Improve SBOM in future releases for laptops

[macpijan]

The problem you're addressing (if any)

The SBOM information is limited to coreobot / edk2 revisions

Describe the solution you'd like

For some platforms, the SBOM information we provide is more extensive
Such as:
https://docs.dasharo.com/variants/protectli_vp46xx/releases/#v120-2024-03-25

Where is the value to a user, and who might that user be?

No response

Describe alternatives you've considered

No response

Additional context

No response

[BeataZdunczyk]

@macpijan We are already addressing this as part of #955

Feature request: We provided links to all components' licenses at some point. I think that information should be included in SBOM's release notes. It has already happened a couple of times when someone asked about licenses for all components included. Maybe Opness Score should also account for that somehow.

[pietrushnic]

We should publish SBOMs in the Dasharo SBOM release section; those SBOMs should comply with the state of the art in a given project. The key question is how hard it would be to introduce that:

• SBOM coreboot
• SBOM edk2

Maybe we should have a label for SBOM since we have more issues directly or indirectly related:

• SBOM for Dasharo firmware based on SWID tags and RIMs #129
• Introduce documentation versioning #568
• [NVC] NovaCustom V540TU 14th Gen Dasharo Release v0.9.0 issues #955

[krystian-hebel]

Not limited to laptops, but otherwise fits this issue: AFAICT none of the SBOMs list edk2-platforms, even though it is used by most of the platforms supported by Dasharo.

[mkopec]

Tried to make some improvements for the upcoming release:

[mkopec]

New release notes are now live: https://docs.dasharo.com/variants/novacustom_v540tnx/releases/#v091-2024-11-07

FSP and GOP are missing because they're not public, this needs to be fixed by publishing the blobs, then we can link to them in SBoM.