
Introduce a single SBOM document #606

Merged
merged 16 commits into from Nov 5, 2021

Conversation

wagoodman (Contributor)

This PR replaces poweruser.JSONDocumentConfig with sbom.SBOM. Specifically this datastructure is being promoted as a first-class object to be used internally for tasking, presentation, and processing concerns. This is proposed in #555 (comment) but closely affects #554 and #556.

The main proposal of the PR is the following datastructure:

syft/syft/sbom/sbom.go, lines 10 to 23 at a26e9e4:

```go
type SBOM struct {
	Artifacts Artifacts
	Source    source.Metadata
}

type Artifacts struct {
	PackageCatalog      *pkg.Catalog
	FileMetadata        map[source.Location]source.FileMetadata
	FileDigests         map[source.Location][]file.Digest
	FileClassifications map[source.Location][]file.Classification
	FileContents        map[source.Location]string
	Secrets             map[source.Location][]file.SearchResult
	Distro              *distro.Distro
}
```

All other changes attempt to promote usage of this data structure over passing parts of an SBOM around, for example... replacing:

```go
func Encode(catalog *pkg.Catalog, metadata *source.Metadata, dist *distro.Distro, scope source.Scope, option format.Option) ([]byte, error) { ... }
```

with:

```go
func Encode(s sbom.SBOM, option format.Option) ([]byte, error) { ... }
```

Notes:

@wagoodman wagoodman requested a review from a team October 29, 2021 16:40
@wagoodman wagoodman self-assigned this Oct 29, 2021
@github-actions bot commented Oct 29, 2021

Benchmark Test Results

Benchmark results from the latest changes vs base branch
```
name                                                   old time/op    new time/op    delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2          1.37ms ± 3%    1.67ms ± 2%  +21.98%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2        3.29ms ± 6%    3.88ms ± 6%  +18.15%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2     821µs ± 2%     996µs ± 3%  +21.35%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                 893µs ± 4%    1077µs ± 2%  +20.60%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                  848µs ± 1%    1013µs ± 2%  +19.42%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                  11.8ms ± 3%    14.2ms ± 1%  +20.49%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                 1.22ms ± 7%    1.55ms ± 3%  +26.69%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2       654ns ± 4%     783ns ± 3%  +19.65%  (p=0.008 n=5+5)

name                                                   old alloc/op   new alloc/op   delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2           248kB ± 0%     247kB ± 0%   -0.38%  (p=0.008 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2        1.11MB ± 0%    1.11MB ± 0%   -0.33%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2     199kB ± 0%     197kB ± 0%   -0.68%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                 228kB ± 0%     228kB ± 0%   -0.39%  (p=0.016 n=5+4)
ImagePackageCatalogers/rpmdb-cataloger-2                  222kB ± 0%     221kB ± 0%   -0.48%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                  3.24MB ± 0%    3.24MB ± 0%   -0.13%  (p=0.032 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                 1.29MB ± 0%    1.29MB ± 0%   -0.08%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2        336B ± 0%      336B ± 0%     ~     (all equal)

name                                                   old allocs/op  new allocs/op  delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2           6.82k ± 0%     6.79k ± 0%     ~     (p=0.079 n=4+5)
ImagePackageCatalogers/python-package-cataloger-2         26.3k ± 0%     26.3k ± 0%   -0.27%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2     5.19k ± 0%     5.17k ± 0%   -0.46%  (p=0.008 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                 6.67k ± 0%     6.65k ± 0%   -0.36%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                  6.56k ± 0%     6.53k ± 0%   -0.37%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                   59.0k ± 0%     58.9k ± 0%   -0.20%  (p=0.008 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                  7.74k ± 0%     7.71k ± 0%   -0.30%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2        9.00 ± 0%      9.00 ± 0%     ~     (all equal)
```

@wagoodman wagoodman marked this pull request as ready for review November 2, 2021 14:23
@spiffcs spiffcs (Contributor) left a comment

First pass.

I like the new SBOM struct and how it just encapsulates current information. Is there a future where the underlying Artifacts struct is changed as we build into developing relationships between everything?

Also small comments on data loss across the new outputs of the golden snapshots. I wasn't sure if we wanted to start excluding the information, or if it got lost as a consequence of moving to the new encode architecture.

@wagoodman wagoodman force-pushed the single-sbom-document branch 2 times, most recently from bf6a2cd to 4757c25 Compare November 2, 2021 17:39
@wagoodman (Contributor, Author)

@spiffcs

Is there a future where the underlying Artifacts struct is changed as we build into developing relationships between everything?

Indeed! I have some of that drafted out in #607, specifically:

Relationships []artifact.Relationship

This is where the relationships object gets promoted to in the end (the sbom.SBOM struct).
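As an added illustration of the single-document shape described in the PR body (one `sbom.SBOM` value passed to `Encode` instead of a catalog, metadata, distro and scope passed separately) and of the `Relationships` slice the author says is promoted into that struct in #607, here is a self-contained Go program. It is example code written for this page, not syft's own code: `Package`, `Digest`, `Location`, `SourceMetadata`, `Relationship`, the `Option` constants, `Validate`, `Decode`, `SampleSBOM` and every value in the sample document are assumptions of the example and do not match syft's real types or identifiers. The point it makes is that once everything travels together, an encoder can validate the document as a whole (every relationship endpoint must exist in the catalog, the source must be named) before any output is produced, and scope is read from the source metadata rather than being a separate argument.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Simplified stand-ins for the syft types named in the PR (pkg.Catalog, source.Metadata,
// file.Digest, artifact.Relationship). All of these are assumptions of this example.
type Package struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Type    string `json:"type"`
}

type Digest struct {
	Algorithm string `json:"algorithm"`
	Value     string `json:"value"`
}

type Location string // stands in for source.Location

type SourceMetadata struct {
	Scheme string `json:"scheme"` // "image" or "directory"
	Target string `json:"target"`
	Scope  string `json:"scope"` // scope travels with the source, not as a separate Encode argument
}

// Relationship stands in for the artifact.Relationship slice mentioned for #607.
// Endpoints are package names here (hypothetical; not how syft identifies artifacts).
type Relationship struct {
	From string `json:"from"`
	To   string `json:"to"`
	Type string `json:"type"`
}

type Artifacts struct {
	Packages    []Package             `json:"packages"`
	FileDigests map[Location][]Digest `json:"fileDigests"`
}

// SBOM mirrors the proposed shape: one document carrying everything a consumer needs.
type SBOM struct {
	Artifacts     Artifacts      `json:"artifacts"`
	Relationships []Relationship `json:"relationships"`
	Source        SourceMetadata `json:"source"`
}

type Option string

const (
	JSONOption  Option = "json"
	TableOption Option = "table"
)

// Validate checks the document as a whole: every relationship endpoint must be a package
// in the catalog, and the source must be named. This cross-check is only possible because
// the catalog and the relationships arrive in the same value.
func Validate(s SBOM) error {
	known := map[string]bool{}
	for _, p := range s.Artifacts.Packages {
		known[p.Name] = true
	}
	for _, r := range s.Relationships {
		if !known[r.From] || !known[r.To] {
			return fmt.Errorf("relationship %s -> %s (%s) names a package not in the catalog", r.From, r.To, r.Type)
		}
	}
	if s.Source.Target == "" {
		return fmt.Errorf("source target is empty")
	}
	return nil
}

// Encode takes the whole document, matching the post-PR signature shape.
func Encode(s SBOM, option Option) ([]byte, error) {
	if err := Validate(s); err != nil {
		return nil, err
	}
	switch option {
	case JSONOption:
		return json.MarshalIndent(s, "", "  ")
	case TableOption:
		// Sort a copy so the table is deterministic without mutating the caller's document.
		pkgs := append([]Package(nil), s.Artifacts.Packages...)
		sort.Slice(pkgs, func(i, j int) bool { return pkgs[i].Name < pkgs[j].Name })
		var b strings.Builder
		fmt.Fprintf(&b, "source: %s:%s (scope=%s)\n", s.Source.Scheme, s.Source.Target, s.Source.Scope)
		for _, p := range pkgs {
			fmt.Fprintf(&b, "%s\t%s\t%s\n", p.Name, p.Version, p.Type)
		}
		return []byte(b.String()), nil
	}
	return nil, fmt.Errorf("unsupported format option %q", option)
}

// Decode reads a JSON document produced by Encode back into one SBOM value and validates it.
func Decode(data []byte) (SBOM, error) {
	var s SBOM
	if err := json.Unmarshal(data, &s); err != nil {
		return SBOM{}, err
	}
	return s, Validate(s)
}

// SampleSBOM builds a small constructed document; target, versions and digest are made up.
func SampleSBOM() SBOM {
	return SBOM{
		Source: SourceMetadata{Scheme: "image", Target: "example.test/app:1.0", Scope: "squashed"},
		Artifacts: Artifacts{
			Packages: []Package{
				{Name: "openssl", Version: "1.1.1l", Type: "apk"},
				{Name: "busybox", Version: "1.33.1", Type: "apk"},
			},
			FileDigests: map[Location][]Digest{
				"/bin/busybox": {{Algorithm: "sha256", Value: "0000000000000000000000000000000000000000000000000000000000000000"}},
			},
		},
		Relationships: []Relationship{{From: "busybox", To: "openssl", Type: "dependency-of"}},
	}
}

func main() {
	for _, opt := range []Option{TableOption, JSONOption} {
		out, err := Encode(SampleSBOM(), opt)
		if err != nil {
			fmt.Println("encode failed:", err)
			return
		}
		fmt.Println(string(out))
	}
}
```

Running `go run` on this file prints the table rendering followed by the JSON rendering of the constructed document; adding a relationship whose endpoint is not in the catalog makes `Encode` fail before writing anything, which is the kind of whole-document check the old multi-argument signature could not express.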

@spiffcs spiffcs force-pushed the single-sbom-document branch 5 times, most recently from dabefda to 19b9013 Compare November 3, 2021 18:14
@spiffcs spiffcs requested a review from a team November 4, 2021 16:47
@luhring luhring (Contributor) left a comment

Very nice work! 👏

I had just one question from curiosity

cmd/packages.go (review thread, resolved)

@wagoodman (Contributor, Author)

@spiffcs thanks a ton for solving what ended up being a caching issue I was having -- I was starting to go a little crazy there 🙌

@wagoodman wagoodman merged commit bb0f35b into main Nov 5, 2021
@wagoodman wagoodman deleted the single-sbom-document branch November 5, 2021 14:05
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
* [wip] single sbom doc

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix more tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix linting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update cli tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove scope in import path

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* swap SPDX tag-value formatter to single sbom document

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bust CLI cache

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update fixture to byte diff

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* byte for byte

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* bust the cache

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* who needs cache

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* add jar for testing

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* no more bit flips

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update apk with the delta for image and directory cases

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* restore cache workflow

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

Co-authored-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>