Build: [AEA-3993] - Add SBOM generation and scanning

[wildjames]

Summary

• 🤖 Operational or Infrastructure Change

Details

Add a github workflow that generates a software bill of materials (SBOM), and scans it for vulnerabilities. Any critical warnings will cause the pipeline to fail.

[github-actions]

This branch is work on a ticket in the NHS Digital APM JIRA Project. Here's a handy link to the ticket:

[wildjames]

There are a few problems with our NPM packages. We need to sort these out! I've filtered out all non-critical warnings.

NAME                   INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY 
gen-mapping            0.3.5                npm   GHSA-8rmg-jf7p-4p22  Critical  
lodash                 4.17.0     4.17.12   npm   GHSA-jf85-cpcp-j695  Critical  
lodash-es              4.17.12    4.17.14   npm   GHSA-jf85-cpcp-j695  Critical  
middleware-user-agent  3.637.0              npm   GHSA-7jfr-mfm3-p4mh  Critical  
node-config-provider   3.1.4                npm   GHSA-p2f3-jr96-8rhf  Critical  
protocol-http          4.1.0                npm   GHSA-p57r-cpw5-9h67  Critical  
sandbox                1.0.0                npm   GHSA-gc25-3vc5-2jf9  Critical  
smithy-client          3.2.0                npm   GHSA-xh9p-w3hh-pqp5  Critical

Note that some of these don't have solutions that we can apply easily. We can look up the vulnerability codes here

[wildjames]

Sonar complains that some code in a tests directory is not covered by tests... It's a one-line change, we should probably force merge past it.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud