[RFC #0095] Restorer should restore bom files from app and cache

[buildpack-bot]

This issue have been automatically created from pull request buildpacks/rfcs#166.

The lifecycle should restore bom layers for detected buildpacks.

For launch=true,cache=true layers, the bom layer can come from the cache. The SHA for the bom layer for each buildpack should be available in the restored layer metadata (e.g., /layers/buildpack.id/some-layer.toml).

For launch=true,cache=false layers, the bom layer must come from the previous image. The SHA for the bom layer for each buildpack should be available in the restored layer metadata (e.g., /layers/buildpack.id/some-layer.toml).

After the layers are restored, the build container would have the following file tree for example:

/layers
  /config
    /sbom
      /launch
        /buildpack.id
          bom.cdx.json
          /cache-true-launch-true
            bom.cdx.json
      /cache
        /buildpack.id
          /cache-true-launch-true
            bom.cdx.json
          /cache-true-launch-false
            bom.cdx.json

Note that the buildpack-level /layers/config/sbom/launch/buildpack.id/bom.cdx.json should be deleted after the layer is unpacked since it is not tied to a layer and should be re-created by the buildpack.

The other bom.cdx.json files should be copied such that the following file tree is created:

/layers
  /buildpack.id
    cache-true-launch-false.bom.cdx.json
    cache-true-launch-true.bom.cdx.json

This is essentially the reverse of #738.

Note that cdx could be replaced with spdx.

[natalieparellano]

Closed in #749