v4 features (#250)

* BREAKING changes
  * Removed support for PHP `<8.0` ([#91] via [#250])
  * Removed support for PHP `<8.1` (via [#250])
  * Removed support for Composer `<2.3` ([#153] via [#250])
  * CLI
    * Removed deprecated composer command `make-bom`, call `composer CycloneDX:make-sbom` instead ([#293] via [#309])
    * Changed option `output-file` to default to `-` now, which causes to print to STDOUT (via [#250])
    * Removed option `exclude-dev` in favour of new option `omit` (via [#250])
    * Removed option `exclude-plugins` in favour of new option `omit` (via [#250])
    * Removed option `no-version-normalization` ([#102] via [#250])
  * SBOM results
    * Components' version is no longer artificially normalized ([#102] via [#250])
  * Dependencies
    * Requires `cyclonedx/cyclonedx-library:^2.0`, was `:^1.4.2` ([#128] via [#250])
* Changed
  * Evidence analysis prefers actually installed packages over lock file ([#122] via [#250])
  * Root component's versions is unset, if version detection fails ([#154] via [#250])
  * Composer packages of type "composer-installer" are treated as composer plugins (via [#250])
* Added
  * Evidence collection knows actually installed packages ([#122] via [#250])
  * SBOM results
    * Support for CycloneDX Spec v1.4 (via [#250])
    * might have `serialnumber` populated ([#279] via [#250])
    * might have `metadata.timestamp` populated ([#112] via [#250])
    * might have `metadata.tools[].tool.externalReferences` populated ([#171] via [#250])
    * might have `components[].component.author` populated ([#261] via [#250])
    * might have `components[].component.properties` populated according to [`cdx:composer` Namespace Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/composer.md) (via [#250])
  * CLI
    * New option `omit` (via [#250])
    * New switch `validate` to override `no-validate` (via [#250])
    * New switches `output-reproducible` and `no-output-reproducible` (via [#250])
* Misc
  * Added demo and reproducible continuous integration test "devReq" that is dedicated to composer's `require-dev` feature (via [#250])
  * Reworked demo setups to be more global-install like (via [#250])

[#91]:  #91
[#102]: #102
[#112]: #112
[#122]: #122
[#128]: #128
[#153]: #153
[#154]: #154
[#171]: #171
[#250]: #250
[#261]: #261
[#279]: #279
[#293]: #293
[#309]: #309
[#313]: #313

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Author: jkowalleck

.gitattributes

@@ -1,34 +1,33 @@
-* text=auto
+* text=auto eol=lf
 
-*.txt         text eol=lf
-*.md          text eol=lf diff=markdown
-*.php         text eol=lf diff=php
-*.json        text eol=lf diff=json
-*.xml         text eol=lf diff=xml
-*.xml.dist    text eol=lf diff=xml
-*.xsd         text eol=lf diff=xml
-*.neon        text eol=lf diff=yaml
-*.neon.dist   text eol=lf diff=yaml
-composer.lock text eol=lf diff=json
+*.txt           text eol=lf
+*.md            text eol=lf diff=markdown
+*.php           text eol=lf diff=php
+*.json          text eol=lf diff=json
+*.xml           text eol=lf diff=xml
+*.xml.dist      text eol=lf diff=xml
+*.xsd           text eol=lf diff=xml
+*.neon          text eol=lf diff=yaml
+*.neon.dist     text eol=lf diff=yaml
+composer.lock   text eol=lf diff=json
 
 # files that are not bundled into the "dist" release are marked `export-ignore`
-.gitattributes          export-ignore
-.gitignore              export-ignore
-.editorconfig           export-ignore
-/.github                export-ignore
-/tests                  export-ignore
-/tools                  export-ignore
-/.php-cs-fixer.dist.php export-ignore
-/phpunit.xml.dist       export-ignore
-/psalm.xml.dist         export-ignore
-/.psalm                 export-ignore
-/HISTORY.md             export-ignore
-/CODEOWNERS             export-ignore
-/CONTRIBUTING.md        export-ignore
-/demo                   export-ignore
-/docs/dev               export-ignore
+/CODEOWNERS                     export-ignore
+/CONTRIBUTING.md                export-ignore
+.gitattributes                  export-ignore
+.gitignore                      export-ignore
+.editorconfig                   export-ignore
+/.*                             export-ignore
+/demo                           export-ignore
+/docs/dev                       export-ignore
+/tests                          export-ignore
+/tools                          export-ignore
+/composer-require-checker.json  export-ignore
+/phpunit.dist.xml               export-ignore
+/psalm.xml.dist                 export-ignore
 
-# files that are forced to be exported in "dist" releaes
-/NOTICE                 -export-ignore
-/LICENSE                -export-ignore
-/semver.txt             -export-ignore
+# files that are forced to be exported in "dist" releases
+/README.*       -export-ignore
+/NOTICE         -export-ignore
+/LICENSE        -export-ignore
+/semver.txt     -export-ignore

.github/FUNDING.yml

@@ -0,0 +1,10 @@
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
+
+## copied from https://github.com/CycloneDX/.github/blob/master/FUNDING.yml
+custom:
+  - "https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX"
+
+## project extras
+github:
+  - jkowalleck
+