
Implement SBOM actuator endpoint #39799

Closed

Conversation

@mhalbritter (Contributor) commented Feb 29, 2024

This adds an endpoint which exposes SBOMs.

/actuator/sbom returns a list of all available SBOMs:

{
    "ids": [
        "application"
    ]
}

/actuator/sbom/{id} returns the content of a specific SBOM:

HTTP/1.1 200 
Accept-Ranges: bytes
Content-Type: application/vnd.cyclonedx+json
Content-Length: 167432

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.5",
  "serialNumber" : "urn:uuid:c34c8afc-f4f2-45a9-84d7-394f31b549b6",
  "version" : 1,
  // ...

It configures the cyclonedx-maven-plugin and the cyclonedx-gradle-plugin, if included in the project, to create a CycloneDX SBOM. This SBOM is then returned on the sbom/application actuator endpoint. It also includes the SBOM in the uber JAR, and adds two manifest entries (Sbom-Format and Sbom-Location) to point to it, so that 3rd party tools can find the SBOM.

With configuration properties under management.endpoint.sbom, users can override the application SBOM location and override the detected media type (it autodetects CycloneDX JSON, Syft JSON and SPDX JSON). This way, if users want to expose an SBOM in a different format, it works. Those properties also allow users to expose further SBOMs, e.g. with this configuration:

management.endpoint.sbom.additional.buildpacks-lifecycle.location=optional:file:/layers/sbom/launch/buildpacksio_lifecycle/launcher/sbom.cdx.json
management.endpoint.sbom.additional.buildpacks-liberica-helper.location=optional:file:/layers/sbom/launch/paketo-buildpacks_bellsoft-liberica/helper/sbom.syft.json
management.endpoint.sbom.additional.buildpacks-liberica-jre.location=optional:file:/layers/sbom/launch/paketo-buildpacks_bellsoft-liberica/jre/sbom.syft.json
management.endpoint.sbom.additional.buildpacks-ca-certificates.location=optional:file:/layers/sbom/launch/paketo-buildpacks_ca-certificates/helper/sbom.syft.json
management.endpoint.sbom.additional.buildpacks-executable-jar.location=optional:file:/layers/sbom/launch/paketo-buildpacks_executable-jar/sbom.cdx.json
management.endpoint.sbom.additional.buildpacks-spring-boot-helper.location=optional:file:/layers/sbom/launch/paketo-buildpacks_spring-boot/helper/sbom.syft.json
management.endpoint.sbom.additional.buildpacks-spring-boot-spring-cloud-bindings.location=optional:file:/layers/sbom/launch/paketo-buildpacks_spring-boot/spring-cloud-bindings/sbom.syft.json

additional SBOMs are exported when using the Paketo buildpacks.

To activate the support, users have to add the Gradle plugin

plugins {
  id 'org.cyclonedx.bom' version '1.8.2'
}

or the Maven plugin

<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
</plugin>

to their build. We manage the version of the cyclonedx-maven-plugin.
Don't forget to expose the sbom endpoint with management.endpoints.web.exposure.include=sbom!
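The description above says the manifest entries exist "so that 3rd party tools can find the SBOM" and that the endpoint autodetects CycloneDX JSON, Syft JSON and SPDX JSON. The following is an added example of such a third-party check, written in Python; it is not part of this pull request and not Spring Boot's own code. It builds a constructed uber JAR in memory, reads `Sbom-Format` and `Sbom-Location` from `META-INF/MANIFEST.MF`, loads the referenced file, classifies it by its top-level JSON markers (`bomFormat`, `spdxVersion`, `artifacts` + `descriptor`) and checks that the declared and detected formats agree. The SBOM path `META-INF/sbom/application.cdx.json`, the manifest value `CycloneDX`, the SPDX and Syft media types and the component names are assumptions made for the example, not values taken from the PR.

```python
"""Consumer-side check for the SBOM a Spring Boot uber JAR advertises.

Added example, not Spring Boot's own code: finds the SBOM through the
Sbom-Format / Sbom-Location manifest entries, classifies it by the same
kind of top-level JSON markers the endpoint uses for autodetection, and
flags a manifest that disagrees with the file it points at.
"""
import io
import json
import zipfile
from typing import Optional, Tuple

# Media type per detected format. The CycloneDX value appears in the PR's
# sample response; the SPDX and Syft values are assumptions of this example.
MEDIA_TYPES = {
    "cyclonedx": "application/vnd.cyclonedx+json",
    "spdx": "application/spdx+json",
    "syft": "application/vnd.syft+json",
}

# Top-level key holding the component list in each format.
COMPONENT_KEYS = {"cyclonedx": "components", "spdx": "packages", "syft": "artifacts"}


def classify(data: bytes) -> Tuple[Optional[str], Optional[dict]]:
    """Return (format, parsed document); (None, None) if not a recognised JSON SBOM."""
    try:
        doc = json.loads(data)
    except ValueError:
        return None, None
    if not isinstance(doc, dict):
        return None, None
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx", doc
    if "spdxVersion" in doc:
        return "spdx", doc
    if "artifacts" in doc and "descriptor" in doc:
        return "syft", doc
    return None, None


def parse_manifest(text: str) -> dict:
    """Parse the main section of MANIFEST.MF; a leading space marks a wrapped
    continuation line that belongs to the previous value."""
    entries, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last is not None:
            entries[last] += line[1:]
        else:
            key, _, value = line.partition(":")
            last = key.strip()
            entries[last] = value.strip()
    return entries


def inspect_jar(jar_bytes: bytes) -> Optional[dict]:
    """Locate the advertised SBOM and report format, media type and consistency."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        location = manifest.get("Sbom-Location")
        if location is None:
            return None  # JAR does not advertise an SBOM
        data = jar.read(location)
    fmt, doc = classify(data)
    declared = manifest.get("Sbom-Format")
    return {
        "location": location,
        "declared": declared,
        "detected": fmt,
        "media_type": MEDIA_TYPES.get(fmt),
        "components": len(doc.get(COMPONENT_KEYS[fmt], [])) if fmt else 0,
        # Declared and detected must agree, otherwise the manifest is misleading.
        "consistent": fmt is not None and declared is not None and declared.lower() == fmt,
    }


def build_sample_jar() -> bytes:
    """Constructed stand-in for an uber JAR; path, manifest values and
    components are assumed for the example, not taken from the PR."""
    sbom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {"type": "library", "name": "example-lib-a", "version": "1.0.0"},
            {"type": "library", "name": "example-lib-b", "version": "2.1.0"},
        ],
    }
    location = "META-INF/sbom/application.cdx.json"  # assumed location
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Sbom-Format: CycloneDX\r\n"
        f"Sbom-Location: {location}\r\n\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr(location, json.dumps(sbom))
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(inspect_jar(build_sample_jar()), indent=2))
```

The same `classify` function can be run over the body returned by `/actuator/sbom/{id}` to confirm that the `Content-Type` header the endpoint sends matches what the document actually contains, which is the check to run when a user has overridden the detected media type through the `management.endpoint.sbom` properties.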

@mhalbritter mhalbritter added the type: enhancement A general enhancement label Feb 29, 2024
@mhalbritter mhalbritter added this to the 3.3.0-M3 milestone Feb 29, 2024
@mhalbritter mhalbritter added the status: blocked An issue that's blocked on an external project change label Feb 29, 2024
@mhalbritter (Contributor, Author) commented:

Blocked until the doc work by Phil is done.

@jonatan-ivanov mentioned this pull request Mar 12, 2024
@philwebb philwebb removed the status: blocked An issue that's blocked on an external project change label Mar 22, 2024
@philwebb philwebb closed this in 4047c00 Mar 22, 2024
@mhalbritter mhalbritter deleted the mh/sbom-endpoint branch March 22, 2024 07:23