Add support for cyclonedx 1.4 and VEX

[sambhav]

What would you like to be added: CycloneDX 1.4 was released with added support for a common vulnerability exchange format.

It would be great if grype could output its vulnerability reports in this format. This could also be helpful down the road as a standardized format to attach vulnerability data as intoto attestations.

Why is this needed: This provides a well defined standard to output and parse vulnerability information. syft already supports Cyclonedx SBOMs and this could be a great counterpart for grype.

Additional context:

More details at

https://cyclonedx.org/capabilities/vex/

https://github.com/CycloneDX/sbom-examples/blob/master/VEX/vex.json

[nwl]

Syft ticket here: anchore/syft#744

[sambhav]

Now that syft support for cyclonedx 1.4 is out, I believe this is unblocked. I might be able to get around to a draft PR this week.

[luhring]

That would be amazing! I'm very excited about this one.

[hectorj2f]

@luhring Are there any plans to support CycloneDX 1.4 in the incoming releases ? Do you have an idea when that could happen ? Thanks :).