[FEATURE]: Add support for conditional components

[stevespringett]

CycloneDX 2.0 should support a slot in a BOM that can be filled by one of several alternates, by all of a group taken together, or by an optionally populated part. This is a hard requirement for physical device manufacturing.

Why

BOMs for physical goods routinely express things software BOMs do not: approved alternates from multiple manufacturers, dual sourcing for supply chain resilience, last time buy substitutions, and build variants. None of these can be expressed faithfully today.

Proposed shape

A new component-choice wrapper carries an operator and a list of alternates.

{
  "$schema": "http://cyclonedx.org/schema/2.0/",
  "specFormat": "CycloneDX",
  "specVersion": "2.0",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "component": {
      "bom-ref": "acme-product-rev-1",
      "type": "device",
      "name": "Acme Product",
      "version": "Revision 1"
    }
  },
  "components": [
    {
      "type": "device",
      "name": "Power Management Board"
    },
    {
      "type": "component-choice",
      "name": "2N2222 or PN2222A Transistor",
      "operator": "XOR",
      "components": [
        {
          "type": "device",
          "name": "NPN Transistor 2N2222",
          "supplier": { "name": "Company A" },
          "part-number": "2N2222A"
        },
        {
          "type": "device",
          "name": "NPN Transistor 2N2222",
          "supplier": { "name": "Company B" },
          "part-number": "2N2222A"
        },
        {
          "type": "device",
          "name": "NPN Transistor PN2222A",
          "supplier": { "name": "Company C" },
          "part-number": "PN2222A"
        }
      ]
    }
  ]
}

Operators

Operator	Meaning
OR	Any non empty subset may be installed.
XOR	Exactly one is installed per instance.
AND	All members installed together as a group.

Schema sketch

"component-choice": {
  "type": "object",
  "title": "Component Choice",
  "description": "A wrapper that expresses a conditional or alternate relationship between two or more components. Use to model approved alternates, multi sourced parts, build variants, optional populations, and required component groups in physical device BOMs.",
  "required": ["operator", "components"],
  "additionalProperties": false,
  "properties": {
    "bom-ref":     { "$ref": "#/$defs/refType" },
    "name":        { "type": "string", "title": "Name", "description": "Display name for the choice slot. Typically corresponds to a reference designator or design intent name." },
    "description": { "type": "string", "title": "Description" },
    "operator": {
      "type": "string",
      "title": "Operator",
      "enum": ["OR", "XOR", "AND"],
      "meta:enum": {
        "OR":       "Any non-empty subset of the contained components may be installed.",
        "XOR":      "Exactly one of the contained components is installed per instance.",
        "AND":      "All of the contained components are installed together as a group."
      }
    },
    "components": {
      "type": "array",
      "title": "Components",
      "minItems": 1,
      "items": { "$ref": "#/$defs/component" }
    }
  }
}

component-choice would be permitted in any field that already accepts an array of component, including the top level components array and the nested component.components array.