Extension of the OSISM SBOM by packages and checksums

[berendt]

As an SCS operator, I want to have a complete list of software (SBOM) (along with sources and versions) that gets pulled into my SCS deployment.

TODO:

• [x] Collect SW included in container images
• [ ] Collect SW pulled in by playbooks etc.
• [x] Add checksums

NOT YET TODO:

• [ ] Collect license information -> own story
• [ ] Collect security information -> own work package

Definition of Ready:

• [ ] User Story is small enough to be finished within one sprint
• [ ] User Story is clear and understood by the whole team
• [ ] Acceptance criteria are defined
• [ ] Acceptance criteria are clear and understood by the whole team

Definition of Done:

• [ ] All acceptance criteria are met
• [ ] Changes have been reviewed
• [ ] CI tests have run successfully
• [ ] Documentation has been updated
• [ ] Release Notes have been updated

[berendt]

Sample for 3.2.0: https://github.com/osism/sbom/commit/a3d0820e6261250e648b3e18312da55017ced292

[berendt]

Moved to Blocked. The preparation for the airgap is still needed for the list of the individual packages.

[garloff]

Cryptographic checksums are there and sufficient (sha256 for each container/artifact). Should be mentioned in release notes.

[berendt]

Prepare SPDX files for several container images (ceph-ansible, kolla-ansible, osism-ansible, python-osism, inventory-reconciler). Added them to the SBOM repository.

SPDX files for kolla-images prepared, not yet pushed anywhere (because of the huge file size)

[berendt]

What still needs to be clarified here? The daily deployments will be changed this week. The rest is done.