
Add SBOM and related checks to project #140

Merged: 15 commits, Nov 7, 2024

Conversation


@d33bs d33bs commented Nov 4, 2024

Description

This PR adds a software bill of materials (SBOM) to the project using the SPDX convention. It also adds a pre-commit based check to ensure the packages section of the SBOM is up to date with any changes which have occurred in the source which could be reflected as a difference in the SBOM (meaning the SBOM will stay up to date so long as checks are passing).

SBOMs are increasingly becoming commonplace to include within software projects, and their use is also listed in the RSMM framework (https://arxiv.org/pdf/2406.01788) under focus area 4 software adoptability, section 4.6 deployability as "the project has an SBOM".

This change is a first step towards following the convention and then checking for this convention in other work through the Almanack.

Closes #139

What is the nature of your change?

  • Content additions or updates (adds or updates content)
  • Bug fix (fixes an issue).
  • Enhancement (adds functionality).
  • Breaking change (these changes would cause existing functionality to not work as expected).

Checklist

Please ensure that all boxes are checked before indicating that this pull request is ready for review.

  • I have read the CONTRIBUTING.md guidelines.
  • My code follows the style guidelines of this project.
  • I have performed a self-review of my own contributions.
  • I have commented my content, particularly in hard-to-understand areas.
  • I have made corresponding changes to related documentation (outside of book content).
  • My changes generate no new warnings.
  • New and existing tests pass locally with my changes.
  • I have added tests that prove my additions are effective or that my feature works.
  • I have deleted all non-relevant text in this pull request template.

@d33bs d33bs marked this pull request as ready for review November 4, 2024 15:07
Member

@gwaybio gwaybio left a comment


Is there a place to describe what these checks actually are? (Sorry if I missed this.)

Member Author

d33bs commented Nov 5, 2024

Thanks @gwaybio - I added some comments to help better describe the check for the SBOM. All changes here pertain to the Almanack repo itself; we're adding an sbom.json file and a pre-commit check which makes sure this file is up to date. The pre-commit check uses a poethepoet shell script to ensure the diff is inconsequential (the date and checksum will differ slightly from file to file based on how they're generated, but we don't need to update if the dependencies haven't changed). We use syft to help generate the SPDX-style SBOM. We use a newly added dev dependency, sbomdiff, to help with this diffing and to avoid more complicated solutions.

Eventually my hope would be to check for these files in other repos and make this a metric for the Almanack. The changes here were complex enough that I felt they should be standalone before an external-facing metric would be developed.
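As an added illustration of the "inconsequential diff" idea described in the comment above (example code written for this page, not the Almanack's own poethepoet script and not sbomdiff), the following compares the package set of two SPDX JSON documents while ignoring the creation timestamp and per-run checksums, so that a regenerated SBOM only fails the check when a dependency actually changed. The SPDX documents are constructed sample data.

```python
import copy
from typing import Dict, List, Tuple

PackageKey = Tuple[str, str]  # (name, versionInfo)

# Constructed SPDX-JSON fragment standing in for a committed sbom.json
# (hypothetical sample data, not the Almanack's real SBOM).
COMMITTED = {
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {"created": "2024-11-04T15:00:00Z"},
    "packages": [
        {"name": "requests", "versionInfo": "2.32.3",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "aaaa"}]},
        {"name": "pyyaml", "versionInfo": "6.0.2",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "bbbb"}]},
    ],
}

# A fresh generator run over the same tree: only the volatile fields differ.
REGENERATED_SAME = copy.deepcopy(COMMITTED)
REGENERATED_SAME["creationInfo"]["created"] = "2024-11-07T15:57:00Z"
for _pkg in REGENERATED_SAME["packages"]:
    _pkg["checksums"][0]["checksumValue"] = "ffff"

# A run after a dependency bump: requests 2.32.3 -> 2.32.4.
REGENERATED_BUMPED = copy.deepcopy(REGENERATED_SAME)
REGENERATED_BUMPED["packages"][0]["versionInfo"] = "2.32.4"


def package_index(sbom: dict) -> Dict[PackageKey, dict]:
    """Key packages by (name, version) only; the creation date and per-run
    checksums are left out so regenerating without changes yields no diff."""
    return {(p["name"], p.get("versionInfo", "")): p for p in sbom.get("packages", [])}


def sbom_package_diff(old: dict, new: dict) -> Tuple[List[PackageKey], List[PackageKey]]:
    """Return (added, removed) package keys between two SBOM documents."""
    old_keys, new_keys = set(package_index(old)), set(package_index(new))
    return sorted(new_keys - old_keys), sorted(old_keys - new_keys)


def sbom_needs_update(old: dict, new: dict) -> bool:
    """True when the committed SBOM no longer matches the dependency set;
    a pre-commit hook would exit non-zero in that case to block the commit."""
    added, removed = sbom_package_diff(old, new)
    return bool(added or removed)
```

In a hook, `old` would be the committed sbom.json and `new` the freshly generated document; a later dependency bump surfaces as one removed and one added key for the same package name.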

@d33bs d33bs requested a review from gwaybio November 5, 2024 15:13
Contributor

@falquaddoomi falquaddoomi left a comment


Neat; I wasn't aware that there were formal formats for SBOMs, so thanks for the opportunity to learn. I left a minor comment, but otherwise this all looks reasonable to me.

(Review comment on pyproject.toml, resolved.)

Member Author

d33bs commented Nov 7, 2024

Thanks @falquaddoomi and @gwaybio for the reviews! Merging this in.

@d33bs d33bs merged commit a71cbd9 into software-gardening:main Nov 7, 2024
11 checks passed
@d33bs d33bs deleted the add-sbom branch November 7, 2024 15:57
Successfully merging this pull request may close these issues.

Add software bill of materials (SBOM) to the project
3 participants