
Add github_repository_sbom table #353

Merged: 2 commits, Nov 17, 2023

Conversation

lwakefield
Contributor

@lwakefield lwakefield commented Oct 21, 2023

Example query results

> select
  repository_full_name,
  p->>'name' as package_name,
  p->>'versionInfo' as package_version,
  p->>'licenseConcluded' as package_license
from
  github_repository_sbom,
  jsonb_array_elements(packages) p
where
  repository_full_name = 'turbot/steampipe'
limit 10;
+----------------------+-------------------------------------------+-----------------+-----------------+
| repository_full_name | package_name                              | package_version | package_license |
+----------------------+-------------------------------------------+-----------------+-----------------+
| turbot/steampipe     | com.github.turbot/steampipe               |                 | <null>          |
| turbot/steampipe     | npm:@actions/core                         | 1.2.6           | MIT             |
| turbot/steampipe     | npm:@actions/github                       | 4.0.0           | MIT             |
| turbot/steampipe     | npm:@actions/http-client                  | 1.0.9           | MIT             |
| turbot/steampipe     | npm:@octokit/auth-token                   | 2.4.3           | MIT             |
| turbot/steampipe     | npm:@octokit/core                         | 3.2.1           | MIT             |
| turbot/steampipe     | npm:@octokit/endpoint                     | 6.0.9           | MIT             |
| turbot/steampipe     | npm:@octokit/graphql                      | 4.5.7           | MIT             |
| turbot/steampipe     | npm:@octokit/plugin-paginate-rest         | 2.6.0           | MIT             |
| turbot/steampipe     | npm:@octokit/plugin-rest-endpoint-methods | 4.2.1           | MIT             |

First-time contributor! I'm looking for / expecting feedback on:

  1. Is this the right way to model the data since it is focusing on the packages and not top level SBOM metadata? I can see a possibility where it might be preferred to move this to a github_repository_sbom_packages table instead, but unsure if that is the right move or not. - Pivoted based on feedback!
  2. Pending 2 - there are some fields missing, I wanted to get feedback before adding them! - Addressed!

@cbruno10
Contributor

Hey @lwakefield , thanks for opening this PR!

I had a look at the SBOM API, and I think including top-level SBOM data and having the packages in their own column is OK. So there will be additional columns like spdx_id, spdx_version, creation_info, name, data_license, etc., along with `packages`, which is a JSONB column.

To make querying easier in examples, you can include an example like:

select
  s.name as spdx_name,
  p ->> 'name' as package_name,
  p ->> 'versionInfo' as package_version,
  p ->> 'licenseConcluded' as package_license
from
  github_repository_sbom as s,
  jsonb_array_elements(s.packages) as p
where
  s.repository_full_name = 'turbot/steampipe';

Also, I did have a quick look at if this was possible in GitHub's GraphQL API, and it seems like right now it's only in preview mode, which means it's also subject to API changes, so I think implementing this with the v3 REST API right now makes sense, and we can look at migrating to the GraphQL API when it's more widely available.
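
The row shape described above (top-level SPDX columns plus a `packages` list), as an added Go example that is not part of this PR or of the steampipe-plugin-github code base: it decodes a constructed response shaped like GitHub's REST SBOM endpoint (an SPDX document under the `sbom` key), builds the one-row-per-repository record, and runs two checks a consumer of the table would want: listing packages that carry no `versionInfo` (the repository's root package in the query output above) and filtering on `licenseConcluded`, which is the Go equivalent of the `jsonb_array_elements(packages)` query. The type and function names and the sample document are assumptions for illustration, not the plugin's own code.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Shape of GitHub's REST SBOM response (GET /repos/{owner}/{repo}/dependency-graph/sbom):
// an SPDX document under the "sbom" key. Only the fields discussed in the PR are
// modelled; any other keys in the document are ignored by encoding/json.
type sbomResponse struct {
	SBOM spdxDocument `json:"sbom"`
}

type spdxDocument struct {
	SPDXID       string        `json:"SPDXID"`
	SPDXVersion  string        `json:"spdxVersion"`
	Name         string        `json:"name"`
	DataLicense  string        `json:"dataLicense"`
	CreationInfo creationInfo  `json:"creationInfo"`
	Packages     []spdxPackage `json:"packages"`
}

type creationInfo struct {
	Created  string   `json:"created"`
	Creators []string `json:"creators"`
}

// spdxPackage holds the per-package fields the PR's example queries read.
// A package with no licenseConcluded key decodes to "" here, which is what the
// <null> package_license in the SQL output corresponds to.
type spdxPackage struct {
	SPDXID           string `json:"SPDXID"`
	Name             string `json:"name"`
	VersionInfo      string `json:"versionInfo"`
	LicenseConcluded string `json:"licenseConcluded"`
}

// sbomRow is the one-row-per-repository shape the PR settled on: top-level SPDX
// metadata as scalar columns, packages as one nested list (the JSONB column).
type sbomRow struct {
	RepositoryFullName string
	SPDXID             string
	SPDXVersion        string
	Name               string
	DataLicense        string
	Created            string
	Packages           []spdxPackage
}

// parseSBOM decodes one API response body into a row for the given repository.
func parseSBOM(repositoryFullName string, body []byte) (sbomRow, error) {
	var resp sbomResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return sbomRow{}, fmt.Errorf("decoding SBOM for %s: %w", repositoryFullName, err)
	}
	d := resp.SBOM
	return sbomRow{
		RepositoryFullName: repositoryFullName,
		SPDXID:             d.SPDXID,
		SPDXVersion:        d.SPDXVersion,
		Name:               d.Name,
		DataLicense:        d.DataLicense,
		Created:            d.CreationInfo.Created,
		Packages:           d.Packages,
	}, nil
}

// unpinnedPackages lists packages with no versionInfo. Such entries (the
// repository's own root package is the usual one) cannot be matched against
// advisory data by version, so a consumer should report them separately.
func unpinnedPackages(row sbomRow) []string {
	var names []string
	for _, p := range row.Packages {
		if p.VersionInfo == "" {
			names = append(names, p.Name)
		}
	}
	return names
}

// packagesWithLicense filters the unnested package list on licenseConcluded,
// the same thing as a WHERE on p ->> 'licenseConcluded' in the SQL example.
func packagesWithLicense(row sbomRow, license string) []spdxPackage {
	var out []spdxPackage
	for _, p := range row.Packages {
		if p.LicenseConcluded == license {
			out = append(out, p)
		}
	}
	return out
}

// Constructed sample response, shaped like the endpoint's output and trimmed to
// three of the packages shown in the PR's query output; not captured from the live API.
const sampleSBOM = `{
  "sbom": {
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "name": "com.github.turbot/steampipe",
    "dataLicense": "CC0-1.0",
    "creationInfo": {"created": "2023-10-21T00:00:00Z", "creators": ["Tool: GitHub.com-Dependency-Graph"]},
    "packages": [
      {"SPDXID": "SPDXRef-com.github.turbot-steampipe", "name": "com.github.turbot/steampipe"},
      {"SPDXID": "SPDXRef-npm-actions-core-1.2.6", "name": "npm:@actions/core", "versionInfo": "1.2.6", "licenseConcluded": "MIT"},
      {"SPDXID": "SPDXRef-npm-octokit-core-3.2.1", "name": "npm:@octokit/core", "versionInfo": "3.2.1", "licenseConcluded": "MIT"}
    ]
  }
}`

func main() {
	row, err := parseSBOM("turbot/steampipe", []byte(sampleSBOM))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %s %s, %d packages\n", row.RepositoryFullName, row.SPDXVersion, row.Name, len(row.Packages))
	fmt.Println("unpinned:", unpinnedPackages(row))
	for _, p := range packagesWithLicense(row, "MIT") {
		fmt.Printf("  %s %s\n", p.Name, p.VersionInfo)
	}
}
```

Because an absent licenseConcluded decodes to the empty string, a filter on license should treat "" as unknown rather than as a license value; SPDX's NOASSERTION, where a document uses it, needs the same handling.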

@lwakefield
Contributor Author

Thanks @cbruno10 - I pivoted based on your feedback!

Contributor

@cbruno10 cbruno10 left a comment

@lwakefield Thanks for making the quick pivot!

I've left a few additional suggestions, can you please have a look?

Review threads on github/table_github_repository_sbom.go and docs/tables/github_repository_sbom.md (all resolved).
Review comment on github/table_github_repository_sbom.go, at:

    func tableGitHubRepositorySbom() *plugin.Table {

Contributor

Can you please post what `select * from github_repository_sbom` produces?

@misraved misraved reopened this Nov 17, 2023
@misraved misraved changed the base branch from main to add_github_repository_sbom_table November 17, 2023 12:30
@turbot turbot deleted a comment from madhushreeray30 Nov 17, 2023
@misraved misraved merged commit 2ca8634 into turbot:add_github_repository_sbom_table Nov 17, 2023
2 checks passed
madhushreeray30 added a commit that referenced this pull request Dec 1, 2023
Co-authored-by: Lawrence Wakefield <[email protected]>
Co-authored-by: Madhushree Ray <[email protected]>