proposal: merge 14.2.4 and 14.2.5 and move to V1.14

[elarlang]

Spin-off from #2088

Current requirement:

#	Description	L1	L2	L3	CWE
14.2.4	Verify that third party components come from pre-defined, trusted and continually maintained repositories.		✓	✓	829
14.2.5	Verify that a Software Bill of Materials (SBOM) is maintained of all third party libraries in use.		✓	✓

Some comments to keep ind mind:

• Are parts of 14.2.x section out of scope for ASVS? #2088 (comment)
  • 14.2.4 to check, that the source for third party solution is trusted and continually maintained you check from 3rd party documentations, based on information from 14.2.5. So I think it can be and should be merged to 14.2.5.

V14.2.4 is something you need to define, check from repositories and document. So this requirement does not belong to V14.2 but is more current V1.14 material as a "documentation requirement".

V14.2.5 is documentation requirement as well, although it can be handled technically.

In #2088 (comment) I recommended.

From that "getting stuck into the SBOM declaration", I would say, that SBOM is just one, but not the only, option to handle inventory of 3rd party libraries in use and I propose to turn back to the requirement version we had in v4.0.2

V14.2.5 Verify that an inventory catalog is maintained of all third party libraries in use.

My proposal:

#	Description	L1	L2	L3	CWE
1.14.?	[MODIFIED, MOVED FROM 14.2.5, MERGED FROM 14.2.4] Verify that an inventory catalog, such as software bill of materials (SBOM), is maintained of all third-party libraries in use, including verifying that components come from pre-defined, trusted, and continually maintained repositories.		✓	✓