Publish spdx files with generated images

[rothgar]

When a user generates a custom image with extensions we should publish an spdx file they can download and import into 3rd party tools for internal compliance and CVE verification.

Currently, if someone wants to verify CVEs from a 3rd party tool they can download the generic SBOM from github (without extensions) or they can read the spdx file from a running Talos system. Reading the spdx file from a running system wouldn't work for a system connected to Omni because of limits on the Talos API.

[frezbo]

If Omni allows reading spdx from Talos would this issue still be useful?

[rothgar]

The customers I've talked to have their own scanners and validation flows for security teams and those tools need manual file uploads or agents to scan systems.

They could theoretically download an iso from the image factory, boot it up, read the spdx, save the file, upload it to their tool, but some of their policies won't let them run Talos without first having it validated with the security tool.