feat(ISV-5859): Add index image SBOM generator

A Mobster can now generate SBOMs for index images that represents its
multiarch structure. The script generates SBOMs in SPDX format using
provided index manifest generated using Buildah/Skopeo.

The generator uses spdx_tools library to assemble the document and
before storing it to file it validates its schema.

JIRA: ISV-5859

Signed-off-by: Ales Raszka <araszka@redhat.com>

Author: Allda

.yamllint

@@ -21,3 +21,4 @@ ignore:
   - ansible/vaults/
   - .venv
   - node_modules/
+  - .tekton/ # Directory managed by Konflux

docs/img/index-image.spdx.svg

@@ -0,0 +1,57 @@
+# SBOM for Image Index
+
+The Mobster tool is capable of generating SBOMs for OCI image indexes based
+on the guidelines from the
+[Red Hat Product Security](https://github.com/RedHatProductSecurity/security-data-guidelines).
+
+## Usage
+
+```bash
+# First get index manifest using buildah
+buildah manifest inspect registry.redhat.io/ubi10-beta/ubi@sha256:f817eb70b083c93b4d6b47e1daae292d662e3427f5e73c5e8f513695e5afc7cc > ./index-image-manifest.json
+
+# Then generate SBOM using Mobster
+mobster generate \
+    --output index.sbom.spdx.json \
+    oci-index \
+    --index-image-pullspec "registry.redhat.io/ubi10-beta/ubi:latest" \
+    --index-image-digest "sha256:f817eb70b083c93b4d6b47e1daae292d662e3427f5e73c5e8f513695e5afc7cc" \
+    --index-manifest-path ./index-image-manifest.json
+```
+
+
+**List of arguments:**
+
+- `--index-image-pullspec`
+  - Must be in the format `repository/image:tag`
+  - Example value `registry.redhat.io/ubi10-beta/ubi:latest`
+- `--index-image-digest`
+  - Must be in the format `algorithm:hexvalue`
+  - Example value `sha256:f817eb70b083c93b4d6b47e1daae292d662e3427f5e73c5e8f513695e5afc7cc`
+- `--index-manifest-path`
+  - Path to a file containing a json output of `buildah manifest inspect` command
+  - File contents MUST be a valid JSON
+  - See example in [index_manifest.json](../../tests/data/index_manifest.json)
+- `--output`
+  - Path where the SBOM should be written
+
+
+## Example
+
+To closely replicate the [example image index](https://github.com/RedHatProductSecurity/security-data-guidelines/blob/main/sbom/examples/container_image/build/ubi9-micro-container-9.4-6.1716471860.spdx.json),
+you can use the following command:
+
+
+# Structure of the generated SBOM
+
+The generated SBOM has following structure:
+```
+ - SPDXRef-DOCUMENT
+    - SPDXRef-image-index
+        - Image-amd64 (VARIANT_OF)
+        - Image-arm64 (VARIANT_OF)
+        - Image-ppc64le (VARIANT_OF)
+        - Image-s390x (VARIANT_OF)
+```
+
+![index-sbom](../img/index-image.spdx.svg)