Support pedigree

[vetsin]

Is your feature request related to a problem? Please describe.

There are cases wherein a npm-based builds (e.g. something with a package.json) are in actuality independently released forks, for whatever reason. One should, according to cyclonedx spec, declare such pedigree.

Describe the solution you'd like

One could:

• define the supplier distinctly different than the manufacture
• define at least one ancestor, preferably by purl?
• allow externalReferences to include both the 'upstream' and the 'origin'
• 'know', by some means, the common base between origin and upstream as to populate commits
  • this would likely need vcs supports within the module itself
  • are there standards to enforce here? always have a upstream remote? only git for now? if the upstream is not git do we just specify the start of our changes manually?

Or maybe one just has a seed-bom.json manually filled out that we automatically merge in?

Describe alternatives you've considered

I'm wondering if this should be done in a 'post build step' as singing is done. Either every dx plugin (maven, npm, groovy, etc.) does this or maybe cyclonedx-cli/ does it instead?

Additional context

This is probably most common in enterprise envs or dead libs people took over. See the same request for cyclonedx-maven-plugin

[jkowalleck]

well, your issue is a general one, and seams to be not NPM-centric, or is it?
how would you note all the "pedigree" information down, does NPM have capabilities for that?