chore: merge SBOM packages and remove old SBOM's

Author: cezar-r

twoliter/embedded/.rpm2img.swp

@@ -256,6 +256,23 @@ printf "%s\n" "${INVENTORY_DATA}" >"${ROOT_MOUNT}/usr/share/bottlerocket/applica
 # can access the inventory without needed to dig into the generated image.
 printf "%s\n" "${INVENTORY_DATA}" >"${OUTPUT_DIR}/application-inventory.json"
 
+# Merge SBOMs into a single json file
+KIT_SBOMS_DIR="${ROOT_MOUNT}/usr/share/sboms"
+if [ -d "${KIT_SBOMS_DIR}" ]; then
+  IMAGE_SBOM_DIR="${ROOT_MOUNT}/usr/share/bottlerocket"
+  mkdir -p "${IMAGE_SBOM_DIR}"
+  for format in "spdx" "cyclonedx"; do
+    image_sbom="${format}-sbom.json"
+    image_sbom_path="${IMAGE_SBOM_DIR}/${image_sbom}"
+    find "${KIT_SBOMS_DIR}" -name "*-${format}.json" -type f -exec sbomtool merge --output "${image_sbom_path}" {} \+
+
+    # Write the inventory to a file in the local build output directory
+    cp "${image_sbom_path}" "${OUTPUT_DIR}/${image_sbom}"
+  done
+  # Clean up old SBOM packages
+  rm -rf "${KIT_SBOMS_DIR}"
+fi
+
 # Regenerate module dependencies, if possible.
 KMOD_DIR="${ROOT_MOUNT}/lib/modules"
 # First decompress the kernel modules, so they can be recompressed by EROFS.