
Add support for ingesting CycloneDX v1.6

Why are we doing this work

CycloneDX specification Version 1.6 has been available since 2024-04-09.

We'd like to be able to use it in our SBOMs.

Trivy 0.53.0 produces CycloneDX 1.6 SBOMs: https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0530-2024-07-01 Since GitLab doesn't yet support CycloneDX 1.6, GitLab cannot ingest SBOMs produced by the latest version of Trivy. This will block Trivy upgrades in GitLab Container Scanning. This is the same issue that was reported when Trivy started producing CycloneDX 1.5 and GitLab didn't support that version; see #431406 (closed)

Relevant links

The issue which added support for CycloneDX 1.5 is #431435 (closed)

Proposal

CycloneDX SBOM ingestion needs to be updated to support specVersion 1.6 in addition to 1.5.

Implementation plan

  • Copy over official JSON schema
  • Add inline definitions for the signature and license types
  • Add 1.6 to list of supported versions and ensure tests pass
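The following is an added example, not GitLab's ingestion code: a minimal specVersion gate of the kind the "supported versions" step of the plan drives. It parses a CycloneDX JSON document, rejects anything whose `bomFormat` or `specVersion` is not on the supported list, and runs a small structural check in place of full JSON-schema validation so that it runs offline with only the Ruby standard library. The `SUPPORTED_SPEC_VERSIONS` list, the `CycloneDxGate` module name and the sample SBOMs are all assumptions constructed for this example; nothing here is taken from a real Trivy report.

```ruby
require 'json'

# Added example, not GitLab's own ingestion code: a minimal specVersion gate
# for CycloneDX JSON SBOMs. Real ingestion validates the document against the
# per-version JSON schema; the structural checks below stand in for that so
# the example runs offline with only the standard library.
module CycloneDxGate
  # Assumption: the versions the ingester accepts. Adding "1.6" here is the
  # "add 1.6 to list of supported versions" step; an unknown version is
  # rejected rather than silently validated against the newest schema.
  SUPPORTED_SPEC_VERSIONS = %w[1.4 1.5 1.6].freeze

  Result = Struct.new(:ok, :spec_version, :errors, keyword_init: true)

  # Returns a Result saying whether +raw_json+ is a CycloneDX document the gate
  # accepts. Problems are collected rather than failing fast, so a caller can
  # report all of them at once.
  def self.check(raw_json)
    doc = begin
      JSON.parse(raw_json)
    rescue JSON::ParserError => e
      return Result.new(ok: false, spec_version: nil, errors: ["invalid JSON: #{e.message}"])
    end

    return Result.new(ok: false, spec_version: nil, errors: ['document is not a JSON object']) unless doc.is_a?(Hash)

    errors = []
    unless doc['bomFormat'] == 'CycloneDX'
      errors << %(bomFormat must be "CycloneDX", got #{doc['bomFormat'].inspect})
    end

    version = doc['specVersion']
    unless version.is_a?(String) && SUPPORTED_SPEC_VERSIONS.include?(version)
      errors << "unsupported specVersion #{version.inspect} (supported: #{SUPPORTED_SPEC_VERSIONS.join(', ')})"
    end

    # Stand-in for schema validation: components, when present, must be an
    # array of objects that each carry a name (the schema marks name as required).
    if doc.key?('components')
      components = doc['components']
      if components.is_a?(Array)
        components.each_with_index do |c, i|
          errors << "components[#{i}] is missing a name" unless c.is_a?(Hash) && c['name'].is_a?(String)
        end
      else
        errors << 'components must be an array'
      end
    end

    Result.new(ok: errors.empty?, spec_version: version, errors: errors)
  end

  # Constructed sample input (not a real Trivy report): a minimal 1.6 SBOM.
  SAMPLE_1_6 = <<~JSON
    {
      "bomFormat": "CycloneDX",
      "specVersion": "1.6",
      "version": 1,
      "components": [
        { "type": "library", "name": "openssl", "version": "3.0.13" }
      ]
    }
  JSON

  # Constructed sample: the same document claiming a version the gate does not list.
  SAMPLE_UNSUPPORTED = SAMPLE_1_6.sub('"specVersion": "1.6"', '"specVersion": "1.7"')
end

if $PROGRAM_NAME == __FILE__
  [CycloneDxGate::SAMPLE_1_6, CycloneDxGate::SAMPLE_UNSUPPORTED, '{"bomFormat": "SPDX"}'].each do |sbom|
    r = CycloneDxGate.check(sbom)
    puts "specVersion=#{r.spec_version.inspect} ok=#{r.ok} errors=#{r.errors.inspect}"
  end
end
```

Running the file prints one line per sample: the 1.6 document is accepted, the 1.7 document is rejected for its version, and the SPDX document is rejected for both its format and its missing version. In a real ingester the structural check is replaced by validation against the copied 1.6 schema; that schema references the JSON Signature Format and SPDX license-id schemas through external `$ref`s, which is why the plan's second step inlines those definitions rather than letting the validator fetch them.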
Edited by Oscar Tovar