Generate both SPDX and CycloneDX SBOMs by default

[imjasonh]

Today the default is --sbom=spdx, we should probably have an --sbom=all option and make that the default.

all kinda sounds like it includes the go-version.m SBOM, and I'm not sure that makes sense since I don't think anybody uses that today. It was mostly there for testing IIRC. Maybe we should just remove that option entirely?

[mattmoor]

I hit a similar problem in chainguard-dev/apko#149

[puerco]

What about making --sbom a string list defaulting to spdx,cyclonedx?

[mattmoor]

I think that's fine once we resolve the bigger issues with how we store things.

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.

[costica11]

@imjasonh This issue is closed as completed. But I can't find this feature in the main branch. What is the meaning of "completed" here?

[imjasonh]

Sorry, that was my fault, I meant to close it as "not planned".

[costica11]

@imjasonh Thank you for the reply. Does this mean that the project no longer wants to consider this proposal? Are there any particular reasons for it?

[imjasonh]

I think in general we discovered there wasn't much user demand for the feature, even among our own usage. I wouldn't rule it out completely in the future, but emitting both flavors would need to be motivated by a use case, even moreso to make it the default behavior.

If you have a use case we can discuss it. I think we'd start with an option to write both formats, and evaluate making it the default at a later time.