
Add support for component modification

Open stevespringett opened this issue 5 years ago • 2 comments

One of the benefits of an SBOM first approach in a build pipeline is to be able to correct component identity and other data during a build.

Examples:

  • Correcting the group, name, version, and PURL due to incorrect identity information in an organizational repo (nexus, artifactory, etc).
  • Correcting license data in the event of dual licenses (choice of open source and commercial license)
  • Specifying a component is derived from another component (an org forks and modifies a library) so that accurate Pedigree information can be applied
  • Applying CPEs and/or SWIDs to components in the event an org knows what they are in advance
  • etc, etc, etc

Currently, organizations can opt to do this, but they have to roll their own solution to achieve it. The goal of this enhancement is to make this functionality accessible to all, thus lowering the maturity and investment required to produce the most accurate inventory possible.

stevespringett, Nov 05 '20 16:11
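The corrections listed in the issue (identity, license choice, pedigree, CPE) applied as a post-processing step over a CycloneDX JSON BOM, as an added example; this is not cyclonedx-cli code and does not reflect how the project implemented the feature. The sample BOM, the rule format, the component and package names, and the `example:original-purl` property name are all constructed for illustration; the component field names follow the CycloneDX 1.4 JSON schema. Rules are matched against a snapshot of each component as the build tool emitted it, so a rule that rewrites a purl does not hide the component from later rules, `bom-ref` is never touched so the `dependencies` graph keeps resolving, and rules that match nothing are reported rather than silently ignored.

```python
"""Post-process a CycloneDX JSON SBOM with organizational correction rules.

Added example (not cyclonedx-cli code). The BOM, rule format and the
"example:original-purl" property name are constructed for illustration;
component field names follow the CycloneDX 1.4 JSON schema.
"""
import copy
import json
import sys

# Constructed sample: a build tool emitted identities as seen through an
# internal mirror repo, left a dual license unresolved, and does not know
# that widget-utils is an in-house fork of an upstream package.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "ref-widget-core",
         "group": "internal-mirror", "name": "widget-core", "version": "1.4.2",
         "purl": "pkg:maven/internal-mirror/widget-core@1.4.2"},
        {"type": "library", "bom-ref": "ref-example-dual",
         "name": "example-dual", "version": "1.2.3",
         "purl": "pkg:npm/example-dual@1.2.3",
         "licenses": [{"license": {"id": "GPL-2.0-only"}},
                      {"license": {"name": "Example Commercial License"}}]},
        {"type": "library", "bom-ref": "ref-widget-utils",
         "name": "widget-utils", "version": "3.0.0-acme.1",
         "purl": "pkg:npm/widget-utils@3.0.0-acme.1"},
    ],
    "dependencies": [
        {"ref": "ref-widget-core", "dependsOn": ["ref-widget-utils"]},
    ],
}

# Constructed rule set. Each rule matches on the component's fields as emitted
# by the build tool and states what the organization knows to be correct.
CORRECTIONS = [
    # Identity fix: the mirror reported the wrong group; also attach a CPE.
    {"match": {"purl": "pkg:maven/internal-mirror/widget-core@1.4.2"},
     "set": {"group": "com.example",
             "purl": "pkg:maven/com.example/widget-core@1.4.2"},
     "cpe": "cpe:2.3:a:example:widget-core:1.4.2:*:*:*:*:*:*:*"},
    # Dual-licensed package: the organization took the commercial option.
    {"match": {"purl": "pkg:npm/example-dual@1.2.3"},
     "licenses": [{"license": {"name": "Example Commercial License"}}]},
    # In-house fork: record the upstream package as a pedigree ancestor.
    {"match": {"name": "widget-utils", "version": "3.0.0-acme.1"},
     "ancestor": {"type": "library", "name": "upstream-utils",
                  "version": "3.0.0", "purl": "pkg:npm/upstream-utils@3.0.0"}},
    # Stale rule that no longer matches anything; flagged by unmatched_rules().
    {"match": {"purl": "pkg:npm/retired-lib@0.9.0"},
     "set": {"version": "0.9.1"}},
]

ORIGINAL_PURL_PROPERTY = "example:original-purl"  # assumed, org-specific name


def _matches(component, match):
    """True when every field in `match` equals the component's value."""
    return all(component.get(key) == value for key, value in match.items())


def apply_corrections(bom, rules):
    """Return a corrected deep copy of `bom`; the input is left untouched."""
    fixed = copy.deepcopy(bom)
    for comp in fixed.get("components", []):
        # Match against a snapshot so a rule that rewrites the purl does not
        # hide the component from later rules keyed on the original purl.
        emitted = copy.deepcopy(comp)
        for rule in rules:
            if not _matches(emitted, rule["match"]):
                continue
            comp.update(rule.get("set", {}))
            if "cpe" in rule:
                comp["cpe"] = rule["cpe"]
            if "licenses" in rule:
                comp["licenses"] = copy.deepcopy(rule["licenses"])
            if "ancestor" in rule:
                pedigree = comp.setdefault("pedigree", {})
                pedigree.setdefault("ancestors", []).append(
                    copy.deepcopy(rule["ancestor"]))
        # Keep a trace of the identity the build tool actually emitted, and
        # never touch bom-ref so the dependency graph keeps resolving.
        if emitted.get("purl") and comp.get("purl") != emitted.get("purl"):
            comp.setdefault("properties", []).append(
                {"name": ORIGINAL_PURL_PROPERTY, "value": emitted["purl"]})
    # A corrected BOM is a new revision of the same inventory.
    fixed["version"] = int(fixed.get("version", 1)) + 1
    return fixed


def unmatched_rules(bom, rules):
    """Rules that match no component: a silent no-op is usually drift."""
    comps = bom.get("components", [])
    return [r for r in rules if not any(_matches(c, r["match"]) for c in comps)]


if __name__ == "__main__":
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BOM
    for rule in unmatched_rules(bom, CORRECTIONS):
        print("warning: rule matched nothing:", rule["match"], file=sys.stderr)
    print(json.dumps(apply_corrections(bom, CORRECTIONS), indent=2))
```

Run with a BOM path as the first argument (or without one to use the embedded sample); the corrected BOM goes to stdout and unmatched rules to stderr, so the build step can fail on the warning if it wants to treat a stale rule as an error.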

I would go further: we should support modifying any element within the SBOM.

I can see it being quite handy for organizations creating SBOMs with one of the ecosystem-specific tools, then using this tool to add additional SBOM metadata like organization, etc.

Maybe something like jq? https://stedolan.github.io/jq/ Although it has a bit of a learning curve.

coderpatros, Nov 05 '20 21:11

I would like to create a metadata file when creating a container or a VM with input for any scanners to enhance the SBOM. Apart from stuff like names, PURL and so on, I would like to add metadata to affect CVSS calculation. I know at that time, when creating a Dockerfile or Ansible scripts, why I install certain components and the significance of them in this particular system.

oej, Aug 28 '23 15:08