RFC: Add per component and per BOM key/value pairs

[stevespringett]

There are times when adopters and implementors of CycloneDX need to specify data that falls outside of what the spec provides. Vendor specific schema extensions are one way to accomplish that, however, it also leads to vendor lock-in.

Therefore, it is desirable to support per component and per bom key/value stores.

For example:

<component type="library">
    <name>Acme Component</name>
    <version>1.0.0</version>
    <properties>
        <property name="myprop" value="myvalue"/>
    </properties>
</component>

This allows a certain degree of customization without having to use vendor-specific extensions. Support for properties inside of other objects (e.g. supplier and license) may also be desirable.

[coderpatros]

I really like this addition.

It supports use cases like internal (semi-)automated workflows. I propose this is also included at the BOM level. (Just re-read that and realised you have it for both)

[wrgoff]

I really like this. This is exactly what we need. When can we expect this?

[stevespringett]

@wrgoff This is still being designed. Once complete, if the RFC is approved, then it will be incorporated into the next version of the CycloneDX specification (v1.3). Historically, there has been a new release of CycloneDX in Q1/Q2 every year for the past three years.

[brianf]

I'm +1 to this addition as well.