Go module parser includes too many dependencies #1
dlorenc opened this issue May 28, 2021 · 0 comments
Labels: bug (Something isn't working), golang (Issue or feature related to the golang module)


dlorenc commented May 28, 2021

The command here returns too many modules, including some that never make it into the compiled code: https://github.com/spdx/spdx-sbom-generator/blob/master/internal/modules/gomod/handler.go#L86

You can see it for this repo itself:

```
##### Package representing the rsc.io/pdf

PackageName: rsc.io/pdf
SPDXID: SPDXRef-Package-rsc.io/pdf
PackageVersion: v0.1.1
PackageSupplier: NOASSERTION
PackageDownloadLocation: pkg:golang/rsc.io/[email protected]
FilesAnalyzed: false
PackageChecksum: TEST: SHA-1 dac232c78e91cce5aa2489507b1c7a4737b24b42
PackageHomePage: pkg:golang/rsc.io/[email protected]
PackageLicenseConcluded: BSD-3-Clause
PackageLicenseDeclared: BSD-3-Clause
PackageCopyrightText: NOASSERTION
PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION
```

rsc.io/pdf never shows up in the actual import graph for this repo:

```
$ go mod why rsc.io/pdf
# rsc.io/pdf
(main module does not need package rsc.io/pdf)
```

It is used during module version resolution, which is why it shows up in the `go mod graph` output. I don't think these types of "resolution only" packages should show up in an SBOM. It's difficult to do this right, so I want to first discuss here before starting on any code.

NaveenGMProxima referenced this issue in NaveenGMProxima/spdx-sbom-generator Jun 8, 2021
method to get package digest from PyPi added
dealako added the golang and bug labels Jun 9, 2021