Conversation

@rizul2108
Collaborator

@rizul2108 rizul2108 commented Feb 27, 2025

Add Support for Attaching SBOM to Artifacts

Description

This pull request introduces functionality to attach a Software Bill of Materials (SBOM) to artifacts.
By incorporating SBOMs, users can enhance the security and transparency of their artifacts by providing detailed metadata about their contents.

Key Changes

  • Implemented a new command to attach SBOMs to specified artifacts.
  • Integrated validation to ensure the SBOM meets the required standards before attachment.
  • Generated the SBOM using the go.mod file instead of the binary, as go.mod includes all license information, whereas the binary does not.

Related Issue

This PR addresses issue #229, highlighting the need for improved artifact metadata management.

rizul2108 and others added 2 commits February 27, 2025 23:34
@rizul2108 rizul2108 marked this pull request as draft February 27, 2025 18:13
@rizul2108 rizul2108 marked this pull request as ready for review March 3, 2025 04:07
@rizul2108
Collaborator Author

@bupd can you review this once?

Collaborator

@bupd bupd left a comment

I was testing this, but I am getting the below error.

│ ✔ Container.from(address: "anchore/syft:v1.9.0"): Container! 3.5s
│ ✔ .withMountedDirectory(
│ │ │ path: "/src"
│ │ │ source: no(digest: "sha256:9238d928642f223db27e5a22ffc3a5760ea5cf8584c419da5587bf78643dc8ce"): Missing
│ │ ): Container! 0.0s
│ ✔ .withWorkdir(path: "/src"): Container! 0.0s
│ ✘ .withExec(args: ["syft", "packages", "go.mod", "-o", "spdx-json"]): Container! 0.6s
│ ┃ panic: exec: "syft": executable file not found in $PATH
│ ┃
│ ┃ goroutine 1 [running]:
│ ┃ main.main()
│ ┃         /app/cmd/init/main.go:115 +0x906
│ ! process "syft packages go.mod -o spdx-json" did not complete successfully: exit code: 2
│ ✘ .stdout: String! 3.6s
│ ! process "syft packages go.mod -o spdx-json" did not complete successfully: exit code: 2
│ │ ✔ remotes.docker.resolver.HTTPRequest 0.3s
│ │ ✔ remotes.docker.resolver.HTTPRequest 0.6s
│ │ ✔ remotes.docker.resolver.HTTPRequest 0.8s
│ │ ✔ remotes.docker.resolver.HTTPRequest 2.2s
│ │ ✔ remotes.docker.resolver.HTTPRequest 0.9s
│ │ ✔ remotes.docker.resolver.HTTPRequest 0.9s

Error logs:

✘ .publishImageAndSign(
│ │ imageTags: ["sbom"]
│ │ registry: "demo.goharbor.io"
│ │ registryPassword: ✔ secret(uri: "env://REGPASS"): Secret! 0.0s
│ │ registryUsername: "harbor-cli"
│ ): String! 28.7s
🛠️  Building with Dagger...
provided tags: [sbom]
Published image address: demo.goharbor.io/harbor-cli/harbor-cli:sbom@sha256:b214d890869725166c15f2b06aa00f3e0e05887f73a8e8b4f56131c5fb522067
! process "syft packages go.mod -o spdx-json" did not complete successfully: exit code: 2

✘ .withExec(args: ["git", "rev-parse", "--short", "HEAD", "--always"]): Container! 0.3s
fatal: not a git repository: /home/bupd/s/code/OSS/harbor-cli/worktrees/pr
! process "git rev-parse --short HEAD --always" did not complete successfully: exit code: 128

✘ .withExec(args: ["syft", "packages", "go.mod", "-o", "spdx-json"]): Container! 0.6s
panic: exec: "syft": executable file not found in $PATH

goroutine 1 [running]:
main.main()
        /app/cmd/init/main.go:115 +0x906
! process "syft packages go.mod -o spdx-json" did not complete successfully: exit code: 2

Setup tracing at https://dagger.cloud/traces/setup. To hide set DAGGER_NO_NAG=1

A new release of dagger is available: v0.15.4 → v0.16.3
To upgrade, see https://docs.dagger.io/install
https://github.com/dagger/dagger/releases/tag/v0.16.3

@rizul2108
Collaborator Author

Oh, I will check once what the issue is. Sorry for that.

@rizul2108 rizul2108 marked this pull request as draft April 12, 2025 10:55
@Vad1mo
Member

Vad1mo commented Apr 22, 2025

@rizul2108 can you rebase your changes on top of main...

@bupd
Collaborator

bupd commented Jul 15, 2025

Closing in favor of #491.

@bupd bupd closed this Jul 15, 2025