Feat: add SBOM support

[rchincha]

Is your feature request related to a problem? Please describe.

Generate SBOMs of out generated layers.

Describe the solution you'd like

No response

Describe alternatives you've considered

No response

Additional context

No response

[rchincha]

Add a directive as follows:

build:
  from: ...
  bom:
      - package: pkg1
         path: /dir1
      - package: pkg2
         path: /dir2
    run: |
         my-bom-tool ... > /stacker-artifacts/test.bom
   ...

When the bom directive is specified, a /stacker-artifacts is also bind-mounted into the container 1) One can run their own bom tool to genetate BOMs etc and output under /stacker-artifacts. We do this since it is not realistically possible to enable all scenarios (pkg mgmt cleanup, build/pkging staging, etc) https://github.com/anchore/syft https://github.com/kubernetes-sigs/bom https://github.com/microsoft/sbom-tool https://github.com/sbomtools/apt2sbom

2) One can also just specify bom generation directives. This option is useful when we don't have a run: specified and still want a bom. So one of the above as a library to be linked into stacker.

Each layer also gets a full file list of paths, sizes and checksums. This list is compared with the generated boms and if there are missing files, then the build fails - we must account for everything.

In terms of implementation, we create a internal-go bom cmd for the bom: directive. This must run in the container with the layer rootfs.

Finally, we can merge the boms and publish to a OCI registry with references support.

[rchincha]

All installed pkgs: /var/lib/rpm/rpmdb.sqlite /var/lib/dpkg/status /lib/apk/db/installed

[smoser]

This is related https://github.com/project-stacker/stacker/issues/477 .

Maybe it is completely a dupe of this?

[mikemccracken]

@rchincha this is done now right?