Add `tea-collection` external reference type
Adds a new type to reference a TEA Collection object. A Transparency Exchange API Collection for the most part is a replacement of the externalReferences object, but provides a versioned and modifiable view of all security-related documents for a given CycloneDX Component.
The easiest way to integrate a TEA Collection into CycloneDX is to introduce a new type of externalReference that points:
- either to the TEA Collection object itself (this is what this PR proposes)
- or to the TEA Component Release object
Closes #633
Note: This PR is a draft until beta1 of the Transparency Exchange API is published.
Why not a TEI?
Using the TEI doesn't seem very practical in this context:
- If we provide the URL to the (latest) TEA Collection (https://example.com/tea/v1/release/3f92c28c-13c9-4e32-8d5b-5f8ae77ef265/collection) only one TEA API call is required to see all documents.
- If we provide the URL to the TEA Component Release (https://example.com/tea/v1/release/3f92c28c-13c9-4e32-8d5b-5f8ae77ef265) a client can easily retrieve the TEA Collection by appending /collection.
- If we use the TEI some complex logic must be used to find the right TEA Collection object, since a client will need to find:
  - The appropriate TEA Component. For a software package this can be done by comparing PURLs, for a hardware device I don't know.
  - The appropriate TEA Component Release. Again, it is not very clear how to find the appropriate one.
Certainly using TEI would be more stable if the URL of the TEA Service changes, but the logic to implement its usage seems quite complex.
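Both URL shapes discussed in this thread (the PR's proposed reference pointing at the TEA Collection, and the Component Release alternative from which /collection is derived), worked as an added example that is not part of this PR or of CycloneDX: a consumer reads the proposed `tea-collection` references out of a constructed CycloneDX JSON BOM and normalises each to a Collection URL, rejecting non-https targets so an untrusted BOM cannot point it at an arbitrary location. The BOM contents and the `tea_collection_url` / `collect_tea_collections` helpers are assumptions for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample CycloneDX JSON BOM (not from the PR). "tea-collection" is
# the reference type this PR proposes; the URLs reuse the example.com values
# from the discussion, and the last reference is deliberately plain http.
SAMPLE_BOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.7", "components": [
  {"type": "library", "name": "example-lib", "version": "2.4.1",
   "purl": "pkg:maven/com.example/example-lib@2.4.1",
   "externalReferences": [
     {"type": "vcs", "url": "https://github.com/example/example-lib"},
     {"type": "tea-collection",
      "url": "https://example.com/tea/v1/release/3f92c28c-13c9-4e32-8d5b-5f8ae77ef265/collection"}]},
  {"type": "library", "name": "other-lib", "version": "1.0.0",
   "externalReferences": [
     {"type": "tea-collection",
      "url": "https://example.com/tea/v1/release/3f92c28c-13c9-4e32-8d5b-5f8ae77ef265"},
     {"type": "tea-collection",
      "url": "http://example.com/tea/v1/release/3f92c28c-13c9-4e32-8d5b-5f8ae77ef265/collection"}]}]}
""")

def tea_collection_url(ref):
    """Normalise one tea-collection reference to a TEA Collection URL.
    Accepts both forms from the discussion: the Collection URL itself, or the
    Component Release URL (to which "/collection" is appended). Returns None
    for anything else (non-https, no /release/<id> path), so a consumer never
    fetches an arbitrary location named in an untrusted BOM."""
    parsed = urlparse(ref.get("url", ""))
    if parsed.scheme != "https" or not parsed.netloc:
        return None
    segments = parsed.path.rstrip("/").split("/")
    if "release" not in segments:
        return None
    tail = segments[segments.index("release") + 1:]
    if len(tail) == 1 and tail[0]:
        segments.append("collection")  # release URL: derive the Collection
    elif not (len(tail) == 2 and tail[0] and tail[1] == "collection"):
        return None
    return f"https://{parsed.netloc}{'/'.join(segments)}"

def collect_tea_collections(bom):
    """Map each component (purl, else name@version) to its Collection URLs."""
    result = {}
    for comp in bom.get("components", []):
        key = comp.get("purl") or f"{comp['name']}@{comp['version']}"
        refs = [r for r in comp.get("externalReferences", [])
                if r.get("type") == "tea-collection"]
        result[key] = [u for u in map(tea_collection_url, refs) if u]
    return result
```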
Do we have a final decision on if this should be a TEI or TEA collection? Is it too early to include in CycloneDX v1.7?
Yes, I think we can postpone this PR until we smooth out some details about the TEI.