[CDX1.7] guide for "component.isExternal"

[jkowalleck]

based on CycloneDX/specification#321

enhance the SBOM guide on when to mark compoennts as "isExternal".

• use cases are in the ticket
• section followup in the ticket
• additional questions are in [DRAFT] extraneous components and version range constraints specification#326 & feat: support for external components with version-ranges specification#586

also discuss the following:

• transitive dependencies and hashes still make sense for external components -- as they may be version-pinned -> may also hash-pinned
• dont use component's "isExternal"/"versionRange" in VEX/VDR -- in this case we require specificversions
• dont use component's "isExternal"/"versionRange" in OBOM -- in this case all belongs to the system(universe)
  make it clear in the OBOM guide, that there must not be any runtime components with a version range - it just makes no sense
• dont use component's "isExternal"/"versionRange" in MBOM -- in this case all belongs to the build system(universe)
  make it clear in the MBOM guide, that there must not be any build-components with a version range - it just makes no sense