The SPDX presentation was great. We can definitely borrow a lot, at the very least, and there seems to be strong overlap of interests.
I updated the draft specification. I made cpes an array because there are multiple versions of this specification as well. Score should be an array, as there could be many of them, and I added scoring metrics.
One thing that's a bit awkward about this design is that vulns will often reference CVEs which reference CPEs, but we're putting CPE above vulns in our model. I think it makes sense, because while CVEs can relate to many products (CPEs), an entry in the BoM is by definition only part of one.
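As an added example (not part of this message or of the draft specification), the Python below sketches the CPE-above-vulns inversion described here: a single BoM entry carries `cpes` as an array (one entry, several CPE forms), CVE-style records list the CPEs they affect, and the entry's `vulns` are derived by joining the two, with `score` as an array of named metrics. All identifiers, records, field names and the simplified CPE matcher are assumptions; the CVE records and IDs are constructed for illustration.

```python
"""Added example: deriving per-entry vulns from CVE records that reference CPEs.
Everything here (field names, CVE ids, CPE strings) is constructed; it is not
the draft specification's schema."""
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed CVE-style records. Each lists the CPE 2.3 match strings it
# affects ('*' wildcards) and an array of scores under named metrics.
CVE_RECORDS = [
    {"id": "CVE-0000-0001",
     "cpes": ["cpe:2.3:a:example:libfoo:1.2.*:*:*:*:*:*:*:*"],
     "score": [{"metric": "cvssv3", "value": 7.5},
               {"metric": "cvssv2", "value": 5.0}]},
    {"id": "CVE-0000-0002",
     "cpes": ["cpe:2.3:a:example:libfoo:*:*:*:*:*:*:*:*",
              "cpe:2.3:a:other:bar:*:*:*:*:*:*:*:*"],
     "score": [{"metric": "cvssv3", "value": 9.8}]},
    {"id": "CVE-0000-0003",
     "cpes": ["cpe:2.3:a:example:libfoo:2.0.0:*:*:*:*:*:*:*"],
     "score": [{"metric": "cvssv3", "value": 4.3}]},
]


def is_cpe23(cpe: str) -> bool:
    """True for a CPE 2.3 formatted string (13 colon-separated components)."""
    return cpe.startswith("cpe:2.3:") and len(cpe.split(":")) == 13


def cpe_matches(pattern: str, cpe: str) -> bool:
    """Simplified CPE 2.3 match: component-wise, '*' in the pattern is a
    wildcard. Real matching (NISTIR 7695) also handles '?', escaping and
    version ranges; this is deliberately minimal."""
    if not (is_cpe23(pattern) and is_cpe23(cpe)):
        raise ValueError("expected CPE 2.3 formatted strings")
    return all(fnmatch.fnmatchcase(c, p)
               for p, c in zip(pattern.split(":"), cpe.split(":")))


@dataclass
class Vuln:
    cve: str                 # the CVE this vuln references
    matched_cpe: str         # which of the entry's CPEs matched it
    score: List[Dict]        # array of {metric, value}, copied from the CVE


@dataclass
class BomEntry:
    name: str
    cpes: List[str]          # array: 2.3 formatted strings and/or 2.2 URIs
    vulns: List[Vuln] = field(default_factory=list)


def derive_vulns(entry: BomEntry, cve_records: List[Dict]) -> List[Vuln]:
    """Invert the CVE->CPE reference: collect every CVE whose affected-CPE
    list matches any CPE of this one BoM entry. A CVE is listed once even if
    several of the entry's CPE forms match it. Only CPE 2.3 strings take
    part in matching because the constructed CVE records use that form."""
    found: Dict[str, Vuln] = {}
    candidates = [c for c in entry.cpes if is_cpe23(c)]
    for rec in cve_records:
        for cpe in candidates:
            if any(cpe_matches(pat, cpe) for pat in rec["cpes"]):
                found.setdefault(rec["id"], Vuln(rec["id"], cpe, rec["score"]))
                break
    return list(found.values())


def max_score(vuln: Vuln, metric: str = "cvssv3") -> Optional[float]:
    """Highest value recorded under one named metric, or None if absent."""
    vals = [s["value"] for s in vuln.score if s["metric"] == metric]
    return max(vals) if vals else None


def example_entry() -> BomEntry:
    """Constructed entry: one component, known under both a CPE 2.3
    formatted string and a CPE 2.2 URI (hence `cpes` is an array)."""
    entry = BomEntry("libfoo 1.2.3", [
        "cpe:2.3:a:example:libfoo:1.2.3:*:*:*:*:*:*:*",
        "cpe:/a:example:libfoo:1.2.3",
    ])
    entry.vulns = derive_vulns(entry, CVE_RECORDS)
    return entry


if __name__ == "__main__":
    e = example_entry()
    for v in e.vulns:
        print(e.name, v.cve, "via", v.matched_cpe, "cvssv3 =", max_score(v))
```

The join runs per BoM entry, which is exactly why the inversion is harmless: a CVE may fan out to many products, but each entry only ever asks "which CVEs touch my own CPEs", so nesting vulns under the entry loses nothing.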