fix: support SBOM generation with OCI layout export #291
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6 tasks
leodido
force-pushed
the
ldd/fix-oci-container-extract
branch
from
44c5410 to
6add4dd
Compare
leodido
force-pushed
the
ldd/sbom-oci-layout
branch
from
0c347c7 to
1843ce1
Compare
When exportToCache is enabled, Docker images are exported in OCI layout format (image.tar) and never loaded into Docker daemon. SBOM generation was failing because it tried to inspect the Docker daemon. This fix detects OCI layout export and uses Syft's oci-archive source provider to scan the image.tar directly, enabling SBOM generation for all three formats (CycloneDX, SPDX, Syft) in SLSA L3 compliant builds. Co-authored-by: Ona <no-reply@ona.com>
Add comprehensive integration test that verifies SBOM generation works correctly for both Docker daemon and OCI layout export paths. The test validates: - Build succeeds without errors for both exportToCache modes - All 3 SBOM formats are generated (CycloneDX, SPDX, Syft) - SBOM files are valid JSON with expected structure - Format-specific fields are present (bomFormat, spdxVersion) Includes git repository initialization with fixed timestamps for deterministic test results, following existing test patterns. Co-authored-by: Ona <no-reply@ona.com>
leodido
force-pushed
the
ldd/sbom-oci-layout
branch
from
1843ce1 to
372a050
Compare
…ation The test was failing in CI because it tried to run git commands without first initializing a git repository. This adds the missing git init and git config steps, following the same pattern as other integration tests. Also adds GIT_CONFIG_GLOBAL and GIT_CONFIG_SYSTEM environment variables to ensure tests work in CI environments where global git config might not be available. Fixes integration test failures in CI. Co-authored-by: Ona <no-reply@ona.com>
7 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes SBOM generation for Docker packages when
exportToCache: trueis enabled. Previously, SBOM generation would fail because it tried to inspect the Docker daemon, but with OCI layout export, the image only exists asimage.tarand is never loaded into the daemon.Problem
When building Docker packages with OCI layout export enabled (
exportToCache: true):image.tarin OCI layout formatSolution
Modified
pkg/leeway/sbom.goto:cfg.ExportToCache == true)oci-archivesource provider to scan the OCI archive directlyTesting
Added integration test
TestDockerPackage_SBOM_OCI_Integrationthat verifies:Test Results
Files Changed
pkg/leeway/sbom.go- Added OCI layout detection and oci-archive source handlingpkg/leeway/build_integration_test.go- Added comprehensive integration testRelated
Checklist