This is a testcase/example Maven project using the maven-shade-plugin and showing how this is currently (not) embedded into the SBOMs generated by the various SBOM generation plugins.
AFAIK there is no convention on how to express the difference between 'regular' and shaded/embedded dependencies in CycloneDX. Likely it would make sense to make use of the assembly concept in CycloneDX?
Tracking in cyclonedx-maven-plugin#472
In SPDX it looks like the relationshipType for shaded/embedded artifacts should be CONTAINS instead of DYNAMIC_LINK.
Tracking in spdx-maven-plugin#159
When building a final SBOM for a project using this library, the 'regular' dependencies are visible to the project (and may have been overridden by it), so the 'regular' dependencies in the library's SBOM can be ignored. However, the shaded dependencies are not visible in the project's dependency tree, so they need to be taken from the library's published SBOM.
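The three points above (nesting shaded artifacts under the library component, the CycloneDX "assembly" style; mapping that to SPDX CONTAINS vs DYNAMIC_LINK; and a consumer taking only the shaded components from the published SBOM) as one added example. This is illustration code written for this README, not code from this testcase project or from either SBOM plugin. The BOM contents, the Maven coordinates and the set of shaded artifacts are constructed sample data; in a real build the shaded set would come from the shade plugin's configuration.

```python
import copy
import json

# Constructed sample: a flat CycloneDX BOM as a generator emits it today, where
# the shaded and the regular dependency look identical. Coordinates are made up.
LIBRARY_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "library", "group": "org.example", "name": "shaded-lib",
            "version": "1.0.0", "bom-ref": "pkg:maven/org.example/shaded-lib@1.0.0",
        }
    },
    "components": [
        {"type": "library", "group": "org.example", "name": "regular-dep",
         "version": "2.0.0", "bom-ref": "pkg:maven/org.example/regular-dep@2.0.0"},
        {"type": "library", "group": "org.example", "name": "embedded-util",
         "version": "3.1.0", "bom-ref": "pkg:maven/org.example/embedded-util@3.1.0"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/org.example/shaded-lib@1.0.0",
         "dependsOn": ["pkg:maven/org.example/regular-dep@2.0.0",
                       "pkg:maven/org.example/embedded-util@3.1.0"]},
    ],
}

# Constructed (hypothetical): the artifacts the shade plugin embeds into the jar.
SHADED_REFS = {"pkg:maven/org.example/embedded-util@3.1.0"}

# Constructed sample: the consuming project's own BOM. It already sees
# shaded-lib and regular-dep in its dependency tree, and has overridden
# regular-dep to 2.1.0; embedded-util is invisible to it.
CONSUMER_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "app",
                               "version": "0.1", "bom-ref": "pkg:maven/org.example/app@0.1"}},
    "components": [
        {"type": "library", "group": "org.example", "name": "shaded-lib",
         "version": "1.0.0", "bom-ref": "pkg:maven/org.example/shaded-lib@1.0.0"},
        {"type": "library", "group": "org.example", "name": "regular-dep",
         "version": "2.1.0", "bom-ref": "pkg:maven/org.example/regular-dep@2.1.0"},
    ],
}


def nest_shaded(bom, shaded_refs):
    """Return a copy of `bom` where shaded components are moved out of the flat
    top-level list and nested under the main component (CycloneDX assembly style)."""
    out = copy.deepcopy(bom)
    main = out["metadata"]["component"]
    nested, regular = [], []
    for comp in out.get("components", []):
        (nested if comp["bom-ref"] in shaded_refs else regular).append(comp)
    out["components"] = regular
    main["components"] = nested
    # What the jar contains is no longer an external dependency of it.
    for dep in out.get("dependencies", []):
        if dep["ref"] == main["bom-ref"]:
            dep["dependsOn"] = [r for r in dep["dependsOn"] if r not in shaded_refs]
    return out


def shaded_components(bom):
    """The embedded components, i.e. those a consumer cannot see in its own tree."""
    return list(bom["metadata"]["component"].get("components", []))


def spdx_relationships(bom):
    """Express the same split with SPDX relationship types: CONTAINS for the
    embedded artifacts, DYNAMIC_LINK for the regular dependencies."""
    main_ref = bom["metadata"]["component"]["bom-ref"]
    rels = [(main_ref, "CONTAINS", c["bom-ref"]) for c in shaded_components(bom)]
    rels += [(main_ref, "DYNAMIC_LINK", c["bom-ref"]) for c in bom["components"]]
    return rels


def merge_into_consumer(consumer_bom, library_bom):
    """The consumer's own resolved tree already covers the library's regular
    dependencies (possibly overridden), so those are ignored; only the shaded
    components are copied from the library's published BOM, nested under the
    library entry the consumer already has (or a new entry if it has none)."""
    out = copy.deepcopy(consumer_bom)
    comps = out.setdefault("components", [])
    main = library_bom["metadata"]["component"]
    entry = next((c for c in comps if c["bom-ref"] == main["bom-ref"]), None)
    if entry is None:
        entry = {k: v for k, v in main.items() if k != "components"}
        comps.append(entry)
    entry["components"] = copy.deepcopy(shaded_components(library_bom))
    return out


if __name__ == "__main__":
    nested = nest_shaded(LIBRARY_BOM, SHADED_REFS)
    print(json.dumps(merge_into_consumer(CONSUMER_BOM, nested), indent=2))
    for rel in spdx_relationships(nested):
        print(" ".join(rel))
```

Note that `nest_shaded` also removes the embedded artifact from the library's `dependsOn` list: a consumer walking the CycloneDX dependency graph would otherwise try to resolve it as a regular dependency, which is exactly the artifact it cannot see.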