Make SBOM generation less bad #799

Closed
Tracked by #781
jonjohnsonjr opened this issue Jul 10, 2023 · 0 comments · Fixed by #800 or #801
Comments

@jonjohnsonjr
Contributor

This is quadratic:

```go
func (sx *SPDX) ProcessInternalApkSBOM(opts *options.Options, doc *Document, p *Package) error {
	// Check if apk installed an SBOM
	path, err := locateApkSBOM(sx.fs, p)
	if err != nil {
		return fmt.Errorf("inspecting FS for internal apk SBOM: %w", err)
	}
	if path == "" {
		return nil
	}

	// TODO: Logf("composing packages from %s into image SBOM", path)

	internalDoc, err := sx.ParseInternalSBOM(opts, path)
	if err != nil {
		// TODO: Log error parsing apk SBOM
		return nil
	}

	targetElementIDs := []string{}

	// Cycle the top level elements...
	for _, elementID := range internalDoc.DocumentDescribes {
		// ... searching for a 1st level package
		for _, pkg := range internalDoc.Packages {
			// that matches the name
			if pkg.ID == elementID && p.Name == pkg.Name {
				targetElementIDs = append(targetElementIDs, pkg.ID)
				// TODO: Logf("Found package %s describing %s", pkg.ID, p.Name)
			}
		}

		// Copy the targetElementIDs
		copiedElements := &map[string]struct{}{}
		for _, id := range targetElementIDs {
			if err := copySBOMElement(id, internalDoc, doc, copiedElements); err != nil {
				return fmt.Errorf("copying element: %w", err)
			}

			// Search for a package in the new SBOM describing the same thing
			for _, pkg := range doc.Packages {
				// TODO: Think if we need to match version too
				if pkg.Name == p.Name {
					replacePackage(doc, pkg.ID, id)
					break
				}
			}
		}
	}

	return nil
}
```

This was referenced Jul 10, 2023
@jonjohnsonjr jonjohnsonjr reopened this Jul 10, 2023
@jonjohnsonjr jonjohnsonjr changed the title Make SBOM generation not bad Make SBOM generation less bad Jul 10, 2023
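
An added illustration (not part of the original issue, and not the fix that landed in #800 or #801): the first nested loop in the snippet resolves each `DocumentDescribes` ID by scanning all of `Packages`, and indexing packages by ID once makes that step linear. The `Package` and `Document` types are simplified stand-ins, `matchNested` and `matchIndexed` are hypothetical names, and the sample data is constructed.

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for the SBOM types in the issue's snippet.
type Package struct{ ID, Name string }
type Document struct {
	DocumentDescribes []string
	Packages          []Package
}

// matchNested mirrors the issue's lookup: every described ID rescans all packages.
func matchNested(doc *Document, name string) (ids []string, steps int) {
	for _, elementID := range doc.DocumentDescribes {
		for _, pkg := range doc.Packages {
			steps++
			if pkg.ID == elementID && pkg.Name == name {
				ids = append(ids, pkg.ID)
			}
		}
	}
	return ids, steps
}

// matchIndexed builds an ID index once (IDs assumed unique), then does one lookup per ID.
func matchIndexed(doc *Document, name string) (ids []string, steps int) {
	byID := make(map[string]string, len(doc.Packages)) // ID -> Name
	for _, pkg := range doc.Packages {
		steps++
		byID[pkg.ID] = pkg.Name
	}
	for _, elementID := range doc.DocumentDescribes {
		steps++
		if n, ok := byID[elementID]; ok && n == name {
			ids = append(ids, elementID)
		}
	}
	return ids, steps
}

func main() {
	doc := &Document{} // constructed sample: 2000 packages, all described
	for i := 0; i < 2000; i++ {
		id := fmt.Sprintf("SPDXRef-Package-%d", i)
		doc.Packages = append(doc.Packages, Package{id, fmt.Sprintf("pkg-%d", i)})
		doc.DocumentDescribes = append(doc.DocumentDescribes, id)
	}
	fmt.Println(matchNested(doc, "pkg-1999"))  // matched IDs, steps taken
	fmt.Println(matchIndexed(doc, "pkg-1999")) // same IDs, far fewer steps
}
```

This covers only the ID lookup; the copy-and-replace loop over `doc.Packages` in the snippet is a separate scan.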