[RFC #0095] Lifecycle should merge CycloneDX bom files

[buildpack-bot]

This issue have been automatically created from pull request buildpacks/rfcs#166.

A/C

Given for example the following file tree:

/layers
  /config
    /sbom
      /launch
        /buildpack.id
          bom.cdx.json <- should be annotated with io.buildpacks.bom.buildpack.id (only) in the merged file
          /cache-true-launch-true
            bom.cdx.json <- should be annotated with io.buildpacks.bom.buildpack.id and io.buildpacks.bom.layer.name in the merged file
      /build
        /buildpack.id
          bom.cdx.json <- should be annotated with io.buildpacks.bom.buildpack.id (only) in the merged file
          /cache-true-launch-false
            bom.cdx.json <- should be annotated with io.buildpacks.bom.buildpack.id and io.buildpacks.bom.layer.name in the merged file

The lifecycle should create a merged launch bom containing bom entries from /layers/config/sbom/launch and similarly for build. See Slack inquiry on whether the merged bom should live at /layers/config/sbom/launch/bom.cdx.json or /layers/config/launch/sbom/bom.cdx.json.

Note that this is only applicable to cdx files, as spdx does not have readily available tooling.

[aemengo]

Related cycloneDX issue here: CycloneDX/cyclonedx-go#9
Let's see if they can provide an easy API method for us to do the merging.

[VinodAnandan]

Related PR : CycloneDX/cyclonedx-go#12