CycloneDX SBOM for databroker and databroker-cli

[SebastianSchildt]

Creates a CycloneDX Software Bill of Materials (SBOM) for the databroker. Refactor createbom so it can collect licenses from a CycloneDX input file, so it may be reused for other parts of the project as well.

This PR

• replaces the custom format sbom.json in databroker and datbroker-cli docker containers with one following https://cyclonedx.org standard. That is (one of) the "right" ways to do to fullfil CRA requirements.
• In our containers and archives in release we also ship all relevant license texts. In this PR the createbom tool doing this has been refactored/extended, that it can extract those licenses from a CycloneDX SBOM
• createbom is not longer used to create the DASH input files, instead we are using an approach based on the recommendation by Dash: https://github.com/eclipse/dash-licenses?tab=readme-ov-file#example-rustcargo . Thus, less code for us to maintain

Smaller fixes

• updated some action versions
• Fix typo in RiscV archive (it had a double dash "--")
• Fix BSD-3-clause license (it seemed we were shipping an empty file)
• Added OpenSSL license text (now also included seperatey for ring, we did not do that before)

Notes

I read quite a bit about SBOM generation in the RUST ecosystem and decided to go for https://crates.io/crates/cargo-cyclonedx , as this seems the most promising way. "Built-in" support in cargo may be a couple of years off, and cargo development is quite slow these days. Similarly I think we should not try to do this "ourself" by hand. By using that crate we profit from developments in that area. I verified that currently we did not loose any information compared to the "old" way.

In the future the "collectlicensefromcyclonedx.py" might be refactored to live pip-installable in kuksa-common, as it might also be used for other components, i.e. Python based ones - as long as a Cyclone SBOM is available. Not part of this PR though

[erikbosch]

Should we possibly as part of this PR delete the third party section in https://github.com/eclipse/kuksa.val/blob/master/NOTICE.md#third-party-content ? It is anyway out of date, right?

[SebastianSchildt]

Wrt to NOTICE:I agree. I removed all outdated/weird content from Notice. I left the third party content section, trying to explain how you would get such informaton

[SebastianSchildt]

I think it does not even "touch" Rust much. I suggest, if no further feedback to merge Monday

[erikbosch]

Adding @argerus as reviewer - we need to decide when we want to have "code freeze" on Databroker in this repo, and/or when we want to "remove" Databroker from this repo. If we merge it here we need to make sure that it is integrated to the new repo.

[erikbosch]

Databroker has been migrated to https://github.com/eclipse-kuksa/kuksa-databroker. Please open a new pull request in that repo.

[SebastianSchildt]

Replaced by https://github.com/eclipse-kuksa/kuksa-databroker/pull/24