Extension of the OSISM SBOM by packages and checksums

[berendt]

As an SCS operator, I want to have a complete list of software (SBOM) (along with sources and versions) that gets pulled into my SCS deployment.

TODO:

• Collect SW included in container images
• Collect SW pulled in by playbooks etc.
• Add checksums

NOT YET TODO:

• Collect license information -> own story
• Collect security information -> own work package

Definition of Ready:

• User Story is small enough to be finished within one sprint
• User Story is clear and understood by the whole team
• Acceptance criteria are defined
• Acceptance criteria are clear and understood by the whole team

Definition of Done:

• All acceptance criteria are met
• Changes have been reviewed
• CI tests have run successfully
• Documentation has been updated
• Release Notes have been updated

[berendt]

Sample for 3.2.0: osism/sbom@a3d0820

[berendt]

Moved to Blocked. The preparation for the airgap is still needed for the list of the individual packages.

[garloff]

Cryptographic checksums are there and sufficient (sha256 for each container/artifact).
Should be mentioned in release notes.

[berendt]

Prepare SPDX files for several container images (ceph-ansible, kolla-ansible, osism-ansible, python-osism, inventory-reconciler). Added them to the SBOM repository.

SPDX files for kolla-images prepared, not yet pushed anywhere (because of the huge file size)

[berendt]

What still needs to be clarified here? The daily deployments will be changed this week. The rest is done.