We should have a new command `bom check`. It should:

* warn about components that are most probably development dependencies
* optionally do a granularity check
* allow custom rules/policies like shown [here](https://sbom-insights.dev/posts/sbomqs-and-sbom-policies-turning-transparency-into-action/)
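As an added illustration (not code from the `bom` project), a minimal Python sketch of the three proposed checks run over a constructed CycloneDX JSON document; the dev-tool name pattern and the `npm-not-allowed` rule are assumed sample policies, not anything this request specifies:

```python
"""Constructed example of a `bom check`-style policy pass over a CycloneDX JSON SBOM."""
import json
import re

# Constructed sample SBOM (CycloneDX 1.5 shape, trimmed to the fields the checks need).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0", "scope": "required"},
        {"type": "library", "name": "pytest", "version": "8.0.0",
         "purl": "pkg:pypi/pytest@8.0.0", "scope": "excluded"},
        {"type": "library", "name": "eslint", "version": "8.56.0",
         "purl": "pkg:npm/eslint@8.56.0"},
        {"type": "library", "name": "left-pad"},  # no version, no purl: too coarse
    ],
})

# Heuristic (assumed list): names of common build/test tooling, extend per ecosystem.
DEV_TOOL_PATTERN = re.compile(r"^(pytest|eslint|jest|mocha|tox|black|flake8|prettier)$", re.I)

def likely_dev_dependency(c):
    """CycloneDX scope 'excluded' or a name that matches the dev-tool heuristic."""
    return c.get("scope") == "excluded" or bool(DEV_TOOL_PATTERN.match(c.get("name", "")))

def granularity_gaps(c):
    """Fields without which a component cannot be uniquely identified or matched to advisories."""
    return [f for f in ("version", "purl") if not c.get(f)]

# Custom rules: (rule id, predicate that returns True when the component violates it).
DEFAULT_RULES = [
    ("purl-required", lambda c: "purl" not in c),
    ("npm-not-allowed", lambda c: c.get("purl", "").startswith("pkg:npm/")),  # constructed policy
]

def check_sbom(sbom_json, rules=DEFAULT_RULES):
    """Return (component name, finding) tuples, the way a `bom check` report might list them."""
    findings = []
    for c in json.loads(sbom_json).get("components", []):
        name = c.get("name", "<unnamed>")
        if likely_dev_dependency(c):
            findings.append((name, "likely development dependency"))
        for field in granularity_gaps(c):
            findings.append((name, f"missing {field}"))
        for rule_id, violated in rules:
            if violated(c):
                findings.append((name, f"policy violation: {rule_id}"))
    return findings

if __name__ == "__main__":
    for name, finding in check_sbom(SAMPLE_SBOM):
        print(f"WARN {name}: {finding}")
```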