ibcli: add new --extra-artifacts option with sbom support

This commit adds an option --extra-artifacts that can be
used to generate extra artifacts during the build or manifest
generation. Initially supported is `sbom` (but `manifest` is
planned too).

To use it run `--extra-artifacts=sbom` and it will generate
files like `centos-9-qcow2-x86_64.image-os.spdx.json` in
the output directory next to the generate runable artifact.

Closes: https://github.com/osbuild/image-builder-cli/issues/46

test/test_container.py

@@ -1,4 +1,6 @@
+import json
 import os
+import platform
 import subprocess
 
 import pytest
@@ -24,3 +26,29 @@ def test_container_builds_image(tmp_path, build_container, use_librepo):
     # XXX: ensure no other leftover dirs
     dents = os.listdir(output_dir)
     assert len(dents) == 1, f"too many dentries in output dir: {dents}"
+
+
+@pytest.mark.skipif(os.getuid() != 0, reason="needs root")
+def test_container_manifest_generates_sbom(tmp_path, build_container):
+    output_dir = tmp_path / "output"
+    output_dir.mkdir()
+    subprocess.check_call([
+        "podman", "run",
+        "--privileged",
+        "-v", f"{output_dir}:/output",
+        build_container,
+        "manifest",
+        "minimal-raw",
+        "--distro", "centos-9",
+        "--extra-artifacts=sbom",
+    ], stdout=subprocess.DEVNULL)
+    arch = platform.processor()
+    fn = f"centos-9-minimal-raw-{arch}/centos-9-minimal-raw-{arch}.image-os.spdx.json"
+    image_sbom_json_path = output_dir / fn
+    assert image_sbom_json_path.exists()
+    fn = f"centos-9-minimal-raw-{arch}/centos-9-minimal-raw-{arch}.buildroot-build.spdx.json"
+    buildroot_sbom_json_path = output_dir / fn
+    assert buildroot_sbom_json_path.exists()
+    sbom_json = json.loads(image_sbom_json_path.read_text())
+    # smoke test that we have glibc in the json doc
+    assert "glibc" in [s["name"] for s in sbom_json["Document"]["packages"]]