Open ricardosalveti opened 1 month ago
For that purpose I think we can use INCOMPATIBLE_LICENSE with the SPDX license identifiers that we don't want.
Building an image without GNU General Public License Version 3 (GPLv3), GNU Lesser General Public License Version 3 (LGPLv3), and the GNU Affero General Public License Version 3 (AGPL-3.0) components is only tested for core-image-minimal image. Furthermore, if you would like to build an image and verify that it does not include GPLv3 and similarly licensed components, you must make the following changes in the image recipe file before using the BitBake command to build the image:
INCOMPATIBLE_LICENSE = "GPL-3.0* LGPL-3.0*"
Alternatively, you can adjust local.conf file, repeating and adjusting the line for all images where the license restriction must apply:
INCOMPATIBLE_LICENSE:pn-your-image-name = "GPL-3.0* LGPL-3.0*"
https://docs.yoctoproject.org/ref-manual/images.html
https://docs.yoctoproject.org/ref-manual/variables.html#term-INCOMPATIBLE_LICENSE
Our distribution issues are not specific to a certain license, but instead a combination of project + license, which is why we need a list of what can be approved for distribution.
Post-build filter that evaluates the generated SBOM against a pre-approved SBOM list, to allow image distribution.
The job should fail in case a new package gets included that was not previously approved in the approved list.
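A minimal sketch of the post-build gate described above, added here as an example and not code from this issue or the project. It assumes the image SBOM is in SPDX 2.x JSON form (a "packages" array with "name", "versionInfo" and "licenseConcluded"), uses a constructed sample document instead of a real deploy-dir file, and treats approval as a (package, license) pair so that a relicensed package fails the check just like a new one.

```python
import json

# Constructed sample in SPDX 2.x JSON shape. A real Yocto image SBOM from
# the create-spdx class would be read from the deploy directory instead.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "core-image-minimal",
    "packages": [
        {"name": "busybox", "versionInfo": "1.36.1", "licenseConcluded": "GPL-2.0-only"},
        {"name": "openssl", "versionInfo": "3.1.4", "licenseConcluded": "Apache-2.0"},
        {"name": "readline", "versionInfo": "8.2", "licenseConcluded": "GPL-3.0-or-later"},
    ],
})

# Pre-approved (package, license) combinations (constructed). Approval is per
# project AND license, not per license alone, as the issue requires.
APPROVED = {
    ("busybox", "GPL-2.0-only"),
    ("openssl", "Apache-2.0"),
}


def sbom_packages(sbom_json: str):
    """Yield (name, license) pairs from an SPDX JSON document."""
    doc = json.loads(sbom_json)
    for pkg in doc.get("packages", []):
        name = pkg.get("name", "")
        # Fall back to the declared license when no concluded license is set;
        # NOASSERTION never matches an approved pair unless listed explicitly.
        lic = pkg.get("licenseConcluded") or pkg.get("licenseDeclared") or "NOASSERTION"
        yield name, lic


def unapproved(sbom_json: str, approved: set) -> list:
    """Return the sorted (package, license) pairs in the SBOM that are not approved."""
    return sorted({pair for pair in sbom_packages(sbom_json) if pair not in approved})


def check_image(sbom_json: str, approved: set) -> int:
    """Post-build gate: return exit status 1 when any unapproved package appears."""
    bad = unapproved(sbom_json, approved)
    for name, lic in bad:
        print(f"NOT APPROVED: {name} ({lic})")
    return 1 if bad else 0


if __name__ == "__main__":
    raise SystemExit(check_image(SAMPLE_SBOM, APPROVED))
```

Run as the last step of the image build job; a non-zero exit blocks distribution until the new package/license pair is added to the approved list.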