
Some way to pass configuration to SBOM generator #3791

Closed
blowfishpro opened this issue Apr 12, 2023 · 3 comments

Comments

@blowfishpro

As one example, syft supports running multiple catalogers in parallel, which can substantially speed up generating the SBOM on a system with more than one CPU core. buildkit-syft-scanner hardcodes the default config, which forces parallelism to 1. I suppose it could look for the processor count, but that's not always reliable or desirable. And since the generator runs in a container, it's not possible to pass environment variables, CLI flags, etc. without creating a new image.

While the syft scanner is the main one at the moment, it's hard to say if different scanners might need different options and what they might be. And passing arbitrary container configuration via attest:sbom could get horribly complex very fast. So this is kind of open-ended, I don't really know what the configuration interface should be.

@tonistiigi
Member

@jedevc

@blowfishpro
Author

So I thought about it a bit, and maybe environment variables could be supported without adding too much complication. These attributes could look something like:

env.<ENV_VAR_NAME>=<ENV_VAR_VALUE>

Or as a full command line argument:

--opt attest:sbom=generator=example/image,env.EXAMPLE_ONE=value1,env.EXAMPLE_TWO=value2

Drawbacks

  • The allowed character set of environment variable names and values is rather limited (e.g. a comma would break parsing).
    • Generally speaking, environment variable names considered portable are limited to letters, digits, and underscores anyway; it might be more problematic for values, though.
    • Since the attribute parsing uses CSV under the hood, you could quote to get around this, but when combined with shell quote processing that gets really messy really fast.
      • Example: --opt 'attest:sbom=generator=example/image,"env.SOME_LIST=one,two,three"'
  • We're effectively defining a nested structure for this simple key/value attribute set.
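To make the parsing drawbacks concrete, here is an added example (not BuildKit's own code, and not part of the comment above) that parses an attest:sbom attribute string the way the comment describes: CSV field splitting, then a key=value split, with env.NAME keys collected separately. The SBOMAttrs type, ParseSBOMAttrs and validEnvName are hypothetical names chosen for this illustration; the name check follows the portable letters/digits/underscore rule mentioned above. It shows that a whole quoted field can carry commas, but a quote placed only around the value (env.X="a,b") is rejected as a bare quote, and that a name starting with a digit is refused.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// SBOMAttrs is the parsed form of one attest:sbom attribute string.
// Generator holds the "generator=..." value, Env holds every "env.NAME=value"
// pair with the "env." prefix stripped, and Other keeps any remaining keys.
type SBOMAttrs struct {
	Generator string
	Env       map[string]string
	Other     map[string]string
}

// ParseSBOMAttrs splits a comma-separated key=value list using CSV rules, so a
// value containing commas must be carried inside a fully double-quoted field,
// e.g. `generator=example/image,"env.SOME_LIST=one,two,three"`.
func ParseSBOMAttrs(s string) (*SBOMAttrs, error) {
	r := csv.NewReader(strings.NewReader(s))
	r.FieldsPerRecord = -1 // accept any number of fields in the single record
	r.LazyQuotes = false   // a stray quote inside an unquoted field is an error
	fields, err := r.Read()
	if err != nil {
		return nil, fmt.Errorf("parsing attest:sbom attributes: %w", err)
	}

	out := &SBOMAttrs{Env: map[string]string{}, Other: map[string]string{}}
	for _, f := range fields {
		key, val, ok := strings.Cut(f, "=")
		if !ok {
			return nil, fmt.Errorf("attribute %q is not key=value", f)
		}
		switch {
		case key == "generator":
			out.Generator = val
		case strings.HasPrefix(key, "env."):
			name := strings.TrimPrefix(key, "env.")
			if !validEnvName(name) {
				return nil, fmt.Errorf("invalid environment variable name %q", name)
			}
			out.Env[name] = val
		default:
			out.Other[key] = val
		}
	}
	return out, nil
}

// validEnvName enforces the portable rule: letters, digits and underscores,
// not starting with a digit, and not empty.
func validEnvName(name string) bool {
	if name == "" {
		return false
	}
	for i, c := range name {
		isAlpha := (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || c == '_'
		isDigit := c >= '0' && c <= '9'
		if !isAlpha && !(isDigit && i > 0) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed inputs: the value from the comment above, plus two that fail.
	inputs := []string{
		`generator=example/image,env.EXAMPLE_ONE=value1,"env.SOME_LIST=one,two,three"`,
		`generator=example/image,env.X="a,b"`, // quote only around the value: bare quote
		`generator=example/image,env.1BAD=y`,  // name starts with a digit
	}
	for _, in := range inputs {
		attrs, err := ParseSBOMAttrs(in)
		if err != nil {
			fmt.Printf("%s\n  error: %v\n", in, err)
			continue
		}
		fmt.Printf("%s\n  generator=%s env=%v other=%v\n", in, attrs.Generator, attrs.Env, attrs.Other)
	}
}
```

The shell single quotes in the comment's example exist only to get the double quotes past the shell unchanged; the CSV reader then needs the double quotes to wrap the entire env.SOME_LIST=... field, which is why quoting just the value fails.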

@jedevc
Member

jedevc commented Oct 4, 2024

Fixed by #5372 (thanks @LaurentGoderre 🎉)
