Generate singular SBOM based on manifestInfo parameter

[pragnya17]

We currently generate SBOMs for all support spdx versions. However, we would like the user experience to be only 1 generated SBOM when the generate CLI command is used. For generation the default behavior is to return the SPDX 2.2 SBOM. This is only override if the -mi argument is specified.

For example:
If the -mi parameter is SPDX:3.0, then we will generate SPDX 3.0 SBOMs.
If the -mi parameter is SPDX:2.2, then we will generate SPDX 2.2 SBOMs.
If no -mi parameter specified, then we will generate SPDX 2.2 SBOMs.

[pragnya17]

/azp run

[azure-pipelines]

Azure Pipelines will not run the associated pipelines, because the pull request was updated after the run command was issued. Review the pull request again and issue a new run command.

[github-actions]

This PR changes files in the API project. Does it change any of the API interfaces in any way? Please note that this includes the following types of changes:

• Changing the signature of an existing interface method
• Adding a new method to an existing interface
• Adding a required data member to a class that an existing interface method consumes

Because any of these changes can potentially break a downstream consumer with customized interface implementations, these changes need to be treated as breaking changes. Please do one of the following:

Option 1 - Publish this as a breaking change

1. Update the documentation to show the new functionality
2. Bump the major version in the next release
3. Be sure to highlight the breaking changes in the release notes

Option 2 - Refactor the changes to be non-breaking

1. Review this commit, which adds a new interface in a backward-compatible way
2. Refactor the change to follow this pattern so that existing interfaces are left completely intact
3. Bump the minor version in the next release

[pragnya17]

/azp run

[pragnya17]

/azp run

[pragnya17]

/azp run

[pragnya17]

/azp run

[DaveTryon]

Things are now working correctly when I run the tool with either no -mi parameter or with -mi SPDX:2.2. When I run it with -mi SPDX:3.0, the output emits the following warning:

>Microsoft.Sbom.Tool.exe generate -ps Blah -pn Blah -pv 1.2.3 -b C:\repos\CsvToJson\CsvToJson\bin\Debug\net8.0 -bc C:\repos\CsvToJson -mi SPDX:3.0
##[warning]Unhandled exception caught when trying to open "C:\\repos\\CsvToJson\\CsvToJson\\bin\\Debug\\net8.0\\_manifest\\spdx_3.0\\manifest.spdx.json"
System.IO.IOException: The process cannot access the file 'C:\repos\CsvToJson\CsvToJson\bin\Debug\net8.0\_manifest\spdx_3.0\manifest.spdx.json' because it is being used by another process.
   at Microsoft.Win32.SafeHandles.SafeFileHandle.CreateFile(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
   at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
   at System.IO.Strategies.FileStreamHelpers.ChooseStrategyCore(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
   at System.IO.FileInfo.OpenRead()
   at Microsoft.ComponentDetection.Common.LazyComponentStream.SafeOpenFile()
##[warning]Discovered SPDX file at "C:\\repos\\CsvToJson\\CsvToJson\\bin\\Debug\\net8.0\\_manifest\\spdx_3.0\\manifest.spdx.json" is not a valid document, skipping

We have no similar warning with SPDX 2.2

[DaveTryon]

I tried running with -mi SPDX:2.5 to see how the error handling works, and it's not great. Here's the output:

>Microsoft.Sbom.Tool.exe generate -ps Blah -pn Blah -pv 1.2.3 -b C:\repos\CsvToJson\CsvToJson\bin\Debug\net8.0 -bc C:\repos\CsvToJson -mi SPDX:2.5
##[error]Encountered an error while generating the manifest.
##[error]Error details: The given key 'SPDX:2.5' was not present in the dictionary.
##[warning]0 Packages were detected during the Generate workflow.

Compare that to what comes from the validate job:

>Microsoft.Sbom.Tool.exe validate -b c:\repos\CsvToJson\CsvToJson\bin\Debug\net8.0 -o ./foo.json -mi SPDX:2.5
Encountered error while running ManifestTool validation workflow. Error: Validation only supports the SPDX2.2 or SPDX3.0 format.

The error for validate comes from src/Microsoft.Sbom.Api/Config/Validator.cs. Maybe we ought to add a case for the generate parameter?

[github-actions]

This PR changes files in the API project. Does it change any of the API interfaces in any way? Please note that this includes the following types of changes:

• Changing the signature of an existing interface method
• Adding a new method to an existing interface
• Adding a required data member to a class that an existing interface method consumes

Because any of these changes can potentially break a downstream consumer with customized interface implementations, these changes need to be treated as breaking changes. Please do one of the following:

Option 1 - Publish this as a breaking change

1. Update the documentation to show the new functionality
2. Bump the major version in the next release
3. Be sure to highlight the breaking changes in the release notes

Option 2 - Refactor the changes to be non-breaking

1. Review this commit, which adds a new interface in a backward-compatible way
2. Refactor the change to follow this pattern so that existing interfaces are left completely intact
3. Bump the minor version in the next release