
Update Dependency-Track BOM to Support CycloneDX 1.5 #3602

Open
2 tasks done
msymons opened this issue Apr 4, 2024 · 1 comment
Labels
cdx-1.5 Related to CycloneDX specification v1.5 enhancement New feature or request good first issue Good for newcomers size/S Small effort
Milestone

Comments

@msymons
Member

msymons commented Apr 4, 2024

Current Behavior

The latest release of DT is v4.10.1 and the BOM is published as a release asset.

The BOM is generated using CycloneDX v2.7.9 which only supports CDX 1.4.

Proposed Behavior

  • Upgrade plugin from 2.7.9 to 2.8.0 (or later)
  • Ensure that specVersion = 1.5
  • Plugin v2.8.0 automatically adds 'build' lifecycle phase when BOM is CDX 1.5. But is this phase correct for our release BOM?
  • Add additional External Reference of type documentation (via plugin config) to link to DT documentation website.
  • Ditto for chat (link to Slack)
  • The 4.10.1 BOM contains the following External Reference:

        {
          "url": "https://oss.sonatype.org/service/local/staging/deploy/maven2/",
          "type": "distribution"
        },

    ...which the plugin v2.8.0 will change to distribution-intake. Thus, distribution should be defined in plugin configuration to point to the actual download location.
  • Add additional External References that are deemed to be useful: security-contact? release-notes? The list of possibilities is big.

The intention of this enhancement is to provide additional value in the BOM, but also to use the BOM as a reference implementation (which will also apply once the BOM is uploaded to a DT instance for analysis).

Checklist
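As an added example (not Dependency-Track's or the CycloneDX Maven plugin's own code), here is a small post-generation check that a release BOM actually satisfies the points listed above: specVersion 1.5, the expected lifecycle phase, the presence of distribution/documentation/chat external references, and no distribution reference left pointing at the Sonatype staging endpoint (which is an intake location, not a download location). The two BOM documents embedded in it are constructed to illustrate the 4.10.1 state and the intended target state; the documentation, chat and distribution URLs in the target document are placeholders, not the project's final choices, and the exact set of required reference types is taken from this issue rather than from the CycloneDX specification.

```python
"""Post-generation checks for a CycloneDX JSON BOM.

Added illustration for this issue; not Dependency-Track or plugin code.
Both sample BOMs below are constructed for the example.
"""
import json
from typing import Dict, List, Optional

# Reference types this issue proposes the release BOM should carry
# (assumption: taken from the issue text, not a spec requirement).
REQUIRED_REF_TYPES = ("chat", "distribution", "documentation")

# URL fragment that identifies a Sonatype staging endpoint, i.e. a place
# artifacts are deployed *to*, not a place users download them *from*.
STAGING_MARKER = "/service/local/staging/"

# Constructed approximation of the 4.10.1 release BOM (plugin 2.7.9, CDX 1.4).
BOM_4_10_1 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {"type": "application", "name": "dependency-track",
                      "version": "4.10.1"},
    },
    "externalReferences": [
        {"url": "https://oss.sonatype.org/service/local/staging/deploy/maven2/",
         "type": "distribution"},
    ],
    "components": [],
})

# Constructed target state after plugin 2.8.0 plus the proposed configuration.
# The documentation/chat/distribution URLs are placeholders.
BOM_TARGET = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "lifecycles": [{"phase": "build"}],
        "component": {"type": "application", "name": "dependency-track",
                      "version": "4.11.0-PLACEHOLDER"},
    },
    "externalReferences": [
        {"url": "https://oss.sonatype.org/service/local/staging/deploy/maven2/",
         "type": "distribution-intake"},
        {"url": "https://example.invalid/dependency-track/releases",
         "type": "distribution"},
        {"url": "https://example.invalid/docs", "type": "documentation"},
        {"url": "https://example.invalid/slack", "type": "chat"},
    ],
    "components": [],
})


def _external_references(bom: Dict) -> List[Dict]:
    """Collect external references from both places a generator may put
    them: the document top level and metadata.component."""
    refs = list(bom.get("externalReferences", []))
    component = bom.get("metadata", {}).get("component", {})
    refs += component.get("externalReferences", [])
    return refs


def check_bom(bom_text: str, expected_spec: str = "1.5",
              expected_phase: Optional[str] = None) -> List[str]:
    """Return a list of human-readable findings; an empty list means the
    BOM meets every requirement checked here."""
    bom = json.loads(bom_text)
    findings: List[str] = []

    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not 'CycloneDX'")

    spec = bom.get("specVersion")
    if spec != expected_spec:
        findings.append(f"specVersion is {spec!r}, expected {expected_spec!r}")

    # metadata.lifecycles only exists from CDX 1.5 onward.
    lifecycles = bom.get("metadata", {}).get("lifecycles", [])
    phases = [lc.get("phase") for lc in lifecycles]
    if expected_phase is not None and expected_phase not in phases:
        findings.append(
            f"lifecycle phase {expected_phase!r} not present (found {phases})")

    refs = _external_references(bom)
    present = {r.get("type") for r in refs}
    for ref_type in REQUIRED_REF_TYPES:
        if ref_type not in present:
            findings.append(f"missing externalReference of type {ref_type!r}")

    # A 'distribution' reference must be a real download location. A staging
    # URL still filed under 'distribution' means the config was not updated.
    for r in refs:
        if r.get("type") == "distribution" and STAGING_MARKER in r.get("url", ""):
            findings.append(
                f"distribution reference points at a staging endpoint: {r['url']}")

    return findings


if __name__ == "__main__":
    for label, doc in (("4.10.1", BOM_4_10_1), ("target", BOM_TARGET)):
        print(label, check_bom(doc, expected_phase="build") or ["OK"])
```

Running it against a real release asset is a matter of reading the file instead of the embedded string; the same check can be run again on the BOM after the services BOM has been merged in, since the merge must not drop the metadata or references the plugin configuration added.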

@msymons msymons added enhancement New feature or request cdx-1.5 Related to CycloneDX specification v1.5 labels Apr 4, 2024
@nscuro nscuro added good first issue Good for newcomers size/S Small effort labels Apr 5, 2024
@nscuro
Member

nscuro commented Apr 5, 2024

Should also update https://github.com/DependencyTrack/dependency-track/blob/master/src/main/resources/services.bom.json

And ensure the merging of the BOM generated during the build, and the services BOM linked above still works. For reference, this command is executed in CI to achieve this:

mvn package -Dmaven.test.skip=true -P enhance -P embedded-jetty -Dservices.bom.merge.skip=false -Dlogback.configuration.file=src/main/docker/logback.xml

The merge is performed using the CycloneDX CLI:

dependency-track/pom.xml

Lines 516 to 540 in 757a966

<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>exec-maven-plugin</artifactId>
  <executions>
    <execution>
      <id>merge-services-bom</id>
      <phase>prepare-package</phase>
      <goals>
        <goal>exec</goal>
      </goals>
      <configuration>
        <executable>${cyclonedx-cli.path}</executable>
        <arguments>
          <argument>merge</argument>
          <argument>--input-files</argument>
          <argument>${project.build.directory}/bom.json</argument>
          <argument>${project.basedir}/src/main/resources/services.bom.json</argument>
          <argument>--output-file</argument>
          <argument>${project.build.directory}/bom.json</argument>
        </arguments>
        <skip>${services.bom.merge.skip}</skip>
      </configuration>
    </execution>
  </executions>
</plugin>

It may be necessary to update the CLI in order to support CDX v1.5. In that case, this step in CI must be changed accordingly:

- name: Setup CycloneDX CLI
  run: |
    mkdir -p "$HOME/.local/bin"
    echo "$HOME/.local/bin" >> "$GITHUB_PATH"
    wget -O "$HOME/.local/bin/cyclonedx" https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.24.2/cyclonedx-linux-x64
    echo "ef0d3b31d176e02bc594f83e19cfcea053c6bc5b197351f71696e189390f851d $HOME/.local/bin/cyclonedx" | sha256sum -c
    chmod +x "$HOME/.local/bin/cyclonedx"

@msymons msymons added the gnomes Issues for milestone planning and effort estimation by the DT team label Apr 24, 2024
@nscuro nscuro added this to the 4.12 milestone May 7, 2024
@nscuro nscuro removed the gnomes Issues for milestone planning and effort estimation by the DT team label May 7, 2024