feat: add support for spec v1.5

[nscuro]

This PR implements support for version 1.5 of the CycloneDX specification.

Coverage

See https://github.com/CycloneDX/specification/milestone/6

• Added firstIssued and lastUpdated timestamps to vulnerability analysis specification#176 (861c438)
• Add licensing support and unit tests specification#175 (dcb7270)
• Added property support to license along with unit tests specification#177 (56f6336)
• Add annotations support and valid test cases specification#169 (b038935)
• Adding support for security contact specification#180 (b7a6c14)
• Adding support vulnerability rejected timestamp along with unit tests specification#181 (b23bd53)
• Added additional external references specification#189 (781a647)
• Added device driver component type specification#190 (9ee6ffd)
• Extend service dataflow support specification#194
  • Decoupled to Implement extended data flow support #130
• Added support for CVSSv4 specification#195 (7be18ae)
• Deprecated tool in favor of components and services used as tools specification#198
• Added identity and occurrences to evidence. Updated test cases. specification#199 (07a5e86)
• Add proof of concept support to vulnerability specification#200 (9f77462)
• Added support for ML specification#209 (bcf4b6f)
• Add SSVC to existing rating methods specification#224 (5fcf21c)
• Added formulation support and test cases specification#222 (8c9798c)
• Adding external reference support for adversary model and risk assessment specification#215 (cb23c44)
• Added lifecycle support specification#213 (d7e68f3)
• Added additional compositions and identity specification#212 (637efcd)

Note
More changes are to come as the spec approaches the v1.5 release.

Closes #109
Closes #115

[wagoodman]

It looks like all tasks on this PR are completed (merged), does that mean that full support for 1.5 is complete? or is there more work needed?

[nscuro]

Hey @wagoodman apologies for the delayed response. You are correct that most features are implemented, however the majority is not merged to main yet. The PRs I linked in the description above are from the upstream specification repository (to help me keep track of which features need implementation).

There are some more or less minor tasks outstanding (see #115). Depending on which features of v1.5 you need, perhaps v0.7.2 is sufficient for you already. If you need something that has not been released yet, let me know and I'll see if I can expedite.

[chris-rock]

If I see this right, EvidenceOccurrences is missing from 1.5 spec in the implementation.

[bluesentinelsec]

@nscuro Hello, I just wanted to raise a demand signal regarding support for the updated Tools object.

Do you have an ETA for this at this time?

I know you're habitually busy and don't mean to pile on.

The deprecated Tools array is causing one of our services to throw spec-compliance errors, i.e., (array found, object expected), so I am just weighing options right now.

[nscuro]

Hey @bluesentinelsec thanks for reaching out. Actually I'll have a go at this on the weekend. I am annoyed myself that I haven't yet managed to get this done. I will not promise anything but I'll make an effort to ship at least what has been done so far in this PR, as well as a solution to the tools situation.

[nscuro]

@chris-rock EvidenceOccurrence is already there:

cyclonedx-go/cyclonedx.go

Lines 358 to 361 in 64eb0c8

	type EvidenceOccurrence struct {
	BOMRef string `json:"bom-ref,omitempty" xml:"bom-ref,attr,omitempty"`
	Location string `json:"location,omitempty" xml:"location,omitempty"`
	}

[nscuro]

Decoupled the last remaining task into #130 to get this PR merged.