Spike: Add support for creating a cargo cyclonedx sbom
Problem to solve
License detection for package registries is done by creating an SBOM that enumerates all the components of a project. The identified packages/components are then matched against known package metadata to find their licenses. To support license scanning for Cargo, the monolith should be able to generate an SBOM that can then be matched to package metadata (added in Update package metadata ingestion to add sync f... (#456283 - closed)).
Proposal
Assess what would be necessary to create an SBOM for Cargo with a CI/CD component.
Tasks to Evaluate
- Create a CI/CD component which can export a CycloneDX SBOM as an artifact.
- Steps for making it work offline.
- Steps for making it work in FIPS mode.
- If the two points above are simple, what would user instructions look like to generate an SBOM without any component?
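A plain CI job of the kind the first task describes, given here as an added illustration; it is not the spike's deliverable and not an existing GitLab component. It assumes a Debian-based `rust` image with `apt` available and the `cargo-cyclonedx` tool from CycloneDX/cyclonedx-rust-cargo; the flag names (`--format`, `--locked`) and the output file names are assumptions to check against `cargo cyclonedx --help` for whatever version is pinned. The offline and FIPS variants are left to the spike's remaining tasks; the job only keeps the registry cache in a path that could later be vendored.

```yaml
# Added example (not the spike's deliverable and not an existing GitLab
# component): a plain CI job that builds a CycloneDX SBOM for a Cargo
# project and publishes it as a cyclonedx report artifact.
# Assumptions: a Debian-based rust image with apt, and the cargo-cyclonedx
# tool from CycloneDX/cyclonedx-rust-cargo; verify flag names against
# `cargo cyclonedx --help` for the version you pin.
cargo-cyclonedx-sbom:
  stage: test
  image: rust:1-bookworm
  variables:
    # Keep the crate registry inside the project dir so it can be cached
    # (and, for the offline case, vendored ahead of time).
    CARGO_HOME: $CI_PROJECT_DIR/.cargo
  cache:
    key: cargo-$CI_COMMIT_REF_SLUG
    paths:
      - .cargo/registry
  before_script:
    # Binaries from `cargo install` land in $CARGO_HOME/bin, which is not
    # on PATH once CARGO_HOME is moved.
    - export PATH="$CARGO_HOME/bin:$PATH"
    - apt-get update && apt-get install -y --no-install-recommends jq
    # Pin a --version here in practice so SBOM output stays reproducible.
    - cargo install cargo-cyclonedx --locked
  script:
    # --locked (assumed to mirror cargo's flag): fail if Cargo.lock would
    # change, so the SBOM reflects the committed lockfile, not a fresh resolution.
    - cargo cyclonedx --format json --locked
    # Output naming differs between cargo-cyclonedx versions
    # (bom.json vs <crate>.cdx.json), so locate the file rather than guess.
    - SBOM=$(find . -name '*.cdx.json' -o -name 'bom.json' | head -n 1)
    - test -n "$SBOM" || { echo "no SBOM produced"; exit 1; }
    - cp "$SBOM" gl-sbom-cargo.cdx.json
    # Sanity check: valid JSON, CycloneDX, and at least one component with
    # a pkg:cargo purl, which is what license matching keys on.
    - jq -e '.bomFormat == "CycloneDX" and ([.components[]? | select(.purl | startswith("pkg:cargo/"))] | length > 0)' gl-sbom-cargo.cdx.json
  artifacts:
    paths:
      - gl-sbom-cargo.cdx.json
    reports:
      cyclonedx: gl-sbom-cargo.cdx.json
```

The `jq` check is the part worth keeping in any component: an SBOM with zero `pkg:cargo/` purls will silently match nothing downstream, so the job should fail loudly rather than upload an empty report.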
Timebox
2d
Expected outcomes
- Examples of best practices for Cargo SBOM generation
- Decision on how to proceed with Cargo SBOM generation (MVC and long-term)
Edited by Igor Frenkel