Add SBOM enrichment usage CRD field for "package in use" feature #2908

Merged: 0intro merged 1 commit into main from djc/package-in-use2, Apr 22, 2026

Conversation

0intro (Member) commented Apr 16, 2026

What does this PR do?

Add first-class CRD support for sbom.enrichment.usage.enabled, which maps to DD_SBOM_ENRICHMENT_USAGE_ENABLED on both the core agent and system-probe containers. This decouples the "package in use" eBPF-based SBOM enrichment from CWS, matching the new agent config hierarchy.

Testing

  • Set specs.features.sbom.enrichment.usage.enabled to true in the CRD.
  • Generate a flare.
  • Look for LastSeenRunning in the .json files of the flare sbom folder.

Motivation

What inspired you to submit this pull request?

Additional Notes

Anything else we should know when reviewing?

Minimum Agent Versions

Are there minimum versions of the Datadog Agent and/or Cluster Agent required?

  • Agent: v7.79.0

Describe your test plan

Write there any instructions and details you may have to test your PR.

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label
  • All commits are signed (see: signing commits)
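
The last testing step above can be automated. This is an added example, not part of the PR or the operator's code: it walks the sbom folder of an extracted flare and counts LastSeenRunning keys per JSON file. The folder name "sbom", the function names and the sample files are assumptions constructed for illustration; the real SBOM JSON layout is not shown on this page, so the search does not depend on it.

```python
import json
import sys
import tempfile
from pathlib import Path

MARKER = "LastSeenRunning"  # field name from the PR's testing steps


def count_marker(node):
    """Count occurrences of MARKER as a key anywhere in a decoded JSON value."""
    if isinstance(node, dict):
        return sum((k == MARKER) + count_marker(v) for k, v in node.items())
    if isinstance(node, list):
        return sum(count_marker(v) for v in node)
    return 0


def scan_flare(flare_dir, sbom_subdir="sbom"):
    """Return ({relative_path: marker_count}, [files that are not valid JSON])."""
    base = Path(flare_dir) / sbom_subdir  # assumed folder name inside the flare
    counts, bad = {}, []
    for path in sorted(base.rglob("*.json")):
        rel = path.relative_to(base).as_posix()
        try:
            counts[rel] = count_marker(json.loads(path.read_text(encoding="utf-8")))
        except (json.JSONDecodeError, UnicodeDecodeError):
            bad.append(rel)
    return counts, bad


def write_sample_flare(root):
    """Write constructed sample files; a real flare's SBOM layout will differ."""
    sbom = Path(root) / "sbom"
    sbom.mkdir(parents=True)
    used = {"components": [{"name": "openssl", "LastSeenRunning": "2026-04-21T15:00:00Z"},
                           {"name": "zlib", "properties": {"LastSeenRunning": "2026-04-21T15:01:00Z"}}]}
    (sbom / "host.json").write_text(json.dumps(used), encoding="utf-8")
    (sbom / "container-a.json").write_text(json.dumps({"components": [{"name": "bash"}]}), encoding="utf-8")
    (sbom / "truncated.json").write_text('{"components": [', encoding="utf-8")
    return root


if __name__ == "__main__":
    # With no argument, run against the constructed sample instead of a real flare.
    target = sys.argv[1] if len(sys.argv) > 1 else write_sample_flare(tempfile.mkdtemp())
    counts, bad = scan_flare(target)
    for name, n in counts.items():
        print(f"{n:4d}  {name}")
    print("not valid JSON:", bad)
    sys.exit(0 if any(counts.values()) else 1)  # non-zero: no usage data found
```

A non-zero exit with the setting enabled means no file carried the field, which is the failure the test plan is meant to catch.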

chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5323ad9b41

Comment on lines +223 to +228
if f.enrichmentUsageEnabled {
managers.EnvVar().AddEnvVarToContainers(
[]apicommon.AgentContainerName{
apicommon.CoreAgentContainerName,
apicommon.SystemProbeContainerName,
},
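Review bot: The SystemProbeContainerName entry in this container list assumes a system-probe container exists whenever f.enrichmentUsageEnabled is true, and nothing in these lines shows the feature requesting one. The helm-charts change referenced further down this page auto-enables system-probe and hostPID for the same setting, so confirm the operator's SBOM feature does the equivalent when only sbom.enrichment.usage.enabled is set, and add a unit test for that configuration that asserts the variable on both containers. The hunk is cut off before the variable itself, so the name and value passed to AddEnvVarToContainers cannot be checked here.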

[P1] Provision system-probe privileges for SBOM enrichment

When f.enrichmentUsageEnabled is true, this path only adds DD_SBOM_ENRICHMENT_USAGE_ENABLED to core-agent/system-probe, but the feature never configures system-probe with the eBPF privileges setup (capabilities/AppArmor) that other system-probe-backed features add. In the common case where users enable SBOM enrichment without also enabling CWS/USM/NPM, system-probe runs without the privileges needed for runtime file-access probes, so the new features.sbom.enrichment.usage.enabled setting does not actually work.

Contributor

👎

codecov-commenter commented Apr 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.15%. Comparing base (6e2c0c9) to head (b558fd8).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2908      +/-   ##
==========================================
+ Coverage   40.08%   40.15%   +0.06%     
==========================================
  Files         320      320              
  Lines       28075    28107      +32     
==========================================
+ Hits        11254    11286      +32     
  Misses      16012    16012              
  Partials      809      809              
Flag Coverage Δ
unittests 40.15% <100.00%> (+0.06%) ⬆️

Files with missing lines Coverage Δ
...al/controller/datadogagent/feature/sbom/feature.go 70.00% <100.00%> (+8.13%) ⬆️

Comment on lines +223 to +228
if f.enrichmentUsageEnabled {
managers.EnvVar().AddEnvVarToContainers(
[]apicommon.AgentContainerName{
apicommon.CoreAgentContainerName,
apicommon.SystemProbeContainerName,
},
Contributor

👎

khewonc (Collaborator) left a comment

Can you add testing instructions in your PR description?

Comment thread test-package-in-use.sh Outdated
Add first-class CRD support for sbom.enrichment.usage.enabled, which
maps to DD_SBOM_ENRICHMENT_USAGE_ENABLED on both the core agent and
system-probe containers. This decouples the "package in use" eBPF-based
SBOM enrichment from CWS, matching the new agent config hierarchy.
@0intro 0intro force-pushed the djc/package-in-use2 branch from 017fd4b to b558fd8 Compare April 21, 2026 15:33
0intro (Member, Author) commented Apr 21, 2026

> Can you add testing instructions in your PR description?

Done.

diogocp (Member) commented Apr 21, 2026

We tested this in chillpenguin.us1.staging.dog using a custom operator build.

@khewonc khewonc added this to the v1.27.0 milestone Apr 21, 2026
@0intro 0intro merged commit ab3acdb into main Apr 22, 2026
45 checks passed
@0intro 0intro deleted the djc/package-in-use2 branch April 22, 2026 12:14
diogocp added a commit to DataDog/helm-charts that referenced this pull request Apr 28, 2026
Adds a new opt-in values key that sets DD_SBOM_ENRICHMENT_USAGE_ENABLED
on the core agent and system-probe to enable runtime "package in use"
SBOM enrichment via eBPF. Auto-enables system-probe and hostPID.

Requires Agent 7.79.0+.

See also: DataDog/datadog-operator#2908

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
gh-worker-dd-mergequeue-cf854d Bot pushed a commit to DataDog/helm-charts that referenced this pull request Apr 29, 2026
Add datadog.sbom.enrichment.usage.enabled

Adds a new opt-in values key that sets DD_SBOM_ENRICHMENT_USAGE_ENABLED
on the core agent and system-probe to enable runtime "package in use"
SBOM enrichment via eBPF. Auto-enables system-probe and hostPID.

Requires Agent 7.79.0+.

See also: DataDog/datadog-operator#2908

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Co-authored-by: diogo.pereira <diogo.pereira@datadoghq.com>