Improve Release Process
I would like to see an improved release process...
- Releases populated with release notes. This will help repo watchers who configure customised events for "Releases" only.
- CHANGELOG.md updated for every release (or replaced by the usage of release notes?).
- Improved use of semantic versioning. Should not the additions to license mapping in 7.1.4 have warranted a minor release (7.2.0) instead of a patch release?
All of the above are used by dependabot PRs that update cyclonedx-core-java in downstream projects. Thus, addressing release notes (and/or changelog) should make a dependabot PR easier to review and approve. A difference in patch vs minor version can change the way that dependabot itself works.
As an additional justification, a wee story...
The release of cyclonedx-core-java-7.1.4 caused problems for me when it was included in cyclonedx-maven-plugin 2.7.0: BOMs generated using that release of the plugin resulted in the displayed "License" in Dependency-Track changing for some components.
Affected components were ones that use dual licensing and where one of the licenses now started to successfully map to an SPDX license ID. Dependency-Track 4.5.0 does not support dual licences in the UI and prefers the ID over the name, hence the change in which license gets displayed. This caused me to spend a couple of hours investigating why things had changed. Bear in mind that the changes might have resulted in a policy violation.