HMS-8913: Refactor the SBOM structure

    • Project: Insights Experiences
    • Type: Epic
    • Status: To Do
    • Resolution: Unresolved
    • Priority: Normal
    • Component: Image Builder
    • Labels: image-builder

      Image Builder currently generates a separate SBOM document for each osbuild pipeline that installs RPM packages. Moreover, these SBOMs contain no “meta” package representing the image itself that would serve as the single entry point into the SBOM. While this does not violate the SPDX standard, it does not follow the common practice of SBOM generators.

      Therefore, the goal is to always use a single entry point in the SBOM, the “meta” package representing the image, and to describe the image content as the content of this “meta” package. This allows Image Builder to represent all “layers” (corresponding to osbuild pipelines) that make up the image in a single SBOM. For image types where only a single “layer” carries content, the SBOM can optionally be flattened to omit the “meta” package for that osbuild pipeline, since there is only one pipeline that includes any external content (RPM packages, embedded container images, etc.).

      The benefit is that Image Builder will always produce only a single SBOM document for a given image, describing the image. There would be an additional SBOM document for the image buildroot environment, but that could also be optionally embedded in the image SBOM.

      There are two examples of how the SBOMs could look for various scenarios attached to this Epic.

      Implementation outline

      • Building on top of the implementation from https://issues.redhat.com/browse/HMS-8910, add logic to osbuild/images that adds a “meta” package representing the image, and one for each layer, to the SBOM with appropriate relationships.
      • The implementation should be flexible enough to allow generating one complete SBOM or an SBOM for a specific pipeline (i.e. the buildroot).
      • The implementation should allow extending the SBOM with additional information post-build. For example, add the hash of the image, which will be known only after the image has been built by osbuild.
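The layout described above (one “meta” package describing the image, one package per content-bearing pipeline, the RPMs attached to their layer, optional flattening, an optionally embedded buildroot SBOM, and a post-build step that adds the artifact hash) as an added illustration in SPDX 2.3 JSON. This is example code written for this page, not the osbuild/images implementation; the helper names, the document namespace, the sample pipeline contents and the choice of SPDX CONTAINS and BUILD_TOOL_OF as the “appropriate relationships” are assumptions made here.

```python
"""Illustration of the proposed single-entry-point SBOM layout (added example,
not osbuild/images code). Pipeline contents and helper names are constructed."""
import hashlib
import json

DOCUMENT_ID = "SPDXRef-DOCUMENT"


def spdx_ref(kind, name):
    """SPDX IDs may only contain letters, digits, '.' and '-'."""
    safe = "".join(c if c.isalnum() or c in ".-" else "-" for c in name)
    return f"SPDXRef-{kind}-{safe}"


def new_package(spdx_id, name, version=None):
    pkg = {"SPDXID": spdx_id, "name": name,
           "downloadLocation": "NOASSERTION", "filesAnalyzed": False}
    if version:
        pkg["versionInfo"] = version
    return pkg


def relation(src, kind, dst):
    return {"spdxElementId": src, "relationshipType": kind,
            "relatedSpdxElement": dst}


def build_sbom(name, pipelines, flatten=True, kind="Image"):
    """pipelines maps an osbuild pipeline name to the (rpm, version) list it
    installs. Pipelines with no external content get no layer package; with
    flatten=True a single content layer is merged into the root package."""
    root_id = spdx_ref(kind, name)
    doc = {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": DOCUMENT_ID,
        "name": name,
        "documentNamespace": f"https://example.invalid/spdx/{name}",  # assumed
        "packages": [new_package(root_id, name)],
        "relationships": [relation(DOCUMENT_ID, "DESCRIBES", root_id)],
    }
    with_content = {p: rpms for p, rpms in pipelines.items() if rpms}
    for pipeline, rpms in with_content.items():
        if flatten and len(with_content) == 1:
            parent = root_id  # only one layer: hang the RPMs off the image itself
        else:
            parent = spdx_ref("Layer", pipeline)
            doc["packages"].append(new_package(parent, pipeline))
            doc["relationships"].append(relation(root_id, "CONTAINS", parent))
        for rpm, version in rpms:
            # pipeline name in the ID keeps the same RPM in two layers distinct
            pkg_id = spdx_ref("Rpm", f"{pipeline}-{rpm}-{version}")
            doc["packages"].append(new_package(pkg_id, rpm, version))
            doc["relationships"].append(relation(parent, "CONTAINS", pkg_id))
    return doc


def root_package_id(doc):
    return next(r["relatedSpdxElement"] for r in doc["relationships"]
                if r["spdxElementId"] == DOCUMENT_ID
                and r["relationshipType"] == "DESCRIBES")


def embed_buildroot(image_doc, buildroot_doc):
    """Merge the buildroot SBOM into the image SBOM. The image keeps its single
    DESCRIBES entry point; the buildroot root becomes BUILD_TOOL_OF the image.
    Assumes pipeline names are distinct across the two documents."""
    image_root, build_root = root_package_id(image_doc), root_package_id(buildroot_doc)
    image_doc["packages"].extend(buildroot_doc["packages"])
    image_doc["relationships"].extend(
        r for r in buildroot_doc["relationships"] if r["relationshipType"] != "DESCRIBES")
    image_doc["relationships"].append(relation(build_root, "BUILD_TOOL_OF", image_root))
    return image_doc


def add_image_checksum(doc, image_bytes):
    """Post-build step: the artifact hash exists only after osbuild wrote the image."""
    root = next(p for p in doc["packages"] if p["SPDXID"] == root_package_id(doc))
    root["checksums"] = [{"algorithm": "SHA256",
                          "checksumValue": hashlib.sha256(image_bytes).hexdigest()}]
    return doc


def contained_by(doc, parent_id):
    return sorted(r["relatedSpdxElement"] for r in doc["relationships"]
                  if r["spdxElementId"] == parent_id and r["relationshipType"] == "CONTAINS")


# Constructed sample: an image-installer style manifest with two content layers,
# an assembler pipeline without packages, and a separate buildroot pipeline.
INSTALLER = {
    "anaconda-tree": [("anaconda", "34.25"), ("kernel", "5.14")],
    "os": [("bash", "5.1"), ("kernel", "5.14")],
    "bootiso": [],
}
BUILDROOT = {"build": [("rpm", "4.16"), ("osbuild", "130")]}

if __name__ == "__main__":
    sbom = build_sbom("rhel-image-installer", INSTALLER)
    embed_buildroot(sbom, build_sbom("rhel-image-installer-buildroot", BUILDROOT, kind="Buildroot"))
    add_image_checksum(sbom, b"constructed image bytes")  # stand-in for the real artifact
    print(json.dumps(sbom, indent=2))
```

Running the block prints one document with a single DESCRIBES relationship, two layer packages under the image root, the flattened buildroot attached as BUILD_TOOL_OF, and the SHA256 of the stand-in artifact on the root package. Keeping the buildroot as its own document is just a matter of skipping embed_buildroot and serializing the second build_sbom result separately.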

      Acceptance Criteria

      • The image SBOM produced by Image Builder has a single "meta" package entity, which describes the image itself.
      • The image SBOM produced by Image Builder describes all "layers" for multi-layer image types, such as the image-installer.
      • Image Builder produces a single SBOM for the image artifact.
      • For flexibility, it should be possible to include the buildroot environment SBOM in the image artifact SBOM, or generate it as a separate SBOM document.

      Assignee: Unassigned
      Reporter: Tomas Hozza (thozza@redhat.com)