Add extract-sbom command to native-image-utils tool

[jerboaa]

Summary

This tool relies on a native library, libextract_sbom.a, produced by the build, which is currently Linux only and allows for extract-sbom command added to the native-image-utils tool. It can be used to read the gzip compressed SBOM bytes from another native image.

Related Issues

Implementation of #13374

Testing

• SBOM extraction on a native image produced with Oracle GraalVM
• SBOM extraction on a patched build of Mandrel 25 which embeds a Quarkus SBOM.

Basic Usage:

1. Build GraalVM (with native-image-utils). E.g. by adding: --native=...,native-image-utils --components="Native Image Configure Tool,...
2. $GRAALVM_HOME/bin/native-image-utils extract-sbom --image-path=/path/to/binary-with-sbom-embedded

Assisted-by: Claude, Model: Sonnet 4.5

[dougxc]

How does this relate to the existing native-image-utils?

[jerboaa]

How does this relate to the existing native-image-utils?

Thanks for the pointer. It wasn't clear that native-image-utils existed in GraalVM CE code. From the looks of it I could adapt the extract-sbom command akin to ConfigurationGenerateFiltersCommand et. al. That should work for us. Would that be a way to move this forward?

[dougxc]

How does this relate to the existing native-image-utils?

Thanks for the pointer. It wasn't clear that native-image-utils existed in GraalVM CE code. From the looks of it I could adapt the extract-sbom command akin to ConfigurationGenerateFiltersCommand et. al. That should work for us. Would that be a way to move this forward?

No objection from me.

[jerboaa]

The updated patch now uses existing native-imag-utils and just adds the extract-sbom command.