feat: support hatch ecosystem

[jkowalleck]

"Hatch is a modern, extensible Python project manager."
see https://hatch.pypa.io

PREREQUISITE: evaluate whether hatch is able to artifact analyzable data.
see pyproject.toml, hatch.toml, any lock files? -- https://hatch.pypa.io/1.9/intro/

---

TODO: write a roadmap and requirements...

[jkowalleck]

Why not bring the wish/need/topic for CycloneDX SBOM to the @pypa/hatch team themselves, so they could implement it as a CLI tool feature and maintain it as needed.
Nowadays, package managers know that SBOM is a thing, they are waiting for a community request, to justify the effort of implementation ;-)
We, the CycloneDX team, had already good experience with this approach: community members did the first request to the ecosystems, and then we successfully supported the package manager developers and ecosystem maintainers on their way of getting CycloneDX SBOM as a first party feature.
(see npm and conan2)

If the @pypa/hatch people don't see a need for this topic or don't want to provide the feature themselves, then sure come back, so we can discuss a possible solution implemented in clonedx-python/cyclonedx-bom.

PS: the CycloneDX community is proud of their own solutions and implementations to get ecosystems enabled to do proper supply chain assessment, and we will continue doing so. We also love to see ecosystems adopting the topic. 🚀