
[FLINK-30578][build] Publish SBOM artifacts #21606

Merged: 1 commit, Jan 9, 2023

Conversation

@dongjoon-hyun (Member) commented Jan 6, 2023

What is the purpose of the change

This PR aims to publish SBOM artifacts.

Here is an article to give some context.

Software Bills of Materials (SBOMs) are additional artifacts containing the aggregate of all direct and transitive dependencies of a project. The US Government (based on NIST recommendations) currently accepts only the three most popular SBOM standards as valid, namely CycloneDX, Software Identification (SWID) tags and Software Package Data Exchange® (SPDX).

This PR uses the CycloneDX Maven plugin; CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

Brief change log

  • Add the cyclonedx-maven-plugin

Verifying this change

Each jar file will have two corresponding files, xxx-cyclonedx.xml and xxx-cyclonedx.json, like the following.

$ mvn install -DskipTests
...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 15:31 min
[INFO] Finished at: 2023-01-05T16:51:10-08:00
[INFO] Final Memory: 537M/3856M
[INFO] ------------------------------------------------------------------------

$ ls -al ~/.m2/repository/org/apache/flink/flink-core/1.17-SNAPSHOT/
total 7176
drwxr-xr-x  9 dongjoon  staff      288 Jan  5 14:56 .
drwxr-xr-x  5 dongjoon  staff      160 Jan  5 14:56 ..
-rw-r--r--  1 dongjoon  staff      315 Jan  5 14:56 _remote.repositories
-rw-r--r--  1 dongjoon  staff    33566 Jan  5 14:56 flink-core-1.17-SNAPSHOT-cyclonedx.json
-rw-r--r--  1 dongjoon  staff    29527 Jan  5 14:56 flink-core-1.17-SNAPSHOT-cyclonedx.xml
-rw-r--r--  1 dongjoon  staff  1775935 Jan  5 14:56 flink-core-1.17-SNAPSHOT-tests.jar
-rw-r--r--  1 dongjoon  staff  1804660 Jan  5 14:56 flink-core-1.17-SNAPSHOT.jar
-rw-r--r--  1 dongjoon  staff    10071 Jan  5 14:56 flink-core-1.17-SNAPSHOT.pom
-rw-r--r--  1 dongjoon  staff     1324 Jan  5 14:56 maven-metadata-local.xml

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): Yes, but it's a plugin dependency.
  • The public API, i.e., is any changed class annotated with @Public(Evolving): No
  • The serializers: No
  • The runtime per-record code paths (performance sensitive): No
  • Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: No
  • The S3 file system connector: No

Documentation

  • Does this pull request introduce a new feature? No
  • If yes, how is the feature documented? N/A
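As an added example (not code from this PR, from Flink or from the CycloneDX project), here is a small Python consumer for the xxx-cyclonedx.json files the plugin attaches to each jar. It does the three things a reviewer wants from a published SBOM: answer "which version of library X ships in this build?", walk the resolved dependency graph, and flag entries that make an SBOM unusable downstream (a component with no Package URL cannot be matched against advisories, one with no hashes cannot be tied to the binary actually shipped, and a dependency edge pointing at an unknown bom-ref means the graph is broken). The embedded document is constructed to mirror the plugin's output shape; its coordinates, hash and the function names `load_sbom`, `component_index`, `find_versions`, `transitive_dependencies` and `find_problems` are all my own and not part of the plugin.

```python
import json
from collections import deque

# Constructed sample: same shape as the <artifact>-cyclonedx.json files the
# plugin attaches (CycloneDX 1.4). The module itself is metadata.component,
# each resolved dependency is a component with a Package URL (purl), and
# "dependencies" is the resolved graph keyed by bom-ref. Coordinates and the
# hash are invented; the last component and the last edge are deliberately
# incomplete so the checks below have something to report.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"component": {
      "type": "library", "group": "org.example", "name": "demo-core",
      "version": "1.0-SNAPSHOT",
      "purl": "pkg:maven/org.example/demo-core@1.0-SNAPSHOT?type=jar",
      "bom-ref": "pkg:maven/org.example/demo-core@1.0-SNAPSHOT?type=jar"}},
  "components": [
    {"type": "library", "scope": "required", "group": "org.example",
     "name": "demo-util", "version": "2.3.1",
     "hashes": [{"alg": "SHA-256", "content":
       "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}],
     "purl": "pkg:maven/org.example/demo-util@2.3.1?type=jar",
     "bom-ref": "pkg:maven/org.example/demo-util@2.3.1?type=jar"},
    {"type": "library", "scope": "required", "group": "org.example",
     "name": "demo-logging", "version": "1.2.0",
     "purl": "pkg:maven/org.example/demo-logging@1.2.0?type=jar",
     "bom-ref": "pkg:maven/org.example/demo-logging@1.2.0?type=jar"},
    {"type": "library", "scope": "excluded", "group": "org.example",
     "name": "demo-test-helper", "version": "0.9",
     "bom-ref": "demo-test-helper@0.9"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/org.example/demo-core@1.0-SNAPSHOT?type=jar",
     "dependsOn": ["pkg:maven/org.example/demo-util@2.3.1?type=jar",
                   "demo-test-helper@0.9"]},
    {"ref": "pkg:maven/org.example/demo-util@2.3.1?type=jar",
     "dependsOn": ["pkg:maven/org.example/demo-logging@1.2.0?type=jar"]},
    {"ref": "pkg:maven/org.example/demo-logging@1.2.0?type=jar",
     "dependsOn": ["pkg:maven/org.example/gone-missing@0.0.1?type=jar"]}
  ]
}
"""


def load_sbom(text: str) -> dict:
    """Parse a CycloneDX JSON document, rejecting anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def component_index(bom: dict) -> dict:
    """Map bom-ref -> component, root component (metadata) included."""
    index = {}
    root = bom.get("metadata", {}).get("component")
    if root and root.get("bom-ref"):
        index[root["bom-ref"]] = root
    for comp in bom.get("components", []):
        if comp.get("bom-ref"):
            index[comp["bom-ref"]] = comp
    return index


def find_versions(bom: dict, group: str, name: str) -> list:
    """All versions of group:name in the build (the advisory-triage question)."""
    return sorted(c.get("version", "") for c in bom.get("components", [])
                  if c.get("group") == group and c.get("name") == name)


def transitive_dependencies(bom: dict, ref: str) -> set:
    """bom-refs reachable from ref via the dependencies graph, ref excluded.
    Breadth-first with a seen-set, so a cyclic or malformed graph terminates."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, queue = set(), deque(edges.get(ref, []))
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(edges.get(current, []))
    return seen


def find_problems(bom: dict) -> list:
    """Entries a reviewer should not accept: no purl, no hashes, dangling edge."""
    problems = []
    index = component_index(bom)
    for comp in bom.get("components", []):
        label = f"{comp.get('group')}:{comp.get('name')}:{comp.get('version')}"
        if not comp.get("purl"):
            problems.append(f"{label}: missing purl")
        if not comp.get("hashes"):
            problems.append(f"{label}: missing hashes")
    for dep in bom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            if target not in index:
                problems.append(f"{dep.get('ref')}: dependsOn unknown bom-ref {target}")
    return problems


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM_JSON)
    root_ref = bom["metadata"]["component"]["bom-ref"]
    print("demo-util versions:", find_versions(bom, "org.example", "demo-util"))
    print("refs reachable from root:", len(transitive_dependencies(bom, root_ref)))
    for problem in find_problems(bom):
        print("PROBLEM", problem)
```

To run it against a real build, replace `SAMPLE_SBOM_JSON` with the contents of one of the `flink-core-*-cyclonedx.json` files from the listing above; the same functions apply, since the plugin emits the same top-level keys.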

@flinkbot (Collaborator) commented Jan 6, 2023

CI report:

Bot commands: the @flinkbot bot supports the following commands:
  • @flinkbot run azure: re-run the last Azure build

@dongjoon-hyun dongjoon-hyun marked this pull request as draft January 6, 2023 00:33
@dongjoon-hyun dongjoon-hyun marked this pull request as ready for review January 6, 2023 00:52
@dongjoon-hyun (Member, Author) commented:

cc @gyfora , @mbalassi , @morhidi, @gaborgsomogyi

@mbalassi mbalassi self-assigned this Jan 6, 2023
@mbalassi mbalassi self-requested a review January 8, 2023 21:37
@mbalassi (Contributor) left a comment:

Thank you @dongjoon-hyun. Just to make sure that I understand correctly: do these BOM files get automatically published on maven deploy?

@mbalassi mbalassi merged commit 9bb6500 into apache:master Jan 9, 2023
@dongjoon-hyun (Member, Author) commented:

Thank you for merging, @mbalassi !

@dongjoon-hyun dongjoon-hyun deleted the FLINK-30578 branch January 9, 2023 23:18
@mbalassi (Contributor) commented:

Thanks, @dongjoon-hyun. Works like a charm:
https://repository.apache.org/content/repositories/snapshots/org/apache/flink/flink-core/1.17-SNAPSHOT/
