
[FEATURE]: properties for externalReferences #608

Open
@gernot-h


Allow custom properties for externalReferences

CycloneDX already allows a rich set of external reference types (https://cyclonedx.org/docs/1.6/json/#components_items_externalReferences_items_type) to specify artefacts for a given component.

Such artefacts, however, usually have connected metadata like author, timestamps, etc. Often, it would be very helpful to specify such metadata directly in the SBOM, e.g. to allow for filtering of references by metadata in postprocessing steps.

In my case, an internal component analysis tool enriches SBOMs of a (large) OS image with externalReferences to per-component analysis reports. This SBOM is then archived for later reference.

Now I want to take such an SBOM and download a subset of reports, e.g. filtered by author or date of creation. I could easily extend the analysis tool to store the reports' metadata in the SBOM if I had a way to express it. First, I tried to store the metadata with some syntax in the comment field, but decided that's not the way to go. So as of today, I need to either query the component analysis tool for metadata of all externalReferences in later processing steps or create a proprietary file along with the SBOM to hold this metadata.

Possible solutions

I think an easy solution could be to just allow custom properties in externalReferences as CycloneDX already has for components.

Alternatives

I also thought about creating a 2nd SBOM listing the component analysis reports as components, using dependencies to connect them to the SBOM listing the actual components, but this doesn't really seem to be along the idea of SBOMs.
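As an added illustration (not code from the issue author or the CycloneDX project), here is the postprocessing filter the issue describes, run over a constructed SBOM fragment that uses the proposed `properties` array on externalReferences. The `report:author` / `report:created` property names, the report URLs and the choice of reference type are assumptions; the `properties` field on an externalReference is the requested feature, not something the current schema defines.

```python
import json
from datetime import date

# Constructed sample SBOM. The "properties" array on each externalReference is
# the shape this issue proposes (mirroring component properties); it is NOT part
# of the current CycloneDX schema, so treat that field as an assumption.
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "externalReferences": [
       {"type": "static-analysis-report", "url": "https://reports.example.com/openssl/1234",
        "properties": [{"name": "report:author", "value": "alice"},
                       {"name": "report:created", "value": "2024-05-02"}]},
       {"type": "static-analysis-report", "url": "https://reports.example.com/openssl/1299",
        "properties": [{"name": "report:author", "value": "bob"},
                       {"name": "report:created", "value": "2024-06-11"}]}]},
    {"type": "library", "name": "zlib", "version": "1.3.1",
     "externalReferences": [
       {"type": "website", "url": "https://zlib.net"}]}
  ]}""")

def ref_properties(ref):
    """Flatten a reference's name/value property list into a dict (last value wins)."""
    return {p["name"]: p["value"] for p in ref.get("properties", [])}

def select_references(sbom, ref_type=None, author=None, since=None):
    """Return (component name, url) pairs whose externalReference matches every
    given filter. 'since' is an ISO-8601 date string; references that lack a
    property needed by an active filter never match (no silent fallback)."""
    since_d = date.fromisoformat(since) if since else None
    hits = []
    for comp in sbom.get("components", []):
        for ref in comp.get("externalReferences", []):
            if ref_type and ref.get("type") != ref_type:
                continue
            props = ref_properties(ref)
            if author and props.get("report:author") != author:
                continue
            if since_d:
                created = props.get("report:created")
                if created is None or date.fromisoformat(created) < since_d:
                    continue
            hits.append((comp["name"], ref["url"]))
    return hits

if __name__ == "__main__":
    # Download candidates: analysis reports created on or after 2024-06-01.
    for name, url in select_references(SBOM, ref_type="static-analysis-report", since="2024-06-01"):
        print(name, url)
```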
