apps: Add a flag to disable SBOM generation

Signed-off-by: Andy Doan <[email protected]>

apps/build.sh

@@ -175,10 +175,14 @@ for x in $IMAGES ; do
 
 	echo "Build step $((completed+2)) of $total is complete"
 
-	status "Doing a syft SBOM scan"
-	sbom_dst=/archive/sboms/${ct_base}/${ARCH}.spdx.json
-	mkdir -p $(dirname $sbom_dst)
-	syft ${ct_base}:$TAG-$ARCH -o spdx-json > $sbom_dst
+	if [ -z "$DISABLE_SBOM" ] ; then
+		status "Doing a Syft SBOM scan"
+		sbom_dst=/archive/sboms/${ct_base}/${ARCH}.spdx.json
+		mkdir -p $(dirname $sbom_dst)
+		syft ${ct_base}:$TAG-$ARCH -o spdx-json > $sbom_dst
+	else
+		status "Skipping SBOM generation: DISABLE_SBOM enabled"
+	fi
 
 	if [ -n "$TEST_CMD" ] ; then
 		status Running test command inside container: $TEST_CMD
@@ -216,7 +220,9 @@ done
 # factory may not have built any containers, so ensure the directory exists
 [ -d $HOME/.docker/manifests ] && mv $HOME/.docker/manifests /archive/manifests || echo 'no manifests to archive'
 
-PYTHONPATH=${HERE}/.. python3 ${HERE}/generate_non_factory_sboms.py --arch=$ARCH
+if [ -z "$DISABLE_SBOM" ] ; then
+	PYTHONPATH=${HERE}/.. python3 ${HERE}/generate_non_factory_sboms.py --arch=$ARCH
+fi
 # 1. Parse the local docker store (the one where the built images are stored).
 # 2. Extract layers metadata (size, usage) of all Apps' images
 # 3. Store the gathered layers metadata as a CI artifact