
Add support for generating JSON output #20

Open. Wants to merge 6 commits into base: master.

Conversation

matlaj commented Sep 13, 2024

This (admittedly pretty hefty) PR adds support for generating an SBoM in JSON format.
This is achieved by introducing an internal SBoM format based on Erlang records, and then converting that to either XML or JSON.
Old SBoM files are also parsed into the record-based format to check their version and contents.

Existing user-facing behavior is not changed; JSON can be generated by passing the -F json argument.

Additionally, two fixes have been made to ensure the generated SBoM files are valid (against both the schema and the CycloneDX CLI):

  • The serialNumber field now contains the required urn:uuid: prefix.
  • Child elements under the <component> XML elements are now ordered as the CycloneDX XML spec expects.
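As an added illustration of the design described in this PR (not the PR's own Erlang code), the sketch below keeps one internal representation and serializes it to both CycloneDX JSON and XML, applying the two validity fixes named above: a serialNumber with the urn:uuid: prefix, and component children written in schema order regardless of how the internal fields are arranged. The sample component, the fixed UUID and the COMPONENT_ORDER subset are assumptions constructed for the example.

```python
import json
import re
import uuid
import xml.etree.ElementTree as ET

SERIAL_RE = re.compile(r"^urn:uuid:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Order the CycloneDX 1.4 XML schema expects for these <component> children
# (only the subset used here; taken from the 1.4 XSD, not from the PR itself).
COMPONENT_ORDER = ["group", "name", "version", "description", "purl"]


def make_serial_number(u=None):
    """First fix: serialNumber must be a URN, so prefix the UUID with urn:uuid:."""
    return f"urn:uuid:{u or uuid.uuid4()}"


def valid_serial_number(s):
    """True only for the urn:uuid:<lowercase-uuid> form the schema accepts."""
    return SERIAL_RE.match(s) is not None


def to_json(bom):
    """JSON objects are unordered, so the internal dict can be emitted as-is."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                       "serialNumber": bom["serialNumber"], "version": 1,
                       "components": bom["components"]}, indent=2)


def to_xml(bom):
    """Second fix: XML children are ordered, so walk COMPONENT_ORDER rather
    than the order in which fields appear in the internal representation."""
    root = ET.Element("bom", {"xmlns": "http://cyclonedx.org/schema/bom/1.4",
                              "serialNumber": bom["serialNumber"], "version": "1"})
    comps = ET.SubElement(root, "components")
    for c in bom["components"]:
        el = ET.SubElement(comps, "component", {"type": c["type"]})
        for field in COMPONENT_ORDER:
            if field in c:
                ET.SubElement(el, field).text = c[field]
    return ET.tostring(root, encoding="unicode")


# Constructed sample standing in for the PR's record-based internal format.
# Field order is deliberately scrambled to show that the XML writer reorders.
SAMPLE_BOM = {
    "serialNumber": make_serial_number(uuid.UUID("3e671687-395b-41f5-a30f-a58921a69b79")),
    "components": [
        {"type": "library", "purl": "pkg:hex/cowboy@2.10.0",
         "version": "2.10.0", "name": "cowboy", "description": "HTTP server"},
    ],
}
```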

@GalaxyGorilla

@voltone is this an interesting addition? We (Stritzinger) want to add more enhancements to this repo, and getting some feedback for this one is highly appreciated :).

voltone (Owner) commented Oct 10, 2024

Yes, I'm definitely interested in adding JSON support, and in general moving this project forward. But I'm pretty sure the best way to do that is to extract the CycloneDX support into a package that can be used by any tool that wants to support it (including the Elixir/Mix sibling of this project). If someone were to create an SPDX package we could add support for that too.

I've made a few false starts creating such a package and reworking the Rebar3 plugin and Mix task, but unfortunately I've never had a chance to wrap up that work due to other priorities. Do you think a first shot at a CycloneDX Erlang Hex package could be extracted from this PR?

@GalaxyGorilla

Hi @voltone!

I think this is definitely a cool idea which we could follow along with. I will get back to you about this when we have more brain capacity to think about this :)

voltone (Owner) commented Oct 15, 2024

> I think this is definitely a cool idea which we could follow along with. I will get back to you about this when we have more brain capacity to think about this :)

I started taking another shot at a generic Erlang/Elixir CycloneDX library the other day. I have a pretty good idea how I can create a package with support for both languages: the core would be implemented in Erlang, built using Rebar3, but the package would also include a Mix file and a bunch of Elixir modules that wrap the Erlang modules in idiomatic Elixir APIs.

But, I found myself wondering whether the Erlang core should use records or maps to represent the SBOM before serialization to JSON/XML, and whether "strings" should be represented using Erlang strings or binaries. I think Elixir users would prefer maps and binaries, but I really want the core data structures to be the same for both. So I'm wondering whether Erlang users would insist on records and strings instead. Any thoughts...?

matlaj (Author) commented Oct 15, 2024

I, for one, don't have the impression that Erlang developers have a strong preference towards any of these (maps vs records or binaries vs strings).
Each has advantages... and problems too, and I think you should use what fits best from a technical point of view.
Baseless strong opinions be damned :)
