
Support CycloneDX spec version 1.5 and 1.6 when exporting SBOM


Why are we doing this work

We allow users to export the list of components in CycloneDX format through the API (see Tutorial: Export dependency list in SBOM format), but we can only generate a CycloneDX 1.4 document.

So we should also support exporting CycloneDX 1.5 and 1.6 (or just 1.6, to be further refined).

⚠️ We can't simply change the current spec version as it would be a breaking change of the existing API. Instead, we should provide a parameter to select a different version. We can deprecate and change the default version on the next major release.
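The pattern described above, as an added illustration and not GitLab's own code: the spec version becomes an optional, allow-listed parameter whose default stays at 1.4, so clients that never pass it see no change, while unsupported values are rejected rather than silently mapped. The module name `SbomExport`, the parameter name `spec_version` and the sample component list are assumptions made for this example; GitLab's real API parameter is not named on this page, and the document contains only fields common to CycloneDX 1.4, 1.5 and 1.6.

```ruby
require 'json'
require 'securerandom'
require 'time'

# Hypothetical exporter module (not GitLab's implementation).
module SbomExport
  # Versions the exporter may emit. 1.4 remains the default so that existing
  # API consumers that do not pass the parameter keep getting what they got.
  SUPPORTED_SPEC_VERSIONS = %w[1.4 1.5 1.6].freeze
  DEFAULT_SPEC_VERSION = '1.4'

  class UnsupportedSpecVersion < ArgumentError; end

  # nil / blank means "parameter not given" and maps to the legacy default;
  # any explicit value must be on the allow-list, otherwise the caller gets
  # an error instead of a document claiming a version it was not built for.
  def self.resolve_spec_version(requested)
    return DEFAULT_SPEC_VERSION if requested.nil? || requested.to_s.strip.empty?

    version = requested.to_s.strip
    unless SUPPORTED_SPEC_VERSIONS.include?(version)
      raise UnsupportedSpecVersion,
            "specVersion #{version.inspect} not supported; " \
            "use one of #{SUPPORTED_SPEC_VERSIONS.join(', ')}"
    end
    version
  end

  # Build a CycloneDX BOM as a Hash. Each component is a Hash with :name,
  # :version and an optional :purl. Only fields shared by all three spec
  # versions are emitted, so the same builder serves 1.4, 1.5 and 1.6.
  def self.build_bom(components, spec_version: nil, now: Time.now.utc)
    {
      'bomFormat' => 'CycloneDX',
      'specVersion' => resolve_spec_version(spec_version),
      'serialNumber' => "urn:uuid:#{SecureRandom.uuid}",
      'version' => 1,
      'metadata' => { 'timestamp' => now.iso8601 },
      'components' => components.map do |c|
        entry = {
          'type' => 'library',
          'name' => c.fetch(:name),
          'version' => c.fetch(:version)
        }
        entry['purl'] = c[:purl] if c[:purl]
        entry
      end
    }
  end

  def self.to_json(components, spec_version: nil)
    JSON.pretty_generate(build_bom(components, spec_version: spec_version))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample dependency list, not real project data.
  deps = [
    { name: 'rails', version: '7.1.3', purl: 'pkg:gem/rails@7.1.3' },
    { name: 'nokogiri', version: '1.16.0' }
  ]
  puts SbomExport.to_json(deps)                      # legacy default: 1.4
  puts SbomExport.to_json(deps, spec_version: '1.6') # opt-in to the newer spec
end
```

Switching the default to 1.6 in a later major release is then a one-constant change in `DEFAULT_SPEC_VERSION`, and the allow-list keeps ingestion-side decisions (which versions are accepted on import) independent of what the exporter emits.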

NB: this issue is only about the export feature. The spec versions we support during ingestion are handled by separate logic; as of 2024-07-30 we support 1.4 and 1.5 there and are looking to add 1.6 with #472837 (closed).

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

Verification steps

Edited by 🤖 GitLab Bot 🤖