[CI] Add CI stage to generate a Software Bill of Materials for CTA (!1022) · Merge requests · CTA / CTA · GitLab

Description

This MR adds a stage to the CI to generate an SBOM from the build artifacts. It works as follows:

Install all CTA RPMs in a clean installroot
Run Trivy on this clean installroot to obtain an SBOM
Augment the SBOM with CERN-specific information
Prune the SBOM to ensure we only have the direct project dependencies
Score the dependencies and upload them as artefacts to GitLab

Note that e.g. header-only libraries are not included in the SBOM (such as jwt-cpp)

Checklist

Documentation reflects the changes made.
Merge Request title is clear, concise, and suitable as a changelog entry. See our contributing docs

References

Closes #1250

Edited Sep 30, 2025 by Niels Alexander Buegel