
[WIP] Generate SBOM on release#6075

Draft
6543 wants to merge 14 commits into woodpecker-ci:main from 6543-forks:gen-sbom

Conversation

@6543
Member

@6543 6543 commented Feb 6, 2026

close #2849

we use trivy for golang as it injects license infos
and syft as each go binary results in different modules being compiled in (go.mod does not help)
and use jq to combine both tool outputs

image
Generation log:
=== Generating base SBOM with license information ===
trivy fs --scanners license --license-full --format spdx-json -o dist/base.go.spdx.json go.mod
2026-02-06T15:10:26+01:00	INFO	[license] Full license scanning is enabled
2026-02-06T15:10:27+01:00	INFO	Number of language-specific files	num=1

📣 Notices:
  - Version 0.69.1 of Trivy is now available, current version is 0.68.2

To suppress version checks, run Trivy scans with the --skip-version-check flag


=== Generating WebUI SBOM ===
trivy fs --scanners license --license-full --format spdx-json -o dist/webui.spdx.json web/
2026-02-06T15:10:27+01:00	INFO	[license] Full license scanning is enabled
2026-02-06T15:10:28+01:00	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2026-02-06T15:10:28+01:00	INFO	Number of language-specific files	num=1

📣 Notices:
  - Version 0.69.1 of Trivy is now available, current version is 0.68.2

To suppress version checks, run Trivy scans with the --skip-version-check flag

=== Generating binary-specific dependency lists ===
syft scan file:dist/server/linux_amd64/woodpecker-server -o spdx-json > dist/server-deps.spdx.json
 ✔ Indexed file system    dist/server/linux_amd64/woodpecker-server
 ✔ Cataloged contents     63ae36dc3cd0e1276b81be14c78abe04d3e9df9bbe36b1ce5732bb673a12a36e
   ├── ✔ Packages         [114 packages]
   ├── ✔ Executables      [1 executables]
   ├── ✔ File metadata    [1 locations]
   └── ✔ File digests     [1 files]
syft scan file:dist/agent/linux_amd64/woodpecker-agent -o spdx-json > dist/agent-deps.spdx.json
 ✔ Indexed file system    dist/agent/linux_amd64/woodpecker-agent
 ✔ Cataloged contents     d3fb6582967b56d859a3161520b57dfabce2bac04c36bbda9b9c8e8eafbdc908
   ├── ✔ Packages         [80 packages]
   ├── ✔ Executables      [1 executables]
   ├── ✔ File metadata    [1 locations]
   └── ✔ File digests     [1 files]
syft scan file:dist/cli/linux_amd64/woodpecker-cli -o spdx-json > dist/cli-deps.spdx.json
 ✔ Indexed file system    dist/cli/linux_amd64/woodpecker-cli
 ✔ Cataloged contents     53ac782a119b967e550c1a27bed32672be497b3d0284bd4c19f6aef24a9bdcdd
   ├── ✔ Packages         [125 packages]
   ├── ✔ Executables      [1 executables]
   ├── ✔ File digests     [1 files]
   └── ✔ File metadata    [1 locations]
=== Filtering base SBOM for each binary ===

=== Combining Server + WebUI ===

=== Package Counts ===
Base (all go.mod):  225 packages
Server (combined):  219 packages
  Server (Go):      114 packages
  Server (WebUI):   105 packages
Agent binary:       79 packages
CLI binary:         124 packages

=== License Coverage ===
Server with licenses: 215/219
Agent with licenses:  78/79
CLI with licenses:    123/124

=== License Distribution (Server) ===
  148   MIT
  27    Apache-2.0
  26    BSD-3-Clause
  6     MPL-2.0
  4     NOASSERTION
  3     ISC
  2     BSD-2-Clause
  1     Apache-2.0 AND MIT
  1     CC0-1.0
  1     MPL-2.0 OR Apache-2.0

=== License Distribution (Agent) ===
  33    Apache-2.0
  22    MIT
  14    BSD-3-Clause
  4     Apache-2.0 AND BSD-3-Clause
  2     Apache-2.0 AND MIT
  1     Apache-2.0 AND BSD-3-Clause AND MIT
  1     BSD-2-Clause
  1     ISC
  1     NOASSERTION

=== License Distribution (CLI) ===
  62    MIT
  34    Apache-2.0
  16    BSD-3-Clause
  4     Apache-2.0 AND BSD-3-Clause
  3     BSD-2-Clause
  2     Apache-2.0 AND MIT
  1     Apache-2.0 AND BSD-3-Clause AND MIT
  1     ISC
  1     NOASSERTION

=== Cleaning up intermediate files ===

✓ SBOM generation complete!

=== Files Generated ===
  - dist/server.spdx.json
  - dist/agent.spdx.json
  - dist/cli.spdx.json

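The "filter the base SBOM for each binary" and "combine Server + WebUI" steps from the description above, written out as an added example (this is not code from the PR, which does the same job with jq). It takes a trivy go.mod SBOM that carries licenses, keeps only the modules syft actually found linked into a binary, copies the license fields across, merges the WebUI SBOM into the server one, and then computes the coverage and distribution numbers the log prints. Packages are matched on the purl (type/name@version), which both tools emit; names, versions and SPDXIDs in the sample documents are constructed stand-ins, not real module data. Relationships that point at a dropped SPDXID are removed so the filtered document stays a valid SPDX file.

```python
"""Per-binary SPDX SBOMs with license data: filter a trivy go.mod license SBOM down to the
modules syft saw in a binary, merge the WebUI SBOM into the server one, report coverage."""
from collections import Counter

NO_LICENSE = ("NOASSERTION", "NONE", "")


def purl(pkg):
    """The package's purl with qualifiers stripped, or None if the tool did not emit one."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"].split("?", 1)[0]
    return None


def pkg_key(pkg):
    """Key used to match a syft package to a trivy package: purl, else name@version."""
    return purl(pkg) or f'{pkg["name"]}@{pkg.get("versionInfo", "")}'


def has_license(pkg):
    return any(pkg.get(f, "NOASSERTION") not in NO_LICENSE
               for f in ("licenseConcluded", "licenseDeclared"))


def filter_to_binary(base, binary):
    """Keep only the packages syft found in the binary; take license fields from the trivy base SBOM."""
    licensed = {pkg_key(p): p for p in base["packages"]}
    packages = []
    for pkg in binary["packages"]:
        merged = dict(pkg)
        src = licensed.get(pkg_key(pkg))
        if src is not None:
            for field in ("licenseConcluded", "licenseDeclared"):
                if src.get(field, "NOASSERTION") not in NO_LICENSE:
                    merged[field] = src[field]
        packages.append(merged)
    return _with_packages(binary, packages)


def combine(primary, extra):
    """Append extra's packages (e.g. the WebUI SBOM) to primary, skipping duplicate keys.
    Only primary's relationships are kept; extra's would need its SPDXIDs re-namespaced."""
    seen = {pkg_key(p) for p in primary["packages"]}
    packages = list(primary["packages"]) + [p for p in extra["packages"] if pkg_key(p) not in seen]
    return _with_packages(primary, packages)


def _with_packages(doc, packages):
    """Copy doc with a new package list; drop relationships that reference a removed SPDXID."""
    ids = {p["SPDXID"] for p in packages} | {doc.get("SPDXID", "SPDXRef-DOCUMENT")}
    out = {k: v for k, v in doc.items() if k not in ("packages", "relationships")}
    out["packages"] = packages
    out["relationships"] = [r for r in doc.get("relationships", [])
                            if r["spdxElementId"] in ids and r["relatedSpdxElement"] in ids]
    return out


def license_coverage(doc):
    """(packages with a license, total packages), the check printed per binary in the log."""
    return sum(has_license(p) for p in doc["packages"]), len(doc["packages"])


def license_distribution(doc):
    """Count of license expressions (concluded, else declared), NOASSERTION included."""
    return Counter(
        p["licenseConcluded"] if p.get("licenseConcluded", "NOASSERTION") not in NO_LICENSE
        else p.get("licenseDeclared", "NOASSERTION")
        for p in doc["packages"])


def _pkg(spdxid, name, version, lic="NOASSERTION", ptype="golang"):
    """Constructed SPDX package with the few fields this script reads; real output has many more."""
    return {"SPDXID": spdxid, "name": name, "versionInfo": version,
            "licenseConcluded": lic, "licenseDeclared": lic,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": f"pkg:{ptype}/{name}@{version}"}]}


# Constructed stand-ins for the three tool outputs (module names and versions are made up).
TRIVY_BASE = {"SPDXID": "SPDXRef-DOCUMENT", "packages": [
    _pkg("SPDXRef-b1", "example.com/log", "v1.33.0", "MIT"),
    _pkg("SPDXRef-b2", "example.com/crypto", "v0.31.0", "BSD-3-Clause"),
    _pkg("SPDXRef-b3", "example.com/cli", "v3.0.0", "MIT"),     # only linked into the CLI binary
    _pkg("SPDXRef-b4", "example.com/nolicense", "v0.1.0"),     # trivy found no license file
], "relationships": []}

SYFT_SERVER = {"SPDXID": "SPDXRef-DOCUMENT", "packages": [
    _pkg("SPDXRef-s1", "example.com/log", "v1.33.0"),
    _pkg("SPDXRef-s2", "example.com/crypto", "v0.31.0"),
    _pkg("SPDXRef-s3", "example.com/nolicense", "v0.1.0"),
    _pkg("SPDXRef-s4", "stdlib", "go1.23.4"),                  # not in go.mod, so trivy has no license for it
], "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-s1"},
    {"spdxElementId": "SPDXRef-s1", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-gone"},
]}

TRIVY_WEBUI = {"SPDXID": "SPDXRef-DOCUMENT", "packages": [
    _pkg("SPDXRef-w1", "ui-lib", "3.5.0", "MIT", ptype="npm"),
    _pkg("SPDXRef-w2", "ui-store", "2.3.0", "MIT", ptype="npm"),
], "relationships": []}


if __name__ == "__main__":
    server = combine(filter_to_binary(TRIVY_BASE, SYFT_SERVER), TRIVY_WEBUI)
    print("Server with licenses: %d/%d" % license_coverage(server))
    for lic, n in license_distribution(server).most_common():
        print(f"  {n:<5} {lic}")
```

One thing to check when the coverage numbers come back empty on a runner but not locally: trivy's full license scan for go.mod reads license files out of the Go module cache, so a clean container that has not populated the cache (for example by running go mod download) has nothing to read and reports NOASSERTION for every module.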
@6543 6543 added the enhancement (improve existing features) and build (CI pipeline related) labels Feb 6, 2026
@6543 6543 mentioned this pull request Feb 6, 2026
@qwerty287
Contributor

Why can't we directly use a docker image for syft? https://hub.docker.com/hardened-images/catalog/dhi/syft

@6543
Member Author

6543 commented Feb 6, 2026

because they use a from scratch image which has no /bin/sh and we need that if we don't have a plugin for it...

@6543 6543 changed the title Generate SBOM on release [WIP] Generate SBOM on release Feb 6, 2026
@6543
Member Author

6543 commented Feb 6, 2026

WIP because:

  • works with make
  • ci does not retrieve license infos :/

@6543 6543 added the wip label Feb 6, 2026
@6543
Member Author

6543 commented Feb 6, 2026

via makefile

image

via ci currently:

image

(https://ci.woodpecker-ci.org/repos/3780/pipeline/31382/18)

@qwerty287 qwerty287 marked this pull request as draft February 6, 2026 15:18
@6543
Member Author

6543 commented Feb 6, 2026

=== License Coverage ===
Server with licenses: 103/219
Agent with licenses:  0/79
CLI with licenses:    0/124

still 🤔


Development

Successfully merging this pull request may close these issues.

Add SBOM info