Provide the SBOM for each build with attestation

[macintoshplus]

In the Cyber Resilience Act context, can you provide a SBOM with attestation?

In fact, each build need specific SBOM of spc and pre build PHP version.

[henderkes]

We'd first need to pin all dependencies used with the build to a specific version and then also allow using that version lock file to download dependencies again.

[crazywhalecc]

We'd first need to pin all dependencies used with the build to a specific version and then also allow using that version lock file to download dependencies again.

Currently we can lock the dependencies from .cache.json cached version, SPDX and source (or pre-built) archives. Locking the version after downloading is easier to implement than locking the version before downloading.

[crazywhalecc]

Given the current architecture, for PHP builds, we can ensure that the version of downloaded materials is locked, and generate and sign a manifest after the build, including the download source, the locked version, and the corresponding dependency license SPDX (introduced in v3).

For spc binaries, it may rely more on a combination of box, StaticPHP's own composer dependency chain, and the SBOM of its own micro.sfx.