Update org.cyclonedx.bom version in docs to 2.2.0

[abelsromero]

Silly update to docs.
If I understand the code correctly, cyclonedx's maven plugin is managed and updated automatically.
But SB does nothing for Gradle, so without any automatic bump, the docs still mentioned an old version.
I did some local tests and all seems to work fine. The only thing is that the default cyclonedx's version is 1.6 now, instead of 1.5.

[abelsromero]

I assume this will need to be backported to other branches, let me know which ones.

[wilkinsona]

Arguably, the docs are correct at the moment as they're aligned with the version of the plugin that we test against. We can update the docs for 3.5 but we should update the tested version at the same time. Can you please update this PR to do that?

[abelsromero]

Updated but...again, and it's highly likely I am missing it.
But I don't think there are tests for the JAR/WAR integration, there are plenty for the BOM actuator endpoint. But I suspect JAR test should be in JarIntegrationTests and WarIntegrationTests, and I don't see anything. Plus the commit to add the feature does not include any.

[wilkinsona]

I don't recall the details (perhaps @mhalbritter does), but a key thing is that with these changes we'll be compiling against the version that we're recommending in the docs.

[mhalbritter]

We have some tests for the Packager itself, which is used by jar/war packaging:

spring-boot/spring-boot-project/spring-boot-tools/spring-boot-loader-tools/src/test/java/org/springframework/boot/loader/tools/AbstractPackagerTests.java

Line 660 in 4047c00

void sbomManifestEntriesAreWritten() throws IOException {

But yeah, we don't have any in JarIntegrationTests / WarIntegrationTests.

[abelsromero]

I am not familiar enough with the tests (yet). But it seems something could be improved, let me have a look.

[wilkinsona]

Thanks very much, @abelsromero.

[abelsromero]

I wanted to look into the test, but I can still do that later 😅 Thanks for accepting.