Describe the Enhancement
This buildpack should opt-in to allowing users to disable SBOM generation. In doing so, it should conform to RFC044.
Possible Solution
When BP_DISABLE_SBOM is set to true, buildpacks that allow SBOM to be omitted from their output should refrain from generating or attaching an SBOM in their outputs. This would apply to both new (Syft, CycloneDX, and SPDX formats) and old (label) SBOM outputs.
Additionally, when this variable is set to true a buildpack should set an image label of io.paketo.sbom.disabled to true. This label interface would allow downstream consumers of the image to understand that SBOM generation had been explicitly disabled.
Motivation
SBOM generation can take substantial time. There may also be other reasons for wanting this functionality to be disabled.
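The opt-out and label contract described in the issue, worked through as an added Go example (not code from paketo-buildpacks/java, libpak or the RFC). Only the variable name BP_DISABLE_SBOM and the label io.paketo.sbom.disabled come from the issue; the function names, the fail-closed handling of malformed values and the downstream ImagePolicy check are assumptions made here to show how a buildpack and an image consumer could each use the contract:

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Names taken from the issue text; everything else in this file is an
// illustrative assumption, not code from paketo-buildpacks/java or libpak.
const (
	DisableEnvVar = "BP_DISABLE_SBOM"
	DisabledLabel = "io.paketo.sbom.disabled"
)

// SBOMDisabled reports whether the user explicitly opted out of SBOM
// generation. Only a value that parses as boolean true counts; an unset,
// empty or malformed value keeps the default (SBOM generated) and a
// malformed value is reported, so a typo never silently drops the SBOM.
func SBOMDisabled(lookup func(string) (string, bool)) (bool, error) {
	raw, ok := lookup(DisableEnvVar)
	if !ok || strings.TrimSpace(raw) == "" {
		return false, nil
	}
	v, err := strconv.ParseBool(strings.TrimSpace(raw))
	if err != nil {
		return false, fmt.Errorf("%s=%q is not a boolean: %w", DisableEnvVar, raw, err)
	}
	return v, nil
}

// BuildLabels returns the image labels a participating buildpack should add.
// When SBOM generation is disabled it sets io.paketo.sbom.disabled=true so
// downstream consumers can tell "opted out" from "SBOM missing by accident".
func BuildLabels(disabled bool) map[string]string {
	labels := map[string]string{}
	if disabled {
		labels[DisabledLabel] = "true"
	}
	return labels
}

// ImagePolicy is a downstream check (assumed here, not part of the RFC):
// given the labels read from an image and whether an SBOM attachment was
// found, classify the image as "sbom-present", "sbom-disabled" or
// "sbom-missing". The last case is the one an admission policy would flag.
func ImagePolicy(labels map[string]string, sbomPresent bool) string {
	if sbomPresent {
		return "sbom-present"
	}
	if v, err := strconv.ParseBool(labels[DisabledLabel]); err == nil && v {
		return "sbom-disabled"
	}
	return "sbom-missing"
}

func main() {
	disabled, err := SBOMDisabled(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to disable SBOM:", err)
	}
	labels := BuildLabels(disabled)
	fmt.Printf("generate SBOM: %v, labels: %v\n", !disabled, labels)
	fmt.Println(ImagePolicy(labels, !disabled))
}
```

Run it with BP_DISABLE_SBOM unset, set to true, and set to a non-boolean such as yes to see the three cases; the point of the strict parse is that the only way to lose the SBOM is an unambiguous opt-in, and the label lets a registry-side check distinguish that opt-in from a build that simply failed to attach one.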
SBOM generation can take substantial time. There may also be other reasons for wanting this functionality to be disabled.
Do you have an example of it actually taking a long time? My experience has been that syft can scan a Java app in a negligible/non-noticeable amount of time. If you have an example application or something that can show this, it'll help with prioritization.
I'm also going to move this to paketo-buildpacks/java, as this would have to be implemented in a few different places.
Thanks
dmikusa transferred this issue from paketo-buildpacks/bellsoft-liberica on Jun 15, 2023