feat: add trivy-based sbom artifact generation support (#4088)

fixes issue #4067

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

examples/README.md

@@ -1296,6 +1296,8 @@ A minimal configuration only sets how often the DB is refreshed; zot applies def
 
 To set those options explicitly (for example to mirror standalone Trivy’s `--vuln-severity-source` behavior), use a `trivy` object under `cve`:
 
-- [config-cve-trivy.json](config-cve-trivy.json) — shows optional `dbRepository`, `javaDBRepository`, and `vulnSeveritySources`.
+- [config-cve-trivy.json](config-cve-trivy.json) — shows optional `dbRepository`, `javaDBRepository`, `vulnSeveritySources`, and `sbom`.
 
 `vulnSeveritySources` is a list of source names in priority order (for example `auto`, `nvd`, or vendor IDs such as `redhat`, `alpine`). If omitted, zot defaults it to `["auto"]`, consistent with the Trivy CLI. See [Trivy: severity selection](https://trivy.dev/docs/latest/scanner/vulnerability/#severity-selection).
+
+`sbom.enable` lets zot generate SBOMs while scanning and store them as OCI artifacts attached to the scanned image. `sbom.format` supports `spdx-json` (default) and `cyclonedx`.

examples/config-sbom-trivy.json

@@ -0,0 +1,34 @@
+{
+  "distSpecVersion": "1.1.1",
+  "storage": {
+    "rootDirectory": "/tmp/zot"
+  },
+  "http": {
+    "address": "127.0.0.1",
+    "port": "8080"
+  },
+  "log": {
+    "level": "debug",
+    "output": "/tmp/zot.log"
+  },
+  "extensions": {
+    "ui": {
+      "enable": true
+    },
+    "search": {
+      "enable": true,
+      "cve": {
+        "updateInterval": "24h",
+        "trivy": {
+          "dbRepository": "ghcr.io/aquasecurity/trivy-db",
+          "javaDBRepository": "ghcr.io/aquasecurity/trivy-java-db",
+          "vulnSeveritySources": ["auto"],
+          "sbom": {
+            "enable": true,
+            "format": "spdx-json"
+          }
+        }
+      }
+    }
+  }
+}