Generate and publish sbom on release #3956

Closed
Conversation

mmorel-35 (Contributor)

Which problem is this PR solving?

Short description of the changes

  • Generate an SBOM as a bom.json file and publish it on release

Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
@mmorel-35 mmorel-35 requested a review from a team as a code owner October 8, 2022 09:51
@mmorel-35 mmorel-35 changed the title Generate and publich sbom on release Generate and publish sbom on release Oct 8, 2022
codecov bot commented Oct 8, 2022

Codecov Report

Base: 97.14% // Head: 97.12% // Decreases project coverage by -0.02% ⚠️

Coverage data is based on head (f705e40) compared to base (b4c88dd).
Patch has no changes to coverable lines.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3956      +/-   ##
==========================================
- Coverage   97.14%   97.12%   -0.03%     
==========================================
  Files         295      295              
  Lines       17389    17389              
==========================================
- Hits        16893    16889       -4     
- Misses        399      402       +3     
- Partials       97       98       +1     
Impacted Files Coverage Δ
cmd/query/app/static_handler.go 96.38% <0.00%> (-1.81%) ⬇️
plugin/storage/integration/integration.go 75.95% <0.00%> (-0.39%) ⬇️


jkowall (Contributor) commented Oct 8, 2022

Thanks for doing this! I can add the link to Readme after.

yurishkuro (Member)

This will only publish SBOM for Go code. We also have UI code, and the content of the base Docker images.

  • Should we publish more than one SBOM, at minimum binaries-sbom (Go + UI) and images-sbom (including image layers)?
  • Should we be using syft-based https://github.com/anchore/sbom-action instead of CycloneDX? syft seems to cover both source code and binaries.

jkowall (Contributor) commented Oct 8, 2022

> This will only publish SBOM for Go code. We also have UI code, and the content of the base Docker images.
>
>   • Should we publish more than one SBOM, at minimum binaries-sbom (Go + UI) and images-sbom (including image layers)?
>   • Should we be using syft-based https://github.com/anchore/sbom-action instead of CycloneDX? syft seems to cover both source code and binaries.

That's why I just used Syft on the base all-in-one image, which should get us where we need to be. This seems like a one-time thing, since we don't add a huge amount of code and libraries to the project at this point. Probably over-engineering it to build it into the pipeline. Most folks who really need to track libraries in projects will use a service like Snyk, Whitesource, etc they will not just rely on a file published in a project. I considered this work as a box checking exercise.

yurishkuro (Member) commented Oct 8, 2022

> Probably over-engineering it to build it into the pipeline.

I don't think so - we have dependabot enabled and update dependencies constantly, so the one-off SBOM will be out of date usually by the next release. If we can't automate it, I'd rather not publish SBOM at all than publish a misleading one.

E.g. this year, 92 dependency bumps (not counting manual ones), i.e. 2-3 times a week on average:

$ gl main@{2022-01-01}..HEAD | grep dependabot | wc -l
      92
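The staleness yurishkuro describes can be made mechanical. The following is an added example, not code from this PR or from the Jaeger repository: a release-time check that parses the committed go.mod and the published CycloneDX bom.json and reports any module that is missing, at a different version, or no longer required. The go.mod and bom.json contents are constructed samples with illustrative module names and versions; the go.mod parser is deliberately minimal and ignores replace and exclude directives, which is an assumption that holds for the sample but not for every real module file.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample go.mod (illustrative modules, not a real project's).
const sampleGoMod = `module github.com/example/tracing

go 1.19

require (
	github.com/gorilla/mux v1.8.0
	github.com/spf13/viper v1.13.0
	go.uber.org/zap v1.23.0
)

require github.com/stretchr/testify v1.8.0 // indirect
`

// Constructed sample bom.json in CycloneDX form, as if generated at an earlier
// release: viper has since been bumped by dependabot and zap was added later.
const sampleBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "github.com/gorilla/mux", "version": "v1.8.0",
     "purl": "pkg:golang/github.com/gorilla/mux@v1.8.0"},
    {"type": "library", "name": "github.com/spf13/viper", "version": "v1.12.0",
     "purl": "pkg:golang/github.com/spf13/viper@v1.12.0"},
    {"type": "library", "name": "github.com/stretchr/testify", "version": "v1.8.0",
     "purl": "pkg:golang/github.com/stretchr/testify@v1.8.0"}
  ]
}`

type component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

type bom struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []component `json:"components"`
}

// parseGoMod returns module path -> version for every require directive, in
// both single-line and block form. Replace/exclude directives are ignored.
func parseGoMod(src string) map[string]string {
	deps := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				deps[f[0]] = f[1]
			}
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				deps[f[1]] = f[2]
			}
		}
	}
	return deps
}

// parseBOM returns module path -> version for the Go components (purl type
// golang) of a CycloneDX JSON document; any other bomFormat is rejected.
func parseBOM(src string) (map[string]string, error) {
	var b bom
	if err := json.Unmarshal([]byte(src), &b); err != nil {
		return nil, err
	}
	if b.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unexpected bomFormat %q", b.BOMFormat)
	}
	deps := map[string]string{}
	for _, c := range b.Components {
		if strings.HasPrefix(c.PURL, "pkg:golang/") {
			deps[c.Name] = c.Version
		}
	}
	return deps, nil
}

// Drift lists every way the published SBOM disagrees with go.mod.
type Drift struct {
	Missing []string // required by go.mod, absent from the BOM
	Stale   []string // same module, different version ("mod: bom -> go.mod")
	Extra   []string // in the BOM, no longer required
}

func (d Drift) Clean() bool { return len(d.Missing)+len(d.Stale)+len(d.Extra) == 0 }

func compare(gomod, sbom map[string]string) Drift {
	var d Drift
	for mod, v := range gomod {
		if bv, ok := sbom[mod]; !ok {
			d.Missing = append(d.Missing, mod)
		} else if bv != v {
			d.Stale = append(d.Stale, fmt.Sprintf("%s: %s -> %s", mod, bv, v))
		}
	}
	for mod := range sbom {
		if _, ok := gomod[mod]; !ok {
			d.Extra = append(d.Extra, mod)
		}
	}
	sort.Strings(d.Missing)
	sort.Strings(d.Stale)
	sort.Strings(d.Extra)
	return d
}

func main() {
	sbom, err := parseBOM(sampleBOM)
	if err != nil {
		panic(err)
	}
	d := compare(parseGoMod(sampleGoMod), sbom)
	fmt.Printf("missing: %v\nstale: %v\nextra: %v\n", d.Missing, d.Stale, d.Extra)
	if !d.Clean() {
		fmt.Println("published SBOM is out of date; regenerate it in the release job")
	}
}
```

Run against the samples, the check reports go.uber.org/zap as missing and github.com/spf13/viper as stale (v1.12.0 in the BOM, v1.13.0 in go.mod), which is exactly the drift a one-off SBOM accumulates between dependabot bumps. In a real pipeline the same comparison would gate the release, or simply be replaced by regenerating the SBOM from the tagged commit every time, which is the approach the thread converges on.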

yurishkuro (Member)

Done in #3987

@yurishkuro yurishkuro closed this Oct 25, 2022
@mmorel-35 mmorel-35 deleted the patch-1 branch November 10, 2022 19:04
Successfully merging this pull request may close these issues.

[Feature]: Implementations for 100% Security Compliance for CLOmonitor
3 participants