test: verify that cyclonedx outputs the VCS URL for git repositories

also remove the TODO comment about these URLs, they are now included

nxdbom/__init__.py

@@ -550,8 +550,6 @@ def fmt_bom_cyclonedx_json(bom, software_path):
 
     # possible future extensions:
     # - describe patches applied to components (using components[*].pedigree.patches )
-    # - describe components download URL (using components[*].externalReferences[*].url
-    #    and components[*].hashes )
     # - for egg components, include metadata (licence, author, description) by reading
     #   EGG-INFO/PKG-INFO
     cfgparser = configparser.ConfigParser()

nxdbom/nxdbom_test.py

@@ -762,6 +762,11 @@ def test_bom_cyclonedx_json(tmpdir):
 recipe = slapos.recipe.cmmi
 url = http://download.sourceforge.net/libpng/libpng-1.6.37.tar.xz
 
+[erp5]
+recipe = slapos.recipe.build:gitclone
+repository = https://lab.nexedi.com/nexedi/erp5
+revision = 1234abcd
+
 [eggs]
 recipe = zc.recipe.egg
 _d = /ROOT/develop-eggs
@@ -799,6 +804,16 @@ eggs =
              'type': 'library',
              'version': '1.2.3',
          },
+         {
+             'name': 'erp5',
+             'purl': 'pkg:generic/erp5@1234abcd',
+             'type': 'library',
+             'version': '1234abcd',
+             'cpe': 'cpe:2.3:*:*:erp5:1234abcd:*:*:*:*:*:*:*',
+             'externalReferences': [
+                 {'url': 'https://lab.nexedi.com/nexedi/erp5', 'type': 'vcs'}
+             ],
+         },
          {
              'cpe': 'cpe:2.3:*:*:libpng:1.6.37:*:*:*:*:*:*:*',
              'externalReferences': [