MongoDB Database Tools: TOOLS-3768

Change our SBOM handling to only work with the Augmented SBOM

    • Type: Task
    • Resolution: Unresolved
    • Priority: Major - P3
    • None
    • Affects Version/s: None
    • Component/s: None
    • 3
    • Tools and Replicator
    • 31

      Problem

      Now that we've switched to Kondukto, we no longer run snyk check in CI. Originally, when we adopted this SSDLC tooling, we would check that the Augmented SBOM was up to date as part of the release CI tasks. But we ended up disabling that check because it had issues.

      This means that right now, the release-time check for outstanding vulnerabilities is entirely manual. This is not ideal.

      Solution & Acceptance Criteria

      We can address this and simplify our SBOM handling by only using the Augmented SBOM, and forgoing the SBOM Lite file entirely. This would consist of the following changes:

      • Change the code which generates the SBOM Lite to generate an augmented SBOM. This basically just means running silkbomb update and then silkbomb augment. There's no need to call silkbomb upload, and there's no waiting period needed to get the latest vulnerability info.
      • Get rid of everything referring to the SBOM Lite and only refer to the Augmented SBOM. We can probably also use the term "SBOM" everywhere now.
      • Remove all code related to checking the Augmented SBOM during a release. Instead, our existing code to check that the SBOM is up to date for all PRs will do what we need.
      • Update the release docs as appropriate.
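As an added illustration of the per-PR "SBOM is up to date" check that the third item relies on (example code, not the mongo-tools repository's own), the following verifies that a CycloneDX SBOM is the augmented form, that its components match the expected purl list, and that no finding is left without a triage state. The sample SBOM, purl list and CVE ids are constructed placeholders; field names follow the CycloneDX 1.5 JSON schema.

```python
"""Added example, not the project's own code: a CI-style check that the
SBOM is the Augmented SBOM (has a vulnerabilities section), lists exactly the
expected purls, and carries a triage (analysis) state for every finding."""
import json

# Constructed sample of an augmented CycloneDX SBOM; only the fields the
# check reads are present. The CVE ids are placeholders, not real findings.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"purl": "pkg:golang/github.com/example/lib@v1.2.3"},
        {"purl": "pkg:golang/github.com/example/other@v0.9.0"},
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-0000",
         "affects": [{"ref": "pkg:golang/github.com/example/lib@v1.2.3"}],
         "analysis": {"state": "not_affected"}},
        {"id": "CVE-0000-0001",
         "affects": [{"ref": "pkg:golang/github.com/example/other@v0.9.0"}]},
    ],
})

# Constructed: the purl list derived from the module's dependency graph.
EXPECTED_PURLS = [
    "pkg:golang/github.com/example/lib@v1.2.3",
    "pkg:golang/github.com/example/other@v0.9.0",
]


def check_sbom(sbom_json: str, expected_purls: list[str]) -> list[str]:
    """Return the problems found; an empty list means the SBOM passes."""
    sbom = json.loads(sbom_json)
    problems = []
    if "vulnerabilities" not in sbom:
        problems.append("SBOM is not augmented: no 'vulnerabilities' section")
    have = {c.get("purl") for c in sbom.get("components", [])}
    want = set(expected_purls)
    for purl in sorted(want - have):
        problems.append(f"missing component: {purl}")
    for purl in sorted(have - want):
        problems.append(f"stale component: {purl}")
    # Every finding in an augmented SBOM needs a recorded triage decision;
    # one without an analysis state is an outstanding vulnerability.
    for vuln in sbom.get("vulnerabilities", []):
        if vuln.get("analysis", {}).get("state") is None:
            problems.append(f"untriaged vulnerability: {vuln.get('id')}")
    return problems
```

In CI the returned list would be printed and a non-empty result would fail the job.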

      Impact

      We will greatly simplify our SBOM handling while making sure it's always up to date with the latest vulnerability info.

      This also makes doing REP-4833 unnecessary.

            Assignee: Unassigned
            Reporter: Dave Rolsky (dave.rolsky@mongodb.com)
            Votes: 0
            Watchers: 1
