SBOM - Add CycloneDX Component Fields: Dependency Relationship and Author

When generating an SBOM, NTIA recommends a minimum set of data elements: Supplier Name, Component Name, Version of the Component, Other Unique Identifiers, Dependency Relationship, Author of SBOM Data, and Timestamp (Source, section 2.2 "Baseline Component Information"). Currently, we support the following CycloneDX component fields:

  • "name"
  • "version"
  • "purl"
  • "type"
  • "library"
  • "bom-ref"

Request

For the GitLab Analyzers that generate a CycloneDX SBOM:

  1. Add an "author" field to each object in the "components" array. Note that CycloneDX records the author of the SBOM itself (NTIA's "Author of SBOM Data") in "metadata.authors" and the generating tool in "metadata.tools"; the per-component "author" field names the author of that component.
  2. Add a top-level "dependencies" array with an object for every component, each carrying a "ref" (the component's "bom-ref") and a "dependsOn" array listing the "bom-ref" of each direct dependency. An empty "dependsOn" means the component is known to have no dependencies, which is distinct from a component that is absent from the graph. Relationship definition from NTIA:

Relationship is inherent in the design of the SBOM. The default relationship type is includes. To provide a more clear and consistent representation of relationships, this document inverts the direction of the relationship to be included in. The choice of direction is not important as long as one direction is chosen and used consistently.
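The following is an added example, not code from any GitLab analyzer: it shows what the requested output looks like when assembled from a resolved dependency graph, and it includes the consistency check a consumer would run on it (every "ref" and "dependsOn" entry must resolve to a "bom-ref", and refs must be unique), which JSON schema validation alone cannot express. CycloneDX expresses the relationship in the "depends on" direction, so the edges below are stored that way consistently, as the NTIA text requires. Field names follow the CycloneDX 1.4 JSON schema; the component list, the edge list and the author strings are constructed sample data, and the function names are this example's own.

```python
"""Build the CycloneDX "dependencies" array from a resolved dependency graph
and check it against the "bom-ref" values in "components".

Hypothetical helper written for this issue, not part of any GitLab analyzer.
Field names follow the CycloneDX 1.4 JSON schema; all sample data is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample input: what a lockfile parser would hand the SBOM writer.
# Each component carries the fields already emitted today (name, version, purl);
# the purl doubles as the bom-ref. "author" is the component's author, not the SBOM's.
SAMPLE_COMPONENTS = [
    {"name": "app", "version": "1.0.0", "purl": "pkg:npm/app@1.0.0", "author": "Example Corp"},
    {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    {"name": "body-parser", "version": "1.20.1", "purl": "pkg:npm/body-parser@1.20.1"},
    {"name": "debug", "version": "2.6.9", "purl": "pkg:npm/debug@2.6.9"},
]

# Constructed edges, stored in CycloneDX's own direction: (dependant, dependency).
SAMPLE_EDGES = [
    ("pkg:npm/app@1.0.0", "pkg:npm/express@4.18.2"),
    ("pkg:npm/express@4.18.2", "pkg:npm/body-parser@1.20.1"),
    ("pkg:npm/express@4.18.2", "pkg:npm/debug@2.6.9"),
    ("pkg:npm/body-parser@1.20.1", "pkg:npm/debug@2.6.9"),
]


def build_dependencies(components, edges):
    """Return the CycloneDX "dependencies" array.

    Every component gets exactly one entry, even with an empty "dependsOn",
    so a consumer can distinguish "known to have no dependencies" from
    "not represented in the graph". dependsOn lists are sorted so the output
    is deterministic across runs (useful when diffing SBOMs).
    """
    depends_on = {c["purl"]: [] for c in components}
    for dependant, dependency in edges:
        deps = depends_on.setdefault(dependant, [])
        if dependency not in deps:
            deps.append(dependency)
    return [{"ref": ref, "dependsOn": sorted(deps)} for ref, deps in depends_on.items()]


def build_bom(components, edges, sbom_author):
    """Assemble a minimal CycloneDX 1.4 JSON BOM covering the NTIA minimum elements."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            # NTIA "Author of SBOM Data" and "Timestamp" live here, not per component.
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "authors": [{"name": sbom_author}],
        },
        "components": [
            {
                "type": "library",
                "bom-ref": c["purl"],
                "name": c["name"],
                "version": c["version"],
                "purl": c["purl"],
                # Only emit "author" when the analyzer actually knows it.
                **({"author": c["author"]} if "author" in c else {}),
            }
            for c in components
        ],
        "dependencies": build_dependencies(components, edges),
    }


def validate_dependencies(bom):
    """Return a list of problems; an empty list means the graph is consistent.

    Every "ref" and "dependsOn" entry must resolve to a "bom-ref" declared in
    "components" (or on "metadata.component"), and refs must be unique.
    """
    refs = {c.get("bom-ref") for c in bom.get("components", [])}
    meta_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if meta_ref:
        refs.add(meta_ref)
    problems, seen = [], set()
    for entry in bom.get("dependencies", []):
        ref = entry.get("ref")
        if ref in seen:
            problems.append(f"duplicate dependency entry for {ref!r}")
        seen.add(ref)
        if ref not in refs:
            problems.append(f"dependency ref {ref!r} matches no bom-ref")
        for dep in entry.get("dependsOn", []):
            if dep not in refs:
                problems.append(f"{ref!r} dependsOn unknown ref {dep!r}")
    return problems


if __name__ == "__main__":
    bom = build_bom(SAMPLE_COMPONENTS, SAMPLE_EDGES, sbom_author="example-analyzer (assumed name)")
    print(json.dumps(bom, indent=2))
    print("problems:", validate_dependencies(bom))
```

Running the script prints the assembled BOM and an empty problem list; adding an edge to a purl that is not in the component list makes validate_dependencies report the dangling reference, which is the failure mode a downstream consumer would otherwise hit when resolving the graph.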

Completing these fields in the CDX output satisfies foundation capabilities for GitLab the Product as outlined in the SBOM Plan.

Edited by Thiago Figueiró