string?
# After the changes from this PR, this many components would be
# classified with cdx component type 'file':
❯ csvsql --verbose --query "select count(distinct name) from sbom where version is null" sbom.csv
count(distinct name)
211

# Some examples of packages which would end up classified as 'file' after
# the changes from this PR:
❯ csvsql --verbose --query "select distinct name from sbom where version is null" sbom.csv | csvlook | head
| name                                               |
| -------------------------------------------------- |
| 0001-Add-prototype-to-function-definitions.patch   |
| 06-initialize-the-symlink-flag.patch               |
| 07631601e6602bc49b8eac3aab9d2b35968d3e7a.patch     |
| 28-cve-2022-0529-and-cve-2022-0530.patch           |
| B-COW-0.007.tar.gz                                 |
| CPAN-Meta-Check-0.018.tar.gz                       |
| CVE-2019-13232-1.patch                             |
| CVE-2019-13232-2.patch                             |

All good so far.
However, it's easy to find cases where I think the classification seems to go wrong:

❯ csvsql --verbose --query "select name,out,store_path from sbom where version is null group by name" sbom.csv | csvlook | grep -vP "(\.patch|\.tar\.|\.t?gz|\.zip|-bash52-|-readline82-)"
| name                                               | out                                                                                            | store_path                                                                                         |
| -------------------------------------------------- | ---------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| autoreconf-hook                                    | /nix/store/xmbb1knxj25q34iqp23aa28mlc7x26ch-autoreconf-hook                                    | /nix/store/2a0rsx8y0qa0hj27869dwa79fa7r09cy-autoreconf-hook.drv                                    |
| bootstrap-stage-xgcc-gcc-wrapper-                  | /nix/store/7avw5y6vx6h94hg749msibskkrzzq7kb-bootstrap-stage-xgcc-gcc-wrapper-                  | /nix/store/43lvdp28w1wmj7qvj4cp846rq3y84k5q-bootstrap-stage-xgcc-gcc-wrapper-.drv                  |
| bootstrap-stage-xgcc-stdenv-linux                  | /nix/store/0n27p9zy7rp12xfws3dl8i3wf9a8f1kd-bootstrap-stage-xgcc-stdenv-linux                  | /nix/store/7njndm5dmwlxkc80w9gk347nsmcy6wk9-bootstrap-stage-xgcc-stdenv-linux.drv                  |
| bootstrap-stage0-binutils-wrapper-                 | /nix/store/hk2p2ccpsn8wr1nnfbllnhcmgmaii9rj-bootstrap-stage0-binutils-wrapper-                 | /nix/store/72c838vcc1440hfh6zkl8mna1nsskslv-bootstrap-stage0-binutils-wrapper-.drv                 |
| bootstrap-stage0-glibc-iconv-bootstrapFiles        | /nix/store/l06g8zzvnmljvz18p108clwaxzcq30ym-bootstrap-stage0-glibc-iconv-bootstrapFiles        | /nix/store/9v9k2cnqw962ldwabkyp7calmvp63lyd-bootstrap-stage0-glibc-iconv-bootstrapFiles.drv        |
| bootstrap-stage0-stdenv-linux                      | /nix/store/mdqwssbvg5cr14xxqamj77qlmna9hcyz-bootstrap-stage0-stdenv-linux                      | /nix/store/jhnz6wx6p5h0pqykj1i7jdzj8ddqlgnf-bootstrap-stage0-stdenv-linux.drv                      |
| bootstrap-stage1-gcc-wrapper-                      | /nix/store/p9riy1zqs8gq8j6qg6rw857ks8m2ml95-bootstrap-stage1-gcc-wrapper-                      | /nix/store/01b514fgfw953n7q1vickfa7aq41zqq8-bootstrap-stage1-gcc-wrapper-.drv                      |
| bootstrap-stage1-stdenv-linux                      | /nix/store/qk8m8gzpjk4vna5spmbz1xlff2mb4d3p-bootstrap-stage1-stdenv-linux                      | /nix/store/45xpqvq383243s730wmaka92mikrdy43-bootstrap-stage1-stdenv-linux.drv                      |
| bootstrap-stage2-stdenv-linux                      | /nix/store/8c12hhc7aqr4gcy6n039kv43w8c9jwcq-bootstrap-stage2-stdenv-linux                      | /nix/store/ismkxxgzhnyd8zl90r53yxqkqs6l44kk-bootstrap-stage2-stdenv-linux.drv                      |
| bootstrap-stage3-stdenv-linux                      | /nix/store/mv3nd0nm9dahd1s3qhqszvsb4j84l4fj-bootstrap-stage3-stdenv-linux                      | /nix/store/gp38xzkcj0ijj3xzdxvnsmrky5fz4bzy-bootstrap-stage3-stdenv-linux.drv                      |
| bootstrap-stage4-stdenv-linux                      | /nix/store/c2mw51ncnnvaard4nq0riqilmhk07dj5-bootstrap-stage4-stdenv-linux                      | /nix/store/f8p2g1kx4j6vvil6sm5hrmaqa2nfdfwp-bootstrap-stage4-stdenv-linux.drv                      |
| bootstrap-tools                                    | /nix/store/razasrvdg7ckplfmvdxv4ia3wbayr94s-bootstrap-tools                                    | /nix/store/05q48dcd4lgk4vh7wyk330gr2fr082i2-bootstrap-tools.drv                                    |
| busybox                                            | /nix/store/p9wzypb84a60ymqnhqza17ws0dvlyprg-busybox                                            | /nix/store/0m4y3j4pnivlhhpr5yqdvlly86p93fwc-busybox.drv                                            |
| config.guess-948ae97                               | /nix/store/vq0j27nvpks679djbiykl8ikdyj6z5a9-config.guess-948ae97                               | /nix/store/bamwxswxacs3cjdcydv0z7bj22d7g2kc-config.guess-948ae97.drv                               |
| config.sub-948ae97                                 | /nix/store/1p61qjvlqmwrqab3zp5yh3z8rf3mvjmz-config.sub-948ae97                                 | /nix/store/17jjjz36g6svn6kryg89l87y571a44pn-config.sub-948ae97.drv                                 |
| die-hook                                           | /nix/store/q7yqwfpc8b56sn5drqyb0hscvmfpjgk2-die-hook                                           | /nix/store/61854fyyiyawkprq7zf4pvrq7ksy2hdf-die-hook.drv                                           |
| expand-response-params                             | /nix/store/a6y72yfm7mxjnbgjm56l23i9k5mszkib-expand-response-params                             | /nix/store/082q12iqbm8i0s9jjkn6mqn3s08sddbw-expand-response-params.drv                             |
| find-xml-catalogs-hook                             | /nix/store/wx5nzqd94wxp3a2mcacragk4dixzfgy5-find-xml-catalogs-hook                             | /nix/store/9yq1167s48cv7hn8bnf8bn4gfd25lxi1-find-xml-catalogs-hook.drv                             |
| glibc-iconv-2.40                                   | /nix/store/nrymrxaqn1hcwgjycn3dzyl9i0lylifw-glibc-iconv-2.40                                   | /nix/store/dsnv5c2qx03mlw9ssrz4lfcdy4mpnqkr-glibc-iconv-2.40.drv                                   |
| install-shell-files                                | /nix/store/zrz201kl2cnx2i9vg253266fw653sxcj-install-shell-files                                | /nix/store/fwr3vgdizyxz7cjv8xczq7mcrflbkmaa-install-shell-files.drv                                |
| libidn2-2.3.7                                      | /nix/store/ma08vfhb5yipb31n2fymf2isk0gyb9ki-libidn2-2.3.7                                      | /nix/store/02piwsci6jgiipk0in2lj41aj6p6vln5-libidn2-2.3.7.drv                                      |
| locales-setup-hook.sh                              | /nix/store/1jjd4gpbr42b3bscsknm8ji91vwp21li-locales-setup-hook.sh                              | /nix/store/v8gdyjfapcis75cvxpdfw8zlx38alq1l-locales-setup-hook.sh.drv                              |
| make-binary-wrapper-hook                           | /nix/store/gqjd4bvd683s55r0jcgc9q67rvjnmfc6-make-binary-wrapper-hook                           | /nix/store/s35vnmn2y124xa6iw1kcqalixmca1s8m-make-binary-wrapper-hook.drv                           |
| make-shell-wrapper-hook                            | /nix/store/5iwa7fcljsi4ahj9znxfqfj0pbm54cd2-make-shell-wrapper-hook                            | /nix/store/2p8j0pjf4m63iksncbq9qsz3zms845cf-make-shell-wrapper-hook.drv                            |
| mirrors-list                                       | /nix/store/fvd90pv9l7bzgszciv0adhivysb95jnh-mirrors-list                                       | /nix/store/avk7dy1fdyrf7d4z0ad62db7bx2ccppv-mirrors-list.drv                                       |
| nuke-references                                    | /nix/store/yjfk0fn7smh88kd0xqvfhhy1gfxc1w4l-nuke-references                                    | /nix/store/17yimdihwq1lzr8man6mwd2gq94zb5vz-nuke-references.drv                                    |
| python-setup-hook.sh                               | /nix/store/lizjckh3h9wjaylafsma2v1wwyckmd4i-python-setup-hook.sh                               | /nix/store/a3ighs21cmgqhbfpv6bx9f5pcaxirj4c-python-setup-hook.sh.drv                               |
| raw                                                | /nix/store/d1xybymfx4ad0hy6zv97walg9v1dyzn6-raw                                                | /nix/store/dhjhlihqj08f3fs1cvsja0fims0dqnlw-raw.drv                                                |
| source                                             | /nix/store/hhinz3k4nh50l93k6r3617nrf9pnb975-source                                             | /nix/store/1vjg4z2rm4kaiglkmc6vkkp3wv30xd73-source.drv                                             |
| stdenv-linux                                       | /nix/store/m1p78gqlc0pw3sdbz3rdhklzm0g26g96-stdenv-linux                                       | /nix/store/vxckchzd4ny3dni980qf570fmfc3q5m6-stdenv-linux.drv                                       |
| tcl-package-hook                                   | /nix/store/59dmq1m6n4hcpqikr78sr3z5jk06120z-tcl-package-hook                                   | /nix/store/vkhapph94vhy5wd9g28xi7fp3vcn2lyn-tcl-package-hook.drv                                   |
| update-autotools-gnu-config-scripts-hook           | /nix/store/ljlah5wqcbix5wg8rvm3g8rc7k9zn1qg-update-autotools-gnu-config-scripts-hook           | /nix/store/bfv1sg2nvdk6g7c2hl4rcdsrlc8j8d58-update-autotools-gnu-config-scripts-hook.drv           |
| wrap-python-hook                                   | /nix/store/ywn3i812qicw2cqx4biillriqf2nhr8z-wrap-python-hook                                   | /nix/store/h18pfjrnqql4xf45s6n621m3i1k4ljwq-wrap-python-hook.drv                                   |

In the above example, I think the following would be clearly classified incorrectly:

/nix/store/0m4y3j4pnivlhhpr5yqdvlly86p93fwc-busybox.drv
/nix/store/dsnv5c2qx03mlw9ssrz4lfcdy4mpnqkr-glibc-iconv-2.40.drv
/nix/store/02piwsci6jgiipk0in2lj41aj6p6vln5-libidn2-2.3.7.drv
/nix/store/05q48dcd4lgk4vh7wyk330gr2fr082i2-bootstrap-tools.drv

Not sure which is worse: that we just classify everything as library or that we try to guess the classification and risk incorrectly classifying cdx components as file when they are really something else.
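The heuristic from the PR description, together with the review concern raised above, as an added example in Python (this is not sbomnix's own code): it applies the "default 'library', 'file' when the drv version is missing" rule to sbom.csv-style rows, then runs a second pass that flags any 'file' result whose name does not look like a patch or source archive, so the cases the comment lists as misclassified (busybox, glibc-iconv-2.40, libidn2-2.3.7, bootstrap-tools) surface for manual review. The sample rows, the placeholder store hashes, the `FILE_SUFFIXES` list and the `VERSION_IN_NAME` pattern are all constructed assumptions for this example.

```python
"""Added example (not sbomnix code): the PR's cdx component-type heuristic applied to
sbom.csv-style rows, plus a review pass that flags rows the heuristic classifies as
'file' even though the name does not look like a file artifact."""
import csv
import io
import re

# Constructed sample in the shape of the sbom.csv columns used in the discussion.
# The /nix/store hashes are placeholders ("0" * 32), not real store paths.
SAMPLE_CSV = """\
name,version,out,store_path
wget,1.24.5,/nix/store/00000000000000000000000000000000-wget-1.24.5,/nix/store/00000000000000000000000000000000-wget-1.24.5.drv
CVE-2019-13232-1.patch,,/nix/store/00000000000000000000000000000000-CVE-2019-13232-1.patch,/nix/store/00000000000000000000000000000000-CVE-2019-13232-1.patch.drv
B-COW-0.007.tar.gz,,/nix/store/00000000000000000000000000000000-B-COW-0.007.tar.gz,/nix/store/00000000000000000000000000000000-B-COW-0.007.tar.gz.drv
busybox,,/nix/store/00000000000000000000000000000000-busybox,/nix/store/00000000000000000000000000000000-busybox.drv
glibc-iconv-2.40,,/nix/store/00000000000000000000000000000000-glibc-iconv-2.40,/nix/store/00000000000000000000000000000000-glibc-iconv-2.40.drv
libidn2-2.3.7,,/nix/store/00000000000000000000000000000000-libidn2-2.3.7,/nix/store/00000000000000000000000000000000-libidn2-2.3.7.drv
bootstrap-tools,,/nix/store/00000000000000000000000000000000-bootstrap-tools,/nix/store/00000000000000000000000000000000-bootstrap-tools.drv
"""

# Suffixes that mark a derivation output as a fetched source artifact rather than a
# built package. Hypothetical list, chosen from the examples in the comment above.
FILE_SUFFIXES = (".patch", ".tar.gz", ".tgz", ".tar.xz", ".tar.bz2", ".zip", ".sh")

# Trailing "-1.2.3"-style version embedded in the derivation name (e.g. libidn2-2.3.7):
# a hint that the row is a versioned package whose drv version attribute is simply unset.
VERSION_IN_NAME = re.compile(r"-(\d+(?:\.\d+)+)$")


def classify_component(row):
    """The heuristic from the PR: default 'library', 'file' when the drv version is missing."""
    return "file" if not row.get("version") else "library"


def looks_like_file_artifact(name):
    """True when the name ends in a suffix typical of patches and source archives."""
    return name.lower().endswith(FILE_SUFFIXES)


def review_rows(rows):
    """Classify each row and flag 'file' results whose name does not look like a file.

    Returns a list of dicts with keys: name, type, suspicious (bool) and
    version_hint (version parsed from the name, or None).
    """
    results = []
    for row in rows:
        ctype = classify_component(row)
        match = VERSION_IN_NAME.search(row["name"])
        results.append({
            "name": row["name"],
            "type": ctype,
            "suspicious": ctype == "file" and not looks_like_file_artifact(row["name"]),
            "version_hint": match.group(1) if match else None,
        })
    return results


def review_csv(text):
    """Run the review over CSV text with the sbom.csv header layout."""
    return review_rows(csv.DictReader(io.StringIO(text)))


def suspicious_names(text):
    """Names the heuristic would mark 'file' but which deserve a second look."""
    return [r["name"] for r in review_csv(text) if r["suspicious"]]


if __name__ == "__main__":
    for r in review_csv(SAMPLE_CSV):
        flag = "  <-- review" if r["suspicious"] else ""
        print(f"{r['name']:28} {r['type']:8} version_hint={r['version_hint']}{flag}")
```

Run against the constructed rows, the four names the comment singles out are exactly the ones flagged, and two of them (glibc-iconv-2.40, libidn2-2.3.7) additionally carry a version hint parsed from the name, which is one signal a stricter rule could use before falling back to 'file'.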

Development

Successfully merging this pull request may close these issues.

Mark config files as type=file instead of type=application