Remove legacy bom for platform/0.9

[natalieparellano]

This change proposes that legacy boms output by older buildpacks be ignored on the newest platform.

The lifecycle implementation could output a warning if any boms are ignored.

[natalieparellano]

cc @ekcasey @matthewmcnew

[natalieparellano]

Per discussion in 2/17 Working Group, instead of totally discarding legacy boms, we may want to save them to a file such as <layers>/sbom/launch/<buildpack-id>/sbom.toml and <layers>/sbom/build/<buildpack-id>/sbom.toml. Slack conversation around if/how this should be spec'd.

[natalieparellano]

From yesterday's core sync, @samj1912 to provide suggestions for the "compat" format given that we have requirements around media types.

[hone]

@natalieparellano sorry for not voting on this, but based on the recent discussions are we deciding to add the "compat" part to the spec? It looks like we did in the slack conversations as well. Are there supposed to be changes to this PR?

[hone]

@samj1912 will leave a media type suggestion to this PR.

[sambhav]

We should do the following - put the legacy bom in JSON format in (the same format we put it in the label) with the extension *.legacy.json

We can document that if users wish to upload it as an attestation or attachment the media type can be application/vnd.buildpacks.io.legacy.sbom+json and the attestation predicate type can be buildpacks.io/legacy/SBOM/v0

[natalieparellano]

We should do the following - put the legacy bom in JSON format in (the same format we put it in the label) with the extension *.legacy.json

We can document that if users wish to upload it as an attestation or attachment the media type can be application/vnd.buildpacks.io.legacy.sbom+json and the attestation predicate type can be buildpacks.io/legacy/SBOM/v0

Please see 9089048

[hone]

We should do the following - put the legacy bom in JSON format in (the same format we put it in the label) with the extension *.legacy.json
We can document that if users wish to upload it as an attestation or attachment the media type can be application/vnd.buildpacks.io.legacy.sbom+json and the attestation predicate type can be buildpacks.io/legacy/SBOM/v0

Please see 9089048

Do we need to document the media type as well in the buildpack API? https://github.com/buildpacks/spec/blob/main/buildpack.md#software-bill-of-materials

[sambhav]

@natalieparellano I see that the legacy boms were added underneath individual buildpacks. I was hoping we could just output the combined one at the top level and save lifecycle some effort. It already has the combination logic and puts it in a label. We could just output the same JSON blob in a file at the top level?