chore: merge SBOM packages and remove old SBOM's

twoliter/embedded/rpm2img

@@ -256,6 +256,50 @@ printf "%s\n" "${INVENTORY_DATA}" >"${ROOT_MOUNT}/usr/share/bottlerocket/applica
 # can access the inventory without needed to dig into the generated image.
 printf "%s\n" "${INVENTORY_DATA}" >"${OUTPUT_DIR}/application-inventory.json"
 
+# Install SBOM subpackages for each installed RPM (only for EROFS images)
+if [[ "${EROFS_ROOT_PARTITION}" == "yes" ]]; then
+  SBOM_RPMS=()
+  while IFS= read -r rpm_name; do
+    sbom_rpm="${rpm_name}-sbom"
+    if rpm -q --root "${ROOT_MOUNT}" "${sbom_rpm}" >/dev/null 2>&1; then
+      SBOM_RPMS+=("${sbom_rpm}")
+    else
+      # Check if SBOM package file exists in local packages or external kits
+      sbom_file=$(find "${PACKAGE_DIR}" -maxdepth 1 -name "${sbom_rpm}*.rpm" -print -quit)
+      if [[ -z "${sbom_file}" && -n "${EXTERNAL_KITS_PATH}" ]]; then
+        sbom_file=$(find "${EXTERNAL_KITS_PATH}" -name "${sbom_rpm}*.rpm" -print -quit)
+      fi
+      if [[ -n "${sbom_file}" ]]; then
+        if rpm -iv --ignorearch --root "${ROOT_MOUNT}" "${sbom_file}" >/dev/null 2>&1; then
+          SBOM_RPMS+=("${sbom_rpm}")
+	      fi
+      fi
+    fi
+  done < <(rpm -qa --root "${ROOT_MOUNT}" --queryformat "%{NAME}\n")
+
+  # Merge SBOMs into a single json file
+  KIT_SBOMS_DIR="${ROOT_MOUNT}/usr/share/sboms"
+  if [ -d "${KIT_SBOMS_DIR}" ]; then
+    IMAGE_SBOM_DIR="${ROOT_MOUNT}/usr/share/bottlerocket"
+    mkdir -p "${IMAGE_SBOM_DIR}"
+    for format in "spdx" "cyclonedx"; do
+      image_sbom="${format}-sbom.json"
+      image_sbom_path="${IMAGE_SBOM_DIR}/${image_sbom}"
+      find "${KIT_SBOMS_DIR}" -name "*-${format}.json" -type f -exec sbomtool merge --output "${image_sbom_path}" {} \+
+
+      # Write the inventory to a file in the local build output directory
+      cp "${image_sbom_path}" "${OUTPUT_DIR}/${image_sbom}"
+    done
+    # Clean up old SBOM packages
+    rm -rf "${KIT_SBOMS_DIR}"
+  fi
+
+  # Uninstall SBOM subpackages
+  for sbom_rpm in "${SBOM_RPMS[@]}"; do
+    rpm -e --root "${ROOT_MOUNT}" "${sbom_rpm}" >/dev/null 2>&1 || true
+  done
+fi
+
 # Regenerate module dependencies, if possible.
 KMOD_DIR="${ROOT_MOUNT}/lib/modules"
 # First decompress the kernel modules, so they can be recompressed by EROFS.