jam create-stack: Produce SBOMs for stacks in a standard SBOM format

[fg-j]

While working on paketo-buildpacks/jammy-tiny-stack#2, it was brought up that the current mechanism for generating package receipts (using dpkg -l) is brittle; it won't work for non-Ubuntu stacks. It'd be better for Paketo's stacks automation – and probably for stack consumers – if the list of packages installed in the stack were generated in a standard SBOM format (e.g. CycloneDX) and returned as an output of jam create-stack.

[fg-j]

I find myself wondering if jam create-stack should take on this responsibility or if it's just as easy for stack creators to use a tool like syft to generate a package receipt themselves.

Maybe it's prudent to avoid SBOM implementation lock-in within jam itself. @ryanmoran What are your thoughts on that?

[ryanmoran]

I only thought it would make sense for jam create-stack to emit an SBOM because its already capable of generating them for the stack itself. That code already lives in the command and adding this feature would mostly be about piping that SBOM output into a file onto the user's machine.

[fg-j]

Good point. I forgot about that feature. That's currently "hidden," right? You have to set an undocumented env var to get an SBOM attached to the image. I guess the question is -- do we want to expose the SBOM as a full-fledged feature or are we trying to move toward a future where we can stop importing syft?

[ryanmoran]

There's no near-term timeline where I see us being able to stop importing syft into this command. At the very least we will be supporting it in Bionic stacks until March of next year.

[ForestEckhardt]

@paketo-buildpacks/stacks-maintainers What is the status of this?

[robdimsdale]

This issue is stale - I'm going to close it. If/when we encounter the underlying request (i.e. either we receive requests to create an SBOM in CDX format, or we can't successfully create non-ubuntu stacks) we can re-open.