Is your feature request related to a problem? Please describe.
Per CycloneDX specification, the components' scope means (see docs)
"required": The component is required for runtime
"optional": The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.
"excluded": Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime.
The current implementation does not set any scope, meaning the fallback to "required" applies.
For dev-dependencies this would be wrong.
Describe the solution you'd like
Mark all components that are dev-dependencies only as "excluded" in the resulting SBOM.
Describe alternatives you've considered
none
Additional context
Add any other context or screenshots about the feature request here.
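The scoping rule requested above, as an added example that is not part of the original issue or the project's code: a component is scoped "excluded" only when it is reachable from dev-dependencies and from no runtime dependency. The graph, package names and the `components_with_scope` helper are constructed for illustration.

```python
import json
from collections import deque

# Constructed sample: a resolved dependency graph (name -> direct dependencies)
# plus the root project's runtime and dev-only direct dependencies.
GRAPH = {
    "http-client": ["url-parser"],
    "url-parser": [],
    "test-runner": ["assert-lib", "url-parser"],
    "assert-lib": ["diff-lib"],
    "diff-lib": [],
    "linter": [],
}
RUNTIME_ROOTS = ["http-client"]
DEV_ROOTS = ["test-runner", "linter"]


def reachable(roots, graph):
    """Return every node reachable from roots (roots included)."""
    seen, queue = set(roots), deque(roots)
    while queue:
        for dep in graph.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def components_with_scope(graph, runtime_roots, dev_roots):
    """Build CycloneDX-style component entries; dev-only ones get scope 'excluded'."""
    runtime = reachable(runtime_roots, graph)
    dev_only = reachable(dev_roots, graph) - runtime
    components = []
    for name in sorted(graph):
        # Anything on a runtime path stays 'required', even if dev tools also use it.
        scope = "excluded" if name in dev_only else "required"
        components.append({"type": "library", "name": name, "scope": scope})
    return components


if __name__ == "__main__":
    bom_fragment = {"components": components_with_scope(GRAPH, RUNTIME_ROOTS, DEV_ROOTS)}
    print(json.dumps(bom_fragment, indent=2))
```

Here `url-parser` is pulled in by both `http-client` and `test-runner`, so it stays "required"; only the components with no runtime path are marked "excluded".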