
[ENHANCEMENT] Investigate OmniBOR (aka gitbom) integration

Open sambhav opened this issue 3 years ago • 1 comments

gitbom is a minimal specification to generate an artifact tree and a unique identifier for an artifact that is metadata agnostic and only depends on the artifact byte contents. If adopted widely and integrated with build tools, it can potentially solve some interesting problems https://gitbom.dev/glossary/sbom/#gitbom-compliments-sbom

Should we consider adding fields in the 1.5 cyclonedx schema to support gitbom ids and documents?

Relevant links - https://gitbom.dev/

sambhav avatar Feb 09 '22 08:02 sambhav

There are a lot of "ifs" that are required in order to make gitbom semi-useful.

  • Every artifact tree example detailed at https://gitbom.dev/glossary/artifact_tree/ can easily be represented in CDX, either inline in an SBOM, or externally in an independent evidence-based CDX BOM.
  • Their goal of "An artifact should have precisely one artifact tree. All equivalent artifacts should have the same artifact tree" is reflected in the CDX assembly model, which is specifically designed for this. Unlike SPDX, which cannot achieve this through its flat list of relationships, CDX was designed with this use case in mind, as it mimics the reality of physical supply chains.
  • Introduces yet another identifier, a "fingerprint", which is not currently in use by any source of vulnerability intelligence.
  • There are a lot of gaps that the spec doesn't address.

With that said, CDX can already support it via the bom external reference type. https://cyclonedx.org/docs/1.4/json/#components_items_externalReferences_items_type

stevespringett avatar Feb 09 '22 15:02 stevespringett
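The two points made in this thread, a content-only artifact identifier (first post) and carrying the resulting gitbom document through CycloneDX's existing `bom` external reference type (second post), can be shown end to end in one small script. This is an added example, not code from either commenter, from the gitbom/OmniBOR project, or from the CycloneDX project. It assumes the gitbom identifier is built like a git blob object ID (hash over `blob <size>\0` plus the raw bytes) and that a gitbom document is a sorted list of `blob <id>` lines; the artifact bytes, the `demo-app` component and the `example.invalid` URL are constructed placeholders.

```python
import hashlib
import json

# Constructed sample inputs standing in for real build inputs (object files).
SAMPLE_ARTIFACTS = {
    "main.o": b"\x7fELF placeholder bytes for main.o",
    "util.o": b"\x7fELF placeholder bytes for util.o",
}


def gitoid(data: bytes, algorithm: str = "sha1") -> str:
    """Content-only identifier for an artifact.

    Assumed to follow the git blob object-ID construction that gitbom/OmniBOR
    reuses: hash("blob <size>\\0" + bytes). No file name, path, timestamp or
    other metadata enters the hash, so identical bytes always get the same id.
    """
    header = b"blob " + str(len(data)).encode() + b"\x00"
    return hashlib.new(algorithm, header + data).hexdigest()


def gitbom_document(artifact_ids) -> str:
    """Artifact tree for one build step.

    Assumed format: one 'blob <gitoid>' line per input, sorted so that two
    builds consuming the same set of inputs produce byte-identical documents
    (and therefore the same document id).
    """
    return "".join(f"blob {aid}\n" for aid in sorted(artifact_ids))


def cyclonedx_component(name: str, version: str, bom_doc: str, bom_url: str) -> dict:
    """CycloneDX 1.4 component that points at the gitbom document through the
    existing 'bom' externalReferences type. The reference carries the gitoid
    of the document itself as a SHA-1 hash so a consumer can verify that what
    it fetched from the URL is the document the SBOM author meant."""
    return {
        "type": "application",
        "name": name,
        "version": version,
        "externalReferences": [
            {
                "type": "bom",
                "url": bom_url,
                "comment": "gitbom/OmniBOR artifact tree for this build (assumed usage)",
                "hashes": [{"alg": "SHA-1", "content": gitoid(bom_doc.encode())}],
            }
        ],
    }


def build_example():
    """Tie the pieces together for the constructed sample artifacts."""
    ids = [gitoid(data) for data in SAMPLE_ARTIFACTS.values()]
    doc = gitbom_document(ids)
    # Placeholder location; a real pipeline would publish the document somewhere
    # addressable by its id.
    url = "https://example.invalid/gitbom/" + gitoid(doc.encode())
    return doc, cyclonedx_component("demo-app", "1.0.0", doc, url)


if __name__ == "__main__":
    doc, component = build_example()
    print(doc)
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": [component]}
    print(json.dumps(sbom, indent=2))
```

Renaming an input file, or listing the same inputs in a different order, leaves both the artifact ids and the document id unchanged, which is the "metadata agnostic" property the first post describes; the second post's point is that no new schema field is needed to reference the result, since `externalReferences` with `type: bom` and a `hashes` entry already exists in CycloneDX 1.4.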