index-cli-plugin

Plan for GA CLI

Open mikeparker opened this issue 2 years ago • 0 comments

Questions:

  1. Do we need a replacement CLI by the time we remove Snyk? - Product call?
  2. Do we keep the existing codebase or start from scratch?
  3. Do we need to do anything to ensure the code can be consumed as a library in desktop instead of being run as an external executable?
  4. What is the CLI named? docker index or docker X or docker image <analyse|report|...> - worth creating an alias as well? Maybe need to extend the plugins system to allow plugins to insert aliases.
  5. What functionality do we need to clean up? - Obtaining an image from a daemon and a registry etc., loading it down, downloading. Local branch for buildkit attestations and shortcut the SBOM generation and use the one from the image; there's a lot of redirection here and hacky code to get it working.
  6. What output format(s) do we want to support? SPDX does not support vulns... CycloneDX does... do we need to separate (a) SBOM output and (b) vulnerability reports?
  7. What does a pretty human output look like, colors, tables etc?
  8. Which mechanisms of obtaining SBOMs do we want to support? Can we use buildkit code to generate the SBOM?
  9. Do we want to do anything with docker sbom command?
  10. What params / flags do we need to support? Severity filtering?
  11. Should the codebase be open or closed source?

Next steps:

  1. Yves to look more at the codebase

mikeparker avatar Jan 12 '23 15:01 mikeparker