Describe the feature
Since the TEA Collection provides a versioned and mutable set of external references related to a given CycloneDX Component (more precisely a TEA Component), it would be useful to reference it from an SBOM document.
SBOM documents are inherently immutable and the only possible sources of mutability are:
- changes in the end-of-support policies (see [FEATURE]: Add external reference type for support policy/lifecycle metadata #591).
- changes in VDRs/VEXes and other security-related documents (TEA Artifacts).
While in version 1.6 of CycloneDX we can already include external references of type `threat-model`, `vulnerability-assertion`, `exploitability-statement` and so on, these URLs must necessarily point to the "live/current" version of those documents, and there is no audit trail of their modifications.
The TEA Collection object solves that problem.
Possible solutions
The easiest solution would be to add a `tea-collection` or `tea-component` external reference type that points to the appropriate OpenAPI endpoint on a TEA Server.
Alternatives
An alternative solution would be to add `tea-component` as a first-class property of the CycloneDX Component element, since a TEA Collection can replace many external references at the same time.
Note: In the future it should be possible to infer the location of the TEA Server from a component's `purl` or other property. However, the current auto-discovery protocol does not provide such a possibility.