
@anders-elastisys (Contributor) commented May 26, 2025

Warning

This is a public repository, ensure not to disclose:

  • personal data beyond what is necessary for interacting with this pull request, nor
  • business confidential information, such as customer names.

What kind of PR is this?

Required: Mark one of the following that is applicable:

  • kind/feature
  • kind/improvement
  • kind/deprecation
  • kind/documentation
  • kind/clean-up
  • kind/bug
  • kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

  • kind/admin-change
  • kind/dev-change
  • kind/security
  • [kind/adr](set-me)

What does this PR do / why do we need this PR?

This PR adds a script to generate and modify an SBOM in CycloneDX format containing components of charts and their respective containers.
The release document has been updated to include a step for running sbom generate when doing a new release to keep it up to date.
There are also pre-commit hooks that will warn if the SBOM is not validated against the CycloneDX v1.6 schema, that will complain if there are fields that need to be updated manually, and also one that checks that chart versions and names in the SBOM are up to date with the current state of this repo.
This will thus also be triggered during chart upgrades not tied to doing a release, and the pre-commit hooks will provide information on what commands to run and which fields need to be addressed.

There are some changes to other files in this PR, done mainly to improve running the commands and to fix other issues encountered while working on this; all may no longer be needed as the SBOM script has changed how it works a few times.

Information to reviewers

Yes, it is done in bash.

Running sbom.bash generate takes about 5-6 min when I tested it.

Would like to add more tests but it is difficult to test things in parallel when the commands modify the same file in the repo.
I am open to suggestions on writing better tests for this if needed.

Checklist

  • Proper commit message prefix on all commits
  • Change checks:
    • The change is transparent
    • The change is disruptive
    • The change requires no migration steps
    • The change requires migration steps
    • The change updates CRDs
    • The change updates the config and the schema
  • Documentation checks:
  • Metrics checks:
    • The metrics are still exposed and present in Grafana after the change
    • The metrics names didn't change (Grafana dashboards and Prometheus alerts required no updates)
    • The metrics names did change (Grafana dashboards and Prometheus alerts required an update)
  • Logs checks:
    • The logs do not show any errors after the change
  • PodSecurityPolicy checks:
    • Any changed Pod is covered by Kubernetes Pod Security Standards
    • Any changed Pod is covered by Gatekeeper Pod Security Policies
    • The change does not cause any Pods to be blocked by Pod Security Standards or Policies
  • NetworkPolicy checks:
    • Any changed Pod is covered by Network Policies
    • The change does not cause any dropped packets in the NetworkPolicy Dashboard
  • Audit checks:
    • The change does not cause any unnecessary Kubernetes audit events
    • The change requires changes to Kubernetes audit policy
  • Falco checks:
    • The change does not cause any alerts to be generated by Falco
  • Bug checks:
    • The bug fix is covered by regression tests

@anders-elastisys anders-elastisys requested a review from aarnq May 26, 2025 06:27
@anders-elastisys anders-elastisys force-pushed the anders-elastisys/sbom-cyclonedx branch from f4bee25 to 52c2e36 May 26, 2025 06:59
@aarnq (Contributor) commented May 27, 2025

Let me know if you want this reviewed, then we should probably have a sync to go through it.

@anders-elastisys anders-elastisys force-pushed the anders-elastisys/sbom-cyclonedx branch 3 times, most recently from 611718c to 3722179 June 2, 2025 12:40
@anders-elastisys anders-elastisys force-pushed the anders-elastisys/sbom-cyclonedx branch from 217b0dc to ecb78f0 June 11, 2025 12:21
@anders-elastisys anders-elastisys marked this pull request as ready for review June 19, 2025 09:10
@anders-elastisys anders-elastisys requested review from a team as code owners June 19, 2025 09:10
@cristiklein (Contributor) left a comment

Overall looks good, thank you! This definitely implements the capability we need right now.

Your PR made me realize that we really need to start using Go more "actively". 😄 I asked the CTO Office how to proceed. We decided that I'll draft a PBI for converting the SBOM Bash script into Go. Hopefully, it will be prioritized so that someone can work on it during the summer.
