
Add support for SPDX SBOM format #213

Closed
kestewart opened this issue Oct 12, 2020 · 6 comments · Fixed by #445
Labels
enhancement New feature or request

Comments

@kestewart

What would you like to be added: Please add support for SPDX

Why is this needed: There is an ecosystem of open source projects that have adopted this format, and it would be great to let this community be able to work with your tools as well.

Additional context:
Details on the format can be found at: https://spdx.github.io/spdx-spec/
Happy to work with anyone interested in doing the port, I just lack the "go" programming chops to submit a PR in myself.

@kestewart kestewart added the enhancement New feature or request label Oct 12, 2020
@anchore anchore deleted a comment from github-actions bot Oct 27, 2020
@wagoodman
Contributor

@kestewart we're definitely interested in getting SPDX support in syft. Lucky for us it seems there is a go package for expressing packages and other artifacts in memory as well as writing them to a document.

The tasks at hand are:

  1. Create a new "presenter" object that implements the Presenter interface. There are examples of various implementations here in subdirectories. This is where most of the work would be, but essentially it's about translating fields from the pkg.Package struct for each package in the catalog and adding it to a new spdx.Package2_2 struct, and adding these new structs to a spdx.Document2_2 struct.
  2. Add a new presenter option and corresponding case to the switch statement
  3. Add a unit test for scanning an image as well as another for scanning a directory (the other presenters have examples of how to load test data and invoke the presenters).
  4. Update the README.md to let folks know it exists :)

We haven't prioritized this work yet, but happy to work with you on a PR if you're itching to dive into some go-code! Feel free to reach out on the toolbox-dev slack channel for a more realtime chat about it as well.
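One way the translation in step 1 could look, as an added example that is not syft's code and uses no SPDX library: a hypothetical `Package` stands in for `pkg.Package`, the JSON field names are those of the SPDX 2.2 spec, and the namespace URL and tool name are placeholders. It also handles two things the validator will otherwise flag: SPDXIDs that contain characters outside the `SPDXRef-` charset (npm scopes, paths) and duplicate SPDXIDs when the same library appears twice.

```go
package main

import (
	"fmt"
	"regexp"
)

// Package stands in for the fields a presenter reads from syft's pkg.Package (assumed shape).
type Package struct{ Name, Version, Type, License string }
// SPDXPackage holds the SPDX 2.2 JSON package fields a valid document needs (spelled out here
// instead of via an SPDX library); filesAnalyzed=false avoids requiring a verification code.
type SPDXPackage struct {
	SPDXID           string `json:"SPDXID"`
	Name             string `json:"name"`
	VersionInfo      string `json:"versionInfo,omitempty"`
	DownloadLocation string `json:"downloadLocation"`
	FilesAnalyzed    bool   `json:"filesAnalyzed"`
	LicenseConcluded string `json:"licenseConcluded"`
	LicenseDeclared  string `json:"licenseDeclared"`
	CopyrightText    string `json:"copyrightText"`
}
// SPDXRef IDs may only contain letters, digits, '.' and '-'; anything else is replaced.
var badIDChars = regexp.MustCompile(`[^A-Za-z0-9.-]`)

// ToSPDX translates a catalog into an SPDX 2.2 document (as the JSON object tree): names such as
// "@scope/pkg" become valid IDs, duplicates get a numeric suffix, unknown fields are NOASSERTION.
func ToSPDX(source, created string, pkgs []Package) map[string]interface{} {
	packages, rels, seen := []SPDXPackage{}, []map[string]string{}, map[string]bool{}
	for _, p := range pkgs {
		base := "SPDXRef-Package-" + p.Type + "-" + badIDChars.ReplaceAllString(p.Name, "-")
		id := base
		for n := 1; seen[id]; n++ { // same library installed twice, e.g. at different paths
			id = fmt.Sprintf("%s-%d", base, n)
		}
		seen[id] = true
		lic := "NOASSERTION" // never guess a license the cataloger did not find
		if p.License != "" {
			lic = p.License
		}
		packages = append(packages, SPDXPackage{SPDXID: id, Name: p.Name, VersionInfo: p.Version,
			DownloadLocation: "NOASSERTION", LicenseConcluded: lic, LicenseDeclared: lic, CopyrightText: "NOASSERTION"})
		rels = append(rels, map[string]string{"spdxElementId": "SPDXRef-DOCUMENT",
			"relatedSpdxElement": id, "relationshipType": "DESCRIBES"})
	}
	return map[string]interface{}{
		"spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": source,
		"documentNamespace": "https://example.invalid/spdx/" + badIDChars.ReplaceAllString(source, "-"), // placeholder host
		"creationInfo":      map[string]interface{}{"created": created, "creators": []string{"Tool: example-presenter"}},
		"packages":          packages, "relationships": rels,
	}
}
```

Passing the result through `encoding/json` gives a document that can be checked with the SPDX validator mentioned later in this thread.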

@kestewart
Author

Just curious if there have been any updates here. Unfortunately, I don't have the right go-code chops to pull together a PR, but happy to collaborate with anyone interested in working on this, and to help on how to express this in SPDX.

@luhring
Contributor

luhring commented Mar 25, 2021

Hi @kestewart! No movement on this yet, but this is definitely something we want to add. We're hoping to get some time to look at this soon...

@wagoodman
Contributor

@luhring @kestewart I've started a branch with draft support for spdx at https://github.com/anchore/syft/compare/add-spdx-support

```
go run main.go my-image:latest -o spdx
```

There is still a lot of missing information and a lot of opportunity to add already cataloged metadata, but it's a start!

@kestewart
Author

@wagoodman - any questions you need answered to help move this forward? In case you don't know, there's https://tools.spdx.org/app/validate/ which will let you validate any doc you're generating.

@wagoodman wagoodman self-assigned this Jun 2, 2021
@wagoodman wagoodman added the blocked Progress is being stopped by something label Jun 10, 2021
@wagoodman wagoodman removed the blocked Progress is being stopped by something label Jun 23, 2021
@wagoodman
Contributor

@kestewart thanks for the heads up with the validate tool, definitely used that during development. After going through plugfest and getting feedback from other conversations, we're going to tackle adding SPDX support in a couple different ways. First by adding basic package support, then a follow-up to enhance the output by adding more optional fields (rich package-to-package relationships, files owned, etc.). This issue will represent the former with initial SPDX support for the Tag-Value and JSON formats, making another issue shortly to capture a follow-up.

Right now I'm adding tests and polish to the draft implementation that was used for plugfest and hope to get a PR opened soon 🎉 .
