fix: make PURLs use oci type / fixed SBOM component name (#11)

* fix: make PURLs use oci type * fix: use product name as source name in syft / SBOMs * fix: addressed review comments * fix: addressed comments from @NickLarsenNZ * chore: removed unnecessary curly braces * fix: curly braces syntax Co-authored-by: Nick <[email protected]> --------- Co-authored-by: Nick <[email protected]>
stackabletech · Oct 22, 2024 · 0c5dbc4 · 0c5dbc4
1 parent 0ffa976
commit 0c5dbc4
Showing 1 changed file with 17 additions and 6 deletions.
diff --git a/publish-image/action.yml b/publish-image/action.yml
@@ -109,22 +109,33 @@ runs:
         # Extract the digest from the image repo digest (right side of '@')
         DIGEST=${IMAGE_REPO_DIGEST#*@}
 
+        # URL encode the digest and image repository, needed for the purl
+        URLENCODED_DIGEST=$(jq -rn --arg input "$DIGEST" '$input | @uri')
+        URLENCODED_IMAGE_REPOSITORY=$(jq -rn --arg input "$IMAGE_REPOSITORY" '$input | @uri')
+        # Last item, split by /
+        # Example: sdp/kafka -> kafka
+        SOURCE_NAME=$(echo "$IMAGE_REPOSITORY" | awk -F'/' '{print $NF}')
+        # Extract architecture from image tag
+        ARCH=$(echo "$IMAGE_MANIFEST_TAG" | awk -F'-' '{print $NF}')
+        if [ "$ARCH" != "amd64" ] && [ "$ARCH" != "arm64" ]; then
+          echo "Invalid architecture obtained from image tag. IMAGE_MANIFEST_TAG: $IMAGE_MANIFEST_TAG, ARCH: $ARCH"
+          exit 1
+        fi
         # Construct the package url (purl)
-        # TODO (@Techassi): Can we use 'oci' instead of 'docker' as the type?
-        PURL="pkg:docker/$IMAGE_REPOSITORY@$DIGEST?repository_url=$REGISTRY_URI"
+        PURL="pkg:oci/${SOURCE_NAME}@${URLENCODED_DIGEST}?arch=${ARCH}&repository_url=${REGISTRY_URI}%2F${URLENCODED_IMAGE_REPOSITORY}"
 
         # Get metadata from the image
         # NOTE (@Techassi): Maybe we should run this command only once
-        IMAGE_METADATA_DESCRIPTION=$(docker inspect --format='{{.Config.Labels.description}}' "${IMAGE_REPO_DIGEST}")
-        IMAGE_METADATA_NAME=$(docker inspect --format='{{.Config.Labels.name}}' "${IMAGE_REPO_DIGEST}")
+        IMAGE_METADATA_DESCRIPTION=$(docker inspect --format='{{.Config.Labels.description}}' "$IMAGE_REPO_DIGEST")
+        IMAGE_METADATA_NAME=$(docker inspect --format='{{.Config.Labels.name}}' "$IMAGE_REPO_DIGEST")
 
         # Generate the SBOM
         syft scan \
           --output [email protected]=sbom_raw.json \
           --select-catalogers "-cargo-auditable-binary-cataloger,+sbom-cataloger" \
           --scope all-layers \
-          --source-name "$IMAGE_REPOSITORY" \
-          --source-version "$IMAGE_MANIFEST_TAG" "${IMAGE_REPO_DIGEST}"
+          --source-name "$SOURCE_NAME" \
+          --source-version "$IMAGE_MANIFEST_TAG" "$IMAGE_REPO_DIGEST"
 
         # Merge SBOM components using https://github.com/stackabletech/mergebom
         curl --fail -L -o mergebom https://repo.stackable.tech/repository/packages/mergebom/stable-$(uname -m)