feat: Add support for TLP marking in metadata (fixes #595)

[anthonyharrison]

As discussed in ticket #595 this PR adds TLP marking to the metadata to indicate the sharing and distribution constraints for the BOM.

fixes #595

[jkowalleck]

thanks for the implementation, @anthonyharrison

Could you port these changes to schema 1.7 based on branch 1.7-dev?
Could I ask you to add some test data? they wold to into the folder tools/src/test/resources/1.7.

thank you in advance.

PS: i am sorry that i did not communicate these things earlier. Please bear with me.

[jkowalleck]

I'll set this PR to "draft", until the proposed changes were ported to the "next" version.

[jkowalleck]

please port to "next" version.
v1.6 will not get any new features, but upcoming v1.7 will.

[prabhu]

This is resulting in a string attribute called "distribution" under metadata and the phrase "tlp" is no where to be found.

{
 "metadata": {
    "timestamp": "2025-06-14T10:45:57Z",
    "tools": {
      "components": [
        {
          "group": "@cyclonedx",
          "name": "cdxgen",
          "version": "11.4.0",
          "purl": "pkg:npm/%40cyclonedx/[email protected]",
          "type": "application",
          "bom-ref": "pkg:npm/@cyclonedx/[email protected]",
          "publisher": "OWASP Foundation",
          "authors": [
            {
              "name": "OWASP Foundation"
            }
          ]
        }
      ]
    },
    "authors": [
      {
        "name": "OWASP Foundation"
      }
    ],
    "lifecycles": [
      {
        "phase": "build"
      }
    ],
    "distribution": "AMBER"
 }
}

Can we make distribution an object with an attribute tlpClassification, since the string attribute is confusing especially with externalReferences.type = distribution (Direct or repository download location).

[jkowalleck]

@CycloneDX/core-team, what do you think about #603 (comment) ?

[jkowalleck]

re: #603 (comment)
I'll draft a PR to showcase this.

PS: see the draft: #653