Testing using schemaVersion 1.2 and 1.3, cyclonedx-maven-plugin 2.5.2 will generate an SBOM that includes externalReferences for components in the SBOM. They should be included for the BOM itself, as allowed for by the spec:
> External references provide a way to document systems, sites, and information that may be relevant but which are not included with the BOM. External references can be applied to individual components, services, or to the BOM itself.
The external references would thus, for me, incorporate elements that are supposed to be found in all our project POMs. To illustrate a few (apart from the obvious vcs and distribution):
- issue-tracker (issueManagement in POM) would reference not only our JIRA, but the project in JIRA.
- website (url in POM) would reference not only our Confluence server, but a project-specific page in Confluence.
- build-system (ciManagement in POM) would reference the Jenkins server plus project... especially useful when there are multiple build servers and people often create projects whose names can deviate from what might be sensibly expected.
Using Dependency-Track as an example (although the external references could be used by anything):
- Clickable links to the build system (useful when, say, a BOM has not been uploaded recently)
- Clickable links to the issue tracker to create issues based on what one sees in DT
- etc.
Additionally, the planned implementation of customisable notification templates in DT would (hopefully) open up the possibility of using external references in alerts. Or maybe a webhook could allow integration with GitHub PRs?
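The mapping the request describes, as an added example that is not part of the original issue and not the plugin's own code: it reads the POM elements named above (scm, issueManagement, url, ciManagement, distributionManagement), turns each into a CycloneDX externalReference of the corresponding type, and attaches them to the BOM's metadata.component, which exists in both schema 1.2 and 1.3. The sample POM is constructed for this example; the URLs and the `vague_references` check (which flags a reference that points at a server root instead of a project-specific page, the distinction the issue draws for JIRA and Confluence) are this example's own choices.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample POM for this example; not a real project.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>sample-app</artifactId>
  <version>1.0.0</version>
  <url>https://confluence.example.com/display/SAMPLE</url>
  <scm>
    <url>https://github.com/example/sample-app</url>
    <connection>scm:git:https://github.com/example/sample-app.git</connection>
  </scm>
  <issueManagement>
    <system>JIRA</system>
    <url>https://jira.example.com/projects/SAMPLE</url>
  </issueManagement>
  <ciManagement>
    <system>Jenkins</system>
    <url>https://jenkins.example.com/job/sample-app/</url>
  </ciManagement>
  <distributionManagement>
    <repository>
      <id>releases</id>
      <url>https://nexus.example.com/repository/releases/</url>
    </repository>
  </distributionManagement>
</project>
"""

# (POM path of the URL, POM path of an optional comment, CycloneDX reference type).
# The type names are the ones the CycloneDX externalReference enumeration uses.
POM_TO_REFERENCE = [
    ("scm/url", None, "vcs"),
    ("issueManagement/url", "issueManagement/system", "issue-tracker"),
    ("url", None, "website"),
    ("ciManagement/url", "ciManagement/system", "build-system"),
    ("distributionManagement/repository/url", "distributionManagement/repository/id", "distribution"),
]


def _text(root, path):
    """Stripped text of the first element at a slash-separated POM path, or None."""
    qualified = "/".join("{%s}%s" % (POM_NS, part) for part in path.split("/"))
    el = root.find(qualified)
    if el is None or el.text is None or not el.text.strip():
        return None
    return el.text.strip()


def external_references(pom_xml):
    """Build the externalReferences array from the POM's project-level elements."""
    root = ET.fromstring(pom_xml)
    refs, seen = [], set()
    for url_path, comment_path, ref_type in POM_TO_REFERENCE:
        url = _text(root, url_path)
        if url is None or (ref_type, url) in seen:
            continue  # element absent or already emitted: skip rather than emit an empty reference
        seen.add((ref_type, url))
        ref = {"type": ref_type, "url": url}
        comment = _text(root, comment_path) if comment_path else None
        if comment:
            ref["comment"] = comment  # e.g. the tracker or CI product name from <system>
        refs.append(ref)
    return refs


def vague_references(refs):
    """Reference types whose URL is only a server root, not a project-specific page."""
    return [r["type"] for r in refs if urlparse(r["url"]).path.strip("/") == ""]


def build_bom(pom_xml, spec_version="1.3"):
    """Minimal CycloneDX JSON document with the references on metadata.component."""
    root = ET.fromstring(pom_xml)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": spec_version,
        "version": 1,
        "metadata": {
            "component": {
                "type": "application",
                "group": _text(root, "groupId"),
                "name": _text(root, "artifactId"),
                "version": _text(root, "version"),
                "externalReferences": external_references(pom_xml),
            }
        },
        "components": [],
    }


if __name__ == "__main__":
    print(json.dumps(build_bom(SAMPLE_POM), indent=2))
```

Running the module prints the BOM fragment; a consumer such as Dependency-Track can then render the vcs, issue-tracker, website, build-system and distribution entries as links. Whether the schema version in use also permits a top-level externalReferences array on the BOM document itself is not checked here; placing them on metadata.component is valid in both versions the issue tests against.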