
Provide a list of packaged files (SBOM, CycloneDX) as an output #88

Open
@plaird

Description


In addition to the executable jar, the rule should produce a Bill of Materials that lists everything packaged in the jar.

The Maven plugin beat us to this. I like their solution, so look at what they are doing:
https://spring.io/blog/2024/05/24/sbom-support-in-spring-boot-3-3

Two outputs:

  • bundle the SBOM inside the springboot executable jar
  • make the SBOM a Bazel output (or a separate rule), such that input into other rules, such as:
    • internally we have a custom docker image packaging rule, which could put the SBOM into the docker image in a well known location
    • a custom validation rule that parses the SBOM looking for verboten stuff. "scan the SBOM and look for some-dev-only.jar and fail my build if it is found" or "scan the SBOM and look for anything GPL and fail my build"

springboot(
   ...
   sbom_generate = True, # default True as of 2.4.0
   sbom_format = "cyclonedx", # only supported value as of 2.4.0
)

Implementation:
I learned at BazelCon that rules_license has apparently gotten support from rules_jvm_external to populate the sbom provider. Look into rules_license as the primary means for generating the sbom. Balance the benefits of that against taking a hard dependency on another project.
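A worked example of the validation rule sketched in the issue's last bullet, added here as illustration and not part of the issue or of rules_spring: a Python script of the kind a Bazel validation action would invoke, which parses a CycloneDX JSON SBOM and reports denylisted component names and GPL-family licenses, descending into nested components and handling both `license.id`/`license.name` entries and SPDX `expression` strings. The sample SBOM, the denylist and the function names are constructed for this example.

```python
"""Scan a CycloneDX JSON SBOM for forbidden components and licenses.

Example code written for this page (not from the issue or rules_spring). It
models the "custom validation rule" the issue describes: walk the SBOM and
fail the build if a denylisted jar or a GPL-family license shows up.
"""
import json
import re
import sys
from typing import Iterable, Iterator

# Constructed sample SBOM, shaped like the CycloneDX JSON the Spring Boot
# build plugins emit. The coordinates and licenses here are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.springframework", "name": "spring-core",
         "version": "6.1.8",
         "purl": "pkg:maven/org.springframework/spring-core@6.1.8?type=jar",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "group": "com.example", "name": "some-dev-only",
         "version": "0.1.0",
         "purl": "pkg:maven/com.example/some-dev-only@0.1.0?type=jar",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "group": "org.example", "name": "copyleft-util",
         "version": "2.3.1",
         "purl": "pkg:maven/org.example/copyleft-util@2.3.1?type=jar",
         "licenses": [{"expression": "GPL-2.0-only OR LGPL-2.1-only"}],
         # CycloneDX lets a component carry subcomponents (e.g. a shaded jar).
         "components": [
             {"type": "library", "group": "org.example", "name": "copyleft-core",
              "version": "2.3.1",
              "licenses": [{"license": {"name": "GNU General Public License v3"}}]}
         ]},
    ],
})

# Hypothetical policy: one banned artifact name, plus any GPL/LGPL/AGPL
# identifier or a spelled-out "GNU General Public" license name.
DENIED_COMPONENT_NAMES = {"some-dev-only"}
DENIED_LICENSE_PATTERN = re.compile(r"\b[AL]?GPL\b|GNU General Public", re.IGNORECASE)


def _walk(components: Iterable[dict]) -> Iterator[dict]:
    """Yield every component, including nested subcomponents."""
    for comp in components or []:
        yield comp
        yield from _walk(comp.get("components", []))


def _license_strings(comp: dict) -> list[str]:
    """Collect SPDX ids, free-text names and SPDX expressions on a component."""
    out: list[str] = []
    for entry in comp.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        lic = entry.get("license", {})
        for key in ("id", "name"):
            if key in lic:
                out.append(lic[key])
    return out


def scan_sbom(sbom_json: str,
              denied_names: set[str] = DENIED_COMPONENT_NAMES,
              denied_license: re.Pattern = DENIED_LICENSE_PATTERN) -> list[str]:
    """Return one violation string per forbidden component or license.

    An empty list means the SBOM passed; a non-empty list is what the build
    action turns into a non-zero exit status.
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    violations: list[str] = []
    for comp in _walk(sbom.get("components", [])):
        # Prefer the purl as the label; fall back to Maven-style coordinates.
        label = comp.get("purl") or "{}:{}:{}".format(
            comp.get("group", ""), comp.get("name", ""), comp.get("version", ""))
        if comp.get("name") in denied_names:
            violations.append(f"forbidden component: {label}")
        for lic in _license_strings(comp):
            if denied_license.search(lic):
                violations.append(f"forbidden license {lic!r} on {label}")
    return violations


if __name__ == "__main__":
    # Usage: python scan_sbom.py [path/to/bom.json]; no argument scans the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    found = scan_sbom(data)
    for v in found:
        print(v)
    sys.exit(1 if found else 0)
```

On the sample SBOM the script reports three violations (the denylisted jar, the GPL expression on copyleft-util, and the GPL license name on the nested copyleft-core) and exits 1. The SPDX `expression` case matters in practice: a dual-licensed "GPL-2.0-only OR MIT" component is flagged here too, which is the conservative choice for a build gate; a policy that wants to accept such components needs an expression evaluator rather than a substring match.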
