Extend the dependency schema

[eddie-knight]

This is part of #26

Currently, the dependency example is:

dependencies:
  third-party-packages: true
  dependencies-lists: [list]
  sbom: [nested schema]

In order to streamline analysis of project security, the following values may be beneficial:

• sca-tools: [list]
  • List of any SCA tools used by this project, such as dependabot and others
• consumption-strategy: | Lorum ipsum...
  • Description of the policy this project implements when selecting dependencies.
• upgrade-strategy: | Lorum ipsum
  • Description of the policy this project follows to ensure dependencies are upgraded responsibly.

[luigigubello]

I really love this proposal, especially the upgrade-strategy, even if I would use another name like dependency-upgrade-policy, what do you think?

[luigigubello]

@eddie-knight about sca-tools, we have the section security-testing with some keys dedicated to scanners and other tools (SAST, fuzzer, etc), can we add SCA tools here in your opinion? I think it could work

                    tool-type:
                        $id: '#/properties/security-testing/items/anyOf/0/properties/tool-type'
                        description: 'Type of security test: `sast`, `dast`, `iast` or `fuzzer`.'
                        type: string
                        enum: ['sast', 'dast', 'iast', 'fuzzer']