Add country of origin to HBOM spec

[ddillard]

Motivation

We have a number of customers that want HBOM like data from us (i.e. a list of components), but they want to also know the country of origin of the component and currently the CDX HBOM does not appear to provide this information.

Proposal

Here's what I have in mind:

• Add an optional property to the component with a "name" of "cdx:device:countryOfOrigin" (at least that's what it would be in SPDX JSON format).
• What constitutes the country of origin is defined in International Certificate of Origin Guidelines: Facilitating trade through global origin procedures provided by the International Chamber of Commerce. This is commonly used in international trade to provide a Certificate of Origin for an item.
• The country of origin would be noted in the corresponding "value" field using ISO-3166-1 alpha-2.

Example:

{
// ...
"properties": [
        {
          "name": "cdx:device:countryOfOrigin",
          "value": "TW"
        },
        // ...
],
}

[jkowalleck]

@ddillard would you prepare a pullrequest with the needed changes? see
https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md