Verify that imported boms do not contain unwanted dependency management

[wilkinsona]

spring-boot-dependencies currently contains some dependency management from an imported bom that, ideally, wouldn't be there (#42522). I'd like to detect this sort of problem up front and fail the build when it occurs. We can then either decide to use the bom anyway or manage dependencies individually instead.

[cachescrubber]

Hi @wilkinsona , I stumbled upon similar issues pretty much now and then. Often not directly related to spring boot, but very similar. For example,

• Provide a joinfaces bom without spring-boot-dependencies joinfaces/joinfaces#1974
• Add camunda-only-bom which doesn't include any third-party libraries camunda/camunda-bpm-platform#3795

Usually maintainers are open to change their pom structure, but sometimes it is difficult and tedious to explain the issue. Do you know of any Documentation about naming-conventions and best practices related to publishing dependencies using the bom import mechanism? Ideally the maven project should offer a corresponding page. Also, It would be great to have a "official" Spring Boot documentation for maintainers who publish a bom to be consumed by spring boot.