FDio / govpp

Go toolset for the VPP.
Apache License 2.0

GoVPP Software Bill of Materials Generation #193

Closed dwallacelf closed 5 months ago

dwallacelf commented 7 months ago

Per recommendations by the LF Networking Security Forum on the Security Best Practices Wiki Page, GoVPP releases should include the generation of a Software Bill of Materials in SPDX 2.2 or greater format.

dwallacelf commented 7 months ago

Per this blog entry [0], Github incorporates the generation of SPDX formatted SBOM json file from the 'Insights->Dependency Graph' page [1] by hitting the "Export SBOM" button.

@ondrej-fabry, given the releases tags provide a convenient URL to retrieve tarballs of the source code, does it make sense to download & check the latest SBOM file into the tree (e.g. RELEASE_SBOM.json) before each release?

[0] https://github.blog/2023-03-28-introducing-self-service-sboms/
[1] https://github.com/FDio/govpp/network/dependencies
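An added example, not code from GoVPP or from this issue: a release-time check that a committed SBOM such as the proposed RELEASE_SBOM.json is an SPDX 2.2-or-greater document with a non-empty package list, the requirement from the first comment. The file name, the `sbomDoc` type and the embedded sample document (its package names are constructed) are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// sampleSBOM is a constructed, minimal SPDX 2.3 document, not a real GitHub export.
const sampleSBOM = `{"spdxVersion":"SPDX-2.3","packages":[
  {"name":"go.fd.io/govpp","versionInfo":"v0.0.0-sample"},
  {"name":"example.org/dep","versionInfo":"v1.2.3"}]}`

// sbomDoc holds only the SPDX JSON fields the release check needs.
type sbomDoc struct {
	SPDXVersion string                             `json:"spdxVersion"`
	Packages    []struct{ Name string `json:"name"` } `json:"packages"`
}

// CheckSBOM parses an SPDX JSON SBOM and rejects anything older than SPDX-2.2
// or with an empty package list. It returns the number of packages recorded.
func CheckSBOM(data []byte) (int, error) {
	var doc sbomDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return 0, fmt.Errorf("parse SBOM: %w", err)
	}
	var major, minor int // spdxVersion is written "SPDX-<major>.<minor>"
	if n, _ := fmt.Sscanf(doc.SPDXVersion, "SPDX-%d.%d", &major, &minor); n != 2 {
		return 0, fmt.Errorf("unrecognised spdxVersion %q", doc.SPDXVersion)
	}
	if major < 2 || (major == 2 && minor < 2) {
		return 0, fmt.Errorf("%s is older than the required SPDX-2.2", doc.SPDXVersion)
	}
	if len(doc.Packages) == 0 {
		return 0, fmt.Errorf("SBOM lists no packages")
	}
	return len(doc.Packages), nil
}

func main() {
	data := []byte(sampleSBOM)
	if len(os.Args) > 1 {
		data, _ = os.ReadFile(os.Args[1]) // e.g. RELEASE_SBOM.json; a read error shows as a parse error
	}
	if n, err := CheckSBOM(data); err != nil {
		fmt.Println("SBOM check failed:", err)
	} else {
		fmt.Printf("SBOM OK: %d packages recorded\n", n)
	}
}
```

Run with no argument to check the built-in sample, or pass the path of the exported SBOM to check that file before tagging a release.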

dwallacelf commented 7 months ago

The procedure for generating SBOMs should be added to the Developer Documentation

sknat commented 7 months ago

We could also add this as part of the release process, and upload the generated sboms alongside the release packages