spdx / cdx2spdx

Utility that converts SBOM documents from CycloneDX to SPDX
Apache License 2.0
27 stars, 8 forks

Support for CycloneDX 1.5 or 1.6 #41

Open flemminglau opened 2 months ago

flemminglau commented 2 months ago

I am a bit unsure, as it is not very well defined in the sources, but it seems we are linking with cyclonedx.core.java 7.3.2, which is from Feb 2023.

I guess this means that we are at CycloneDX 1.4 level?

I have the issue right now that my SBOMs contain a components.externalReferences[].type="distribution-intake", which I believe is new in 1.5.

That fails, in a quite inelegant way.
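As an added example (not part of this issue thread and not cdx2spdx's own code), a small Python pre-flight check that reports a CycloneDX JSON BOM's specVersion and every externalReferences[].type outside the 1.4 enumeration, so that a converter built on a 1.4-era cyclonedx-core-java can be expected to reject the file before it is run. The 1.4 type list is transcribed from the 1.4 JSON schema as an assumption to verify against the schema you ship; the sample BOM is constructed.

```python
import json

# External reference types in the CycloneDX 1.4 JSON schema.
# Assumption: transcribed from the 1.4 schema; verify against your copy.
CDX_14_EXTREF_TYPES = {
    "vcs", "issue-tracker", "website", "advisories", "bom", "mailing-list",
    "social", "chat", "documentation", "support", "distribution", "license",
    "build-meta", "build-system", "release-notes", "other",
}


def _walk_components(components):
    """Yield every component, including nested components[].components."""
    for comp in components or []:
        yield comp
        yield from _walk_components(comp.get("components"))


def preflight(bom: dict) -> dict:
    """Return the specVersion and (component name, type) pairs whose
    externalReferences[].type is not in the 1.4 enumeration."""
    candidates = list(_walk_components(bom.get("components")))
    meta_comp = bom.get("metadata", {}).get("component")
    if meta_comp:
        candidates.extend(_walk_components([meta_comp]))
    unsupported = [
        (comp.get("name"), ref.get("type"))
        for comp in candidates
        for ref in comp.get("externalReferences", [])
        if ref.get("type") not in CDX_14_EXTREF_TYPES
    ]
    return {"specVersion": bom.get("specVersion"),
            "unsupported_extref_types": unsupported}


# Constructed sample: a 1.5 BOM carrying the type from the report above.
SAMPLE_BOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [{
    "type": "library", "name": "acme-lib", "version": "1.0.0",
    "externalReferences": [
      {"type": "website", "url": "https://example.invalid/acme"},
      {"type": "distribution-intake", "url": "https://example.invalid/intake"}
    ]
  }]
}"""
SAMPLE_BOM = json.loads(SAMPLE_BOM_JSON)

if __name__ == "__main__":
    print(preflight(SAMPLE_BOM))
```

Run it over a real BOM with `preflight(json.load(open(path)))`; an empty `unsupported_extref_types` list means the external reference types at least are within what a 1.4 converter understands.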

goneall commented 2 months ago

@flemminglau you are correct, this library has not been updated for later CDX libraries or versions after 1.4.

In addition to updating the libraries, we'll also need to re-look at any mappings of the values.

Once we have the Java libraries for SPDX 3.0, I can update both CDX and SPDX to the latest - likely 2-3 weeks.

jlplenio commented 1 month ago

I am also interested in converting from CycloneDX 1.5 to SPDX.

goneall commented 1 month ago

Thanks @jlplenio for your interest. Just a quick update: I'm still working on the SPDX 3.0 libraries, which is taking longer than expected. Once that is done, I'll update this library with the latest SPDX and CDX versions.