
SBOM support #7

@jeffsw

We should be able to generate an SBOM of the packages in the ZIP(s).

We already have code to invoke pip with `--report tmpfile.json` and consume the JSON, returning it from `invoke_pip_install()`.

cyclonedx-python-lib looks like an easy way to do it.

Including the SBOM output in our ZIP file would be nice.

Option to post it to DependencyTrack would also be nice, but we need to document how we'll deal with layers and project versions within DT.
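As an added illustration of the idea in this issue (not code from this project, and not using cyclonedx-python-lib), the following stdlib-only script turns a `pip install --report` JSON document into a minimal CycloneDX 1.5 JSON SBOM. The sample report, its package names, versions and hashes are constructed; the `install[].metadata` / `download_info.archive_info.hashes` layout is pip's report format version "1". It also flags components whose report entry carried no archive hash, which is the check a consumer of the SBOM would want before trusting the integrity data.

```python
"""Build a minimal CycloneDX 1.5 SBOM from a `pip install --report` document."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample of what `pip install --report out.json` writes (report
# format version "1"). Names, versions, URLs and digests are made up.
SAMPLE_PIP_REPORT = {
    "version": "1",
    "pip_version": "23.3.1",
    "install": [
        {
            "download_info": {
                "url": "https://files.pythonhosted.org/packages/Example_Lib-1.2.0-py3-none-any.whl",
                "archive_info": {"hashes": {"sha256": "a" * 64}},
            },
            "is_direct": False,
            "requested": True,
            "metadata": {"name": "Example_Lib", "version": "1.2.0",
                         "requires_dist": ["helper>=0.1"]},
        },
        {
            # A local sdist: pip records no archive hash for it.
            "download_info": {"url": "file:///tmp/helper-0.1.0.tar.gz", "archive_info": {}},
            "is_direct": True,
            "requested": False,
            "metadata": {"name": "helper", "version": "0.1.0"},
        },
    ],
}

# pip hash keys -> CycloneDX hash algorithm names
HASH_ALG_NAMES = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256", "sha512": "SHA-512"}


def normalize_name(name: str) -> str:
    """PEP 503 project-name normalisation, used to match requires_dist entries."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pypi_purl(name: str, version: str) -> str:
    """Package URL for the pypi type: lowercase name, underscores become dashes."""
    return f"pkg:pypi/{name.lower().replace('_', '-')}@{version}"


def component_from_install(entry: dict) -> dict:
    meta = entry["metadata"]
    purl = pypi_purl(meta["name"], meta["version"])
    comp = {"type": "library", "bom-ref": purl, "name": meta["name"],
            "version": meta["version"], "purl": purl}
    hashes = entry.get("download_info", {}).get("archive_info", {}).get("hashes", {})
    if hashes:
        comp["hashes"] = [{"alg": HASH_ALG_NAMES[alg], "content": digest}
                          for alg, digest in hashes.items() if alg in HASH_ALG_NAMES]
    return comp


def build_cyclonedx(report: dict) -> dict:
    if report.get("version") != "1":
        raise ValueError(f"unsupported pip report version: {report.get('version')!r}")
    installs = report["install"]
    components = [component_from_install(e) for e in installs]
    # Map normalised project name -> bom-ref so requires_dist can be resolved
    # to components that were actually installed.
    by_name = {normalize_name(c["name"]): c["bom-ref"] for c in components}
    dependencies = []
    for entry, comp in zip(installs, components):
        depends_on = []
        for req in entry["metadata"].get("requires_dist", []):
            m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", req)
            ref = by_name.get(normalize_name(m.group(0))) if m else None
            if ref and ref not in depends_on:
                depends_on.append(ref)
        dependencies.append({"ref": comp["bom-ref"], "dependsOn": depends_on})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "tools": [{"name": "pip-report-to-cyclonedx (example)",
                       "version": report.get("pip_version", "unknown")}],
        },
        "components": components,
        "dependencies": dependencies,
    }


def components_without_hashes(bom: dict) -> list:
    """purls of components for which pip recorded no archive digest."""
    return [c["purl"] for c in bom["components"] if not c.get("hashes")]


if __name__ == "__main__":
    bom = build_cyclonedx(SAMPLE_PIP_REPORT)
    print(json.dumps(bom, indent=2))
    for purl in components_without_hashes(bom):
        print(f"warning: no archive hash recorded for {purl}")
```

The hand-built dictionary is the minimum a CycloneDX consumer such as Dependency-Track needs (format, spec version, components with purls, a dependency graph); a real implementation would hand the same data to cyclonedx-python-lib, which also validates the output against the schema.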
