docker-tools
1ES Pipeline Templates generates SBOMs for our SBOMs
We compute our container image SBOMs ourselves and upload them as a pipeline artifact. 1ES pipeline templates also generates an SBOM for every pipeline artifact that's published. Thus, 1ES pipeline templates ends up generating a (useless) SBOM for our real SBOMs. The result is that it's difficult to traverse the pipeline artifacts and grab a useful SBOM. We should find a way to stop uploading these meta-SBOMs.
Example:
- The `sboms` folder is what we upload.
- It contains SBOMs for each of the images in its own folder.
- 1ESPT injects the `_manifest` folder, which contains the SBOMs for our SBOMs.
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.
[Triage] The 1ES pipeline templates documentation specifies how to disable SBOM generation for specific artifacts: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/features/sbom
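For reference, here is what a per-artifact opt-out looks like in an extending pipeline. This is an added illustration, not a file from the docker-tools repository: the stage, job, paths and artifact name are placeholders, and it assumes the `sbomEnabled` option on a `pipelineArtifact` output in `templateContext`, which is the option described in the linked 1ES PT documentation as I understand it; confirm the exact option name against that page before relying on it. Only the `sboms` artifact is excluded, so SBOM generation stays enabled for every other artifact the pipeline publishes.

```yaml
# Added example (not project code). Assumes the 1ES PT `sbomEnabled` output option.
resources:
  repositories:
    - repository: 1ESPipelineTemplates
      type: git
      name: 1ESPipelineTemplates/1ESPipelineTemplates
      ref: refs/tags/release

extends:
  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
  parameters:
    stages:
      - stage: build                       # placeholder stage name
        jobs:
          - job: build_images              # placeholder job name
            steps:
              # Placeholder: the project's own step that computes the
              # container image SBOMs into $(Build.ArtifactStagingDirectory)/sboms
              - script: echo "generate image SBOMs here"
            templateContext:
              outputs:
                # The artifact that already IS an SBOM: opt it out of the
                # template's automatic SBOM so no `_manifest` meta-SBOM is injected.
                - output: pipelineArtifact
                  targetPath: $(Build.ArtifactStagingDirectory)/sboms
                  artifactName: sboms
                  sbomEnabled: false       # assumed option name; see linked docs
                # Any other artifact keeps the default (SBOM generated).
                - output: pipelineArtifact
                  targetPath: $(Build.ArtifactStagingDirectory)/logs
                  artifactName: build-logs
```

Scoping the opt-out to the one output that carries the real SBOMs matches the triage direction below: the other artifacts still get their template-generated SBOMs, and the `sboms` artifact no longer contains a nested `_manifest` folder when it is downloaded.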
I ran some tests with disabling SBOM on pipeline artifacts since we never emit shipping code as pipeline artifacts. This causes us to run into issues with generating SBOM manifests for our container images, due to https://github.com/dotnet/docker-tools/pull/1283. That will need to be reverted for this change to work.
Pipeline test runs: docker-tools, dotnet-docker
[Triage] We should first focus on disabling SBOM generation for other SBOMs, rather than disabling SBOM generation for all pipeline artifacts. We can revisit the necessity of other SBOMs at a later date.