Implement Paketo RFC 0038: CycloneDX + Syft SBOM

[robdimsdale]

To implement Paketo RFC0038, this buildpack (and the implementation buildpacks inside) will need to move from storing SBOM information in layer metadata to storing it in files that the CNB lifecycle can manipulate during the build. The RFC outlines what these files are and what they should contain.

This issue serves as a meta-issue for work required to complete this work for the Go language family. This will require (link Github issues as they are created):

[ ] Add filesystem-based SBOM in CPython

• Conform to Paketo RFC0038: Generate SBOM on filesystem as well as label metadata cpython#288

[ ] Add filesystem-based SBOM in Pipenv

• Conform to Paketo RFC0038: Generate SBOM on filesystem as well as label metadata pipenv#171

[ ] Add filesystem-based SBOM in Pip

• Conform to Paketo RFC0038: Generate SBOM on filesystem as well as label metadata pip#213

[ ] Add filesystem-based SBOM in Miniconda

• Conform to Paketo RFC0038: Generate SBOM on filesystem as well as label metadata miniconda#173

[ ] Add filesystem-based SBOM in Poetry

• Conform to Paketo RFC0038: Generate SBOM on filesystem as well as label metadata poetry#32

[ ] Adding SBOM support for application dependencies in Pipenv Install

• Conform to Paketo RFC0038: Generate SBOM for application dependencies pipenv-install#83

[ ] Adding SBOM support for application dependencies in Pip Install

• Conform to Paketo RFC0038: Generate SBOM for application dependencies pip-install#86

[ ] Adding SBOM support for application dependencies in Conda Env Update

• Conform to Paketo RFC0038: Generate SBOM for application dependencies conda-env-update#88

[ ] Adding SBOM support for application dependencies in Poetry Install

• Conform to Paketo RFC0038: Generate SBOM for application dependencies poetry-install#23

We should also evaluate if there any use-cases for generating an SBOM in the Python Start and Poetry Run buildpacks separate from SBOM generation for dependencies in the Pip Install/Pipenv Install/Conda Env Update/Poetry Install buildpacks.

Switching from label-based BOM to filesystem based SBOM will be a breaking change for consumers of this buildpack (and the buildpacks within them) so it might be prudent to consider also doing any additional breaking changes (e.g. dropping support for buildpack.yml) at the same time. Adding support for a filesystem SBOM will now be in addition to the existing label-based SBOM and will not be a breaking change.

[robdimsdale]

Update: we will wait for first-class support in pack (and hence occam) before implementing this. We will support both the metadata/label format and the filesystem format via packit/v2.

Marking this as blocked until occam testing framework is available.

[robdimsdale]

This is unblocked - the testing framework in occam is available for use.

[robdimsdale]

This is blocked on the upstream issues/PRs. Once they are all merged and the buildpacks are released we can unblock this issue and bump them in this buildpack.

[robdimsdale]

All sub-buildpacks have been release with SBOM support; we are waiting on automation to pick them up and bump them in this buildpack's buildpack.toml. Once that happens this issue will be complete.

[thitch97]

The implementation buildpacks have been updated in buildpack.toml and v0.14.0 of the buildpack has been released with SBOM support