feat: add trivy-based sbom artifact generation support

Agent-Logs-Url: https://github.com/project-zot/zot/sessions/eb3437af-edc8-4846-a9d9-f92bfe579c1e

Co-authored-by: rchincha <45800463+rchincha@users.noreply.github.com>

examples/README.md

@@ -1296,6 +1296,8 @@ A minimal configuration only sets how often the DB is refreshed; zot applies def
 
 To set those options explicitly (for example to mirror standalone Trivy’s `--vuln-severity-source` behavior), use a `trivy` object under `cve`:
 
-- [config-cve-trivy.json](config-cve-trivy.json) — shows optional `dbRepository`, `javaDBRepository`, and `vulnSeveritySources`.
+- [config-cve-trivy.json](config-cve-trivy.json) — shows optional `dbRepository`, `javaDBRepository`, `vulnSeveritySources`, and `sbom`.
 
 `vulnSeveritySources` is a list of source names in priority order (for example `auto`, `nvd`, or vendor IDs such as `redhat`, `alpine`). If omitted, zot defaults it to `["auto"]`, consistent with the Trivy CLI. See [Trivy: severity selection](https://trivy.dev/docs/latest/scanner/vulnerability/#severity-selection).
+
+`sbom.enable` lets zot generate SBOMs while scanning and store them as OCI artifacts attached to the scanned image. `sbom.format` supports `spdx-json` (default) and `cyclonedx`.

examples/config-cve-trivy.json

@@ -18,7 +18,11 @@
         "trivy": {
           "dbRepository": "ghcr.io/aquasecurity/trivy-db",
           "javaDBRepository": "ghcr.io/aquasecurity/trivy-java-db",
-          "vulnSeveritySources": ["auto"]
+          "vulnSeveritySources": ["auto"],
+          "sbom": {
+            "enable": true,
+            "format": "spdx-json"
+          }
         }
       }
     }