Goal:

• Some customers need to have an open source compliance process, e.g. to align with European Union directives. The compliance process needs the list of software installed in a system with their license. When using Image Builder to generate the OS images, having a SBOM would simplify the process.
• Ideally, the SBOM should be available in SPDX and CycloneDX formats to allow customers to use their format their tools support.

Acceptance Criteria:

• A SPDK formatted SBOM is available alongside an Image Builder generated compose
• A CycloneDX formatted SBOM is available alongside an Image Builder generated compose
• The SBOM are available via the Image Builder API
• The SBOM are available via the Image Builder Cockpit UI