create SBOM for software stack provided

[goern]

Is your feature request related to a problem? Please describe.
As a feature to support a more secure software supply chain, Thoth should generate a SBOM, for each advise requested, and build via a Tekton task. #needsRefinement

A SBOM is not a security tool but it is a means to improve security, it can’t guarantee “vulnerability-free” software but can be helpful in fast discovery of CVE.

High-level Goals

• SBOM should be machine-readable
• SBOM should be generated automatically
• SBOM should be static
• SBOM should be cryptographically signed

SBOM should contain:

• binary executables
• binary libraries
• packages (RPMs, wheels, jars, npm)

Describe the solution you'd like
TBD

Describe alternatives you've considered
TBD

Additional context
We need to figure out how to include/embed/reference SBOM from base operating system (composability)

https://cyclonedx.org/ might be interesting

Acceptance Criteria
TBD

[goern]

/priority backlog
/lifecycle frozen

[codificat]

/triage needs-information

[fridex]

Related: #361

[codificat]

/remove-label needs-triage

[sesheta]

@codificat: The label(s) /remove-label needs-triage cannot be applied. These labels are supported: community/discussion, community/group-programming, community/maintenance, community/question, deployment_name/ocp4-stage, deployment_name/ocp4-test, deployment_name/moc-prod, hacktoberfest, hacktoberfest-accepted, kind/cleanup, kind/demo, kind/deprecation, kind/documentation, kind/question, sig/advisor, sig/build, sig/cyborgs, sig/devops, sig/documentation, sig/indicators, sig/investigator, sig/knowledge-graph, sig/slo, sig/solvers, thoth/group-programming, thoth/human-intervention-required, thoth/potential-observation, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, triage/accepted, triage/duplicate, triage/needs-information, triage/not-reproducible, triage/unresolved, lifecycle/submission-accepted, lifecycle/submission-rejected

In response to this:

/remove-label needs-triage

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[goern]

/sig user-experience