workflows: debos: Generate SBOM of rootfs with syft

[lool]

Depends on cleanup work in #29

Add a new job to generate SBOMs with Syft

[lool]

% zgrep cataloger rootfs-sbom.syft.txt.gz| sort | uniq -c
   1  Found by:	 deb-archive-cataloger
 466  Found by:	 dpkg-db-cataloger
   1  Found by:	 java-archive-cataloger
1353  Found by:	 linux-kernel-cataloger
  11  Found by:	 python-installed-package-cataloger

[lool]

Ok, this seems to do a good initial job; I'm not convinced by the value of the default set of catalogers, perhaps we should only keep the deb/dpkg catalogers active.

I checked the syft-json report, and it has:

   "licenses": [
    {
     "value": "Apache-2.0",
     "spdxExpression": "Apache-2.0",
     "type": "declared",
     "urls": [],
     "locations": [
      {
       "path": "/usr/share/doc/adbd/copyright",
       "accessPath": "/usr/share/doc/adbd/copyright"
[...]
   "purl": "pkg:deb/debian/[email protected]?arch=arm64&distro=debian&upstream=android-platform-tools",
   "metadataType": "dpkg-db-entry",
   "metadata": {
    "package": "adbd",
    "source": "android-platform-tools",
    "version": "34.0.5-12",

So I'm confident we could have a table of concluded licenses by source package, either using the syft csv/go templating or doing some light post-processing of the JSON.

[lool]

@ricardosalveti I think we could start with landing this, and then improve from there; what do you think?

[ricardosalveti]

@ricardosalveti I think we could start with landing this, and then improve from there; what do you think?

yeah, we can probably use deb/dpkg catalogers and merge the initial sbom generation even if that is package based at this point.

probably better to split the cleanup work in another pr.

next step would indeed be to merge the package based sbom to become a source package sbom.

[lool]

Rebasing on tip after the wave of CI changes

[lool]

Using syft's --select-catalogers debian picks up the dpkg and deb catalogers, which seems to be what we want here.

[lool]

license-report-csv.txt
@ricardosalveti what do you think of this report?

It has:

• one line per source package (sometimes that's the binary package when source info is not present)
• one column with list of binary packages
• source version (sometimes that's the binary version when source info is not present)
• one column with list of license ids found by syft
• one column with the sha256sum of the copyright files – it should be only one, otherwise it means different binary packages have different copyright files which is very unusual

[lool]

@ricardosalveti Note that it's a run without Xfce, so it's missing a bunch of packages, this is just to establish the format

[lool]

Noticed that the sha256sum of the copyrights weren't properly computed; adding a flag to the script for the path to the rootfs

[ricardosalveti]

LGTM, I think this is good for what we want now.