From 300c4fdcb22b0a195b0469e79bc9e22cd8252169 Mon Sep 17 00:00:00 2001
From: Scott Hebert
Date: Tue, 12 Mar 2024 08:48:53 -0400
Subject: [PATCH] fix(KFLUXBUGS-1152): add support for multi-arch - if IMAGE_URL is a multi-arch one, print out sbom for each arch present
Signed-off-by: Scott Hebert
---
 task/show-sbom/0.1/show-sbom.yaml | 60 +++++++++++++++++++++++--------
 1 file changed, 45 insertions(+), 15 deletions(-)

diff --git a/task/show-sbom/0.1/show-sbom.yaml b/task/show-sbom/0.1/show-sbom.yaml
index a4fc6b2f34..4bbf3d43ff 100644
--- a/task/show-sbom/0.1/show-sbom.yaml
+++ b/task/show-sbom/0.1/show-sbom.yaml
@@ -10,14 +10,14 @@ metadata:
 tekton.dev/tags: "appstudio, hacbs"
 spec:
 description: >-
- Shows the Software Bill of Materials (SBOM) generated for the built image in CyloneDX JSON format.
+ Shows the Software Bill of Materials (SBOM) generated for the built image in CyloneDX JSON format:
 params:
 - name: IMAGE_URL
 description: Fully qualified image name to show SBOM for.
 type: string
 steps:
 - name: show-sbom
- image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5
+ image: quay.io/redhat-appstudio/appstudio-utils:3e548a38b3ad183262a25bc2a4eb6b5367b83fb5
 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
 # the cluster will set imagePullPolicy to IfNotPresent
 # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.
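Review bot: The new `image:` reference pins appstudio-utils by a plain tag (`:3e548a38b3ad183262a25bc2a4eb6b5367b83fb5`) rather than a `@sha256:` digest, while the reference it replaces was digest-pinned and the comment immediately below still says digest-based references are wanted so that automation can bump them. A tag can be re-pointed in the registry without any change to this file, so the step's contents are no longer reproducible or verifiable from the task definition; either append the image's digest to the reference or update the comment to say why a tag is acceptable here. Separately, the `description` now ends in a stray colon, `format:`, where the removed line ended the sentence with a full stop; `CyloneDX` should also read `CycloneDX`, though that typo predates this change.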
@@ -26,19 +26,49 @@ spec:
 value: $(params.IMAGE_URL)
 script: |
 #!/busybox/sh
- status=-1
- max_try=5
- wait_sec=2
- for run in $(seq 1 $max_try); do
- status=0
- cosign download sbom $IMAGE_URL 2>>err
- status=$?
- if [ "$status" -eq 0 ]; then
- break
- fi
- sleep $wait_sec
- done
- if [ "$status" -ne 0 ]; then
+ IMAGE_URL=$1
+
+ download_sbom_with_retry() {
+ status=-1
+ max_try=5
+ wait_sec=2
+
+ PLATFORM_ARG="$1"
+ for run in $(seq 1 $max_try); do
+ status=0
+ cosign download sbom $PLATFORM_ARG $IMAGE_URL 2>>err
+ status=$?
+ if [ "$status" -eq 0 ]; then
+ break
+ fi
+ sleep $wait_sec
+ done
+ if [ "$status" -ne 0 ]; then
 echo "Failed to get SBOM after ${max_try} tries" >&2
 cat err >&2
+ fi
+ }
+ echo "Inspecting image ${IMAGE_URL}"
+
+ RAW_OUTPUT=$(skopeo inspect --no-tags --raw docker://${IMAGE_URL})
+ if [ $(jq -r '.mediaType' <<< $RAW_OUTPUT) == "application/vnd.oci.image.manifest.v1+json" ] ; then
+ ARCHES=""
+ else
+ # Multi arch
+ ARCHES=$(jq -r '.manifests[].platform.architecture' <<< $RAW_OUTPUT)
+ fi
+
+ if [ -z "${ARCHES}" ] ; then
+ # single arch image
+ echo ""
+ echo "Single arch image"
+ echo ""
+ download_sbom_with_retry ""
+ else
+ for arch in $ARCHES; do
+ echo ""
+ echo "Arch: $arch"
+ echo ""
+ download_sbom_with_retry " --platform=linux/$arch "
+ done
 fi
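Review bot: The manifest-type test treats everything that is not `application/vnd.oci.image.manifest.v1+json` as a multi-arch index, so a single-arch image pushed with a Docker schema-2 manifest (`application/vnd.docker.distribution.manifest.v2+json`) takes the `else` branch, where `.manifests[]` is null and jq reports an error; the script only recovers because ARCHES happens to end up empty. Inverting the check so that only the index media types (`application/vnd.oci.image.index.v1+json` and `application/vnd.docker.distribution.manifest.list.v2+json`) enumerate `.manifests[]`, with every other type treated as single-arch, makes the intent explicit and removes the spurious error. `IMAGE_URL=$1` at the top of the script also overwrites whatever the `value: $(params.IMAGE_URL)` context line sets — it looks like an env entry, and unless the step also passes the URL as an argument (not visible in this hunk) IMAGE_URL becomes empty before `skopeo inspect` runs. The `skopeo inspect` exit status is never checked, so an unreachable or unauthorised registry yields an empty RAW_OUTPUT that is then reported as a "Single arch image" rather than as a failure; `RAW_OUTPUT=$(skopeo inspect --no-tags --raw "docker://${IMAGE_URL}") || { echo "Failed to inspect ${IMAGE_URL}" >&2; exit 1; }` would surface it. Finally, `.manifests[].platform.architecture` drops `os` and `variant`, so indexes that carry non-linux or `unknown/unknown` attestation entries will produce `--platform=linux/unknown` requests that cannot match anything; the function body and the surrounding env/script keys extend beyond this hunk.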