Plumb through creationTime, drop extraction

internal/sbom/spdx.go

@@ -50,7 +50,7 @@ func ociRef(path string, imgDigest v1.Hash, qual ...qualifier) string {
 
 const dateFormat = "2006-01-02T15:04:05Z"
 
-func GenerateImageSPDX(koVersion string, mod []byte, img oci.SignedImage) ([]byte, error) {
+func GenerateImageSPDX(koVersion string, mod []byte, created time.Time, img oci.SignedImage) ([]byte, error) {
 	var err error
 	mod, err = massageGoVersionM(mod)
 	if err != nil {
@@ -66,12 +66,8 @@ func GenerateImageSPDX(koVersion string, mod []byte, img oci.SignedImage) ([]byt
 	if err != nil {
 		return nil, err
 	}
-	cfg, err := img.ConfigFile()
-	if err != nil {
-		return nil, err
-	}
 
-	doc, imageID := starterDocument(koVersion, cfg.Created.Time, imgDigest)
+	doc, imageID := starterDocument(koVersion, created, imgDigest)
 
 	// image -> main package -> transitive deps
 	doc.Packages = make([]Package, 0, 2+len(bi.Deps))
@@ -197,18 +193,13 @@ func extractDate(sii oci.SignedImageIndex) (*time.Time, error) {
 	return nil, errors.New("unable to extract date, no imaged found")
 }
 
-func GenerateIndexSPDX(koVersion string, sii oci.SignedImageIndex) ([]byte, error) {
+func GenerateIndexSPDX(koVersion string, created time.Time, sii oci.SignedImageIndex) ([]byte, error) {
 	indexDigest, err := sii.Digest()
 	if err != nil {
 		return nil, err
 	}
 
-	date, err := extractDate(sii)
-	if err != nil {
-		return nil, err
-	}
-
-	doc, indexID := starterDocument(koVersion, *date, indexDigest)
+	doc, indexID := starterDocument(koVersion, created, indexDigest)
 	doc.Packages = []Package{{
 		ID:               indexID,
 		Name:             indexDigest.String(),

pkg/build/gobuild.go

@@ -34,6 +34,7 @@ import (
 	"strconv"
 	"strings"
 	"text/template"
+	"time"
 
 	"github.com/containerd/stargz-snapshotter/estargz"
 	"github.com/google/go-containerregistry/pkg/name"
@@ -63,7 +64,7 @@ type GetBase func(context.Context, string) (name.Reference, Result, error)
 
 type builder func(context.Context, string, string, v1.Platform, Config) (string, error)
 
-type sbomber func(context.Context, string, string, oci.SignedEntity) ([]byte, types.MediaType, error)
+type sbomber func(context.Context, string, string, time.Time, oci.SignedEntity) ([]byte, types.MediaType, error)
 
 type platformMatcher struct {
 	spec      []string
@@ -301,7 +302,7 @@ func build(ctx context.Context, ip string, dir string, platform v1.Platform, con
 	return file, nil
 }
 
-func goversionm(ctx context.Context, file string, appPath string, se oci.SignedEntity) ([]byte, types.MediaType, error) {
+func goversionm(ctx context.Context, file string, appPath string, _ time.Time, se oci.SignedEntity) ([]byte, types.MediaType, error) {
 	switch se.(type) {
 	case oci.SignedImage:
 		sbom := bytes.NewBuffer(nil)
@@ -325,22 +326,22 @@ func goversionm(ctx context.Context, file string, appPath string, se oci.SignedE
 }
 
 func spdx(version string) sbomber {
-	return func(ctx context.Context, file string, appPath string, se oci.SignedEntity) ([]byte, types.MediaType, error) {
+	return func(ctx context.Context, file string, appPath string, created time.Time, se oci.SignedEntity) ([]byte, types.MediaType, error) {
 		switch obj := se.(type) {
 		case oci.SignedImage:
-			b, _, err := goversionm(ctx, file, appPath, obj)
+			b, _, err := goversionm(ctx, file, appPath, created, obj)
 			if err != nil {
 				return nil, "", err
 			}
 
-			b, err = sbom.GenerateImageSPDX(version, b, obj)
+			b, err = sbom.GenerateImageSPDX(version, b, created, obj)
 			if err != nil {
 				return nil, "", err
 			}
 			return b, ctypes.SPDXJSONMediaType, nil
 
 		case oci.SignedImageIndex:
-			b, err := sbom.GenerateIndexSPDX(version, obj)
+			b, err := sbom.GenerateIndexSPDX(version, created, obj)
 			return b, ctypes.SPDXJSONMediaType, err
 
 		default:
@@ -350,10 +351,10 @@ func spdx(version string) sbomber {
 }
 
 func cycloneDX() sbomber {
-	return func(ctx context.Context, file string, appPath string, se oci.SignedEntity) ([]byte, types.MediaType, error) {
+	return func(ctx context.Context, file string, appPath string, created time.Time, se oci.SignedEntity) ([]byte, types.MediaType, error) {
 		switch obj := se.(type) {
 		case oci.SignedImage:
-			b, _, err := goversionm(ctx, file, appPath, obj)
+			b, _, err := goversionm(ctx, file, appPath, created, obj)
 			if err != nil {
 				return nil, "", err
 			}
@@ -832,7 +833,7 @@ func (g *gobuild) buildOne(ctx context.Context, refStr string, base v1.Image, pl
 	si := signed.Image(image)
 
 	if g.sbom != nil {
-		sbom, mt, err := g.sbom(ctx, file, appPath, si)
+		sbom, mt, err := g.sbom(ctx, file, appPath, g.creationTime.Time, si)
 		if err != nil {
 			return nil, err
 		}
@@ -1017,7 +1018,7 @@ func (g *gobuild) buildAll(ctx context.Context, ref string, baseIndex v1.ImageIn
 		adds...)
 
 	if g.sbom != nil {
-		sbom, mt, err := g.sbom(ctx, "", "", idx)
+		sbom, mt, err := g.sbom(ctx, "", "", g.creationTime.Time, idx)
 		if err != nil {
 			return nil, err
 		}

pkg/build/gobuild_test.go

@@ -399,7 +399,7 @@ func nilGetBase(context.Context, string) (name.Reference, Result, error) {
 const wantSBOM = "This is our fake SBOM"
 
 // A helper method we use to substitute for the default "build" method.
-func fauxSBOM(context.Context, string, string, oci.SignedEntity) ([]byte, types.MediaType, error) {
+func fauxSBOM(context.Context, string, string, time.Time, oci.SignedEntity) ([]byte, types.MediaType, error) {
 	return []byte(wantSBOM), "application/vnd.garbage", nil
 }
 

pkg/commands/deps.go

@@ -135,7 +135,12 @@ If the image was not built using ko, or if it was built without embedding depend
 					1)
 				switch sbomType {
 				case "spdx":
-					b, err := sbom.GenerateImageSPDX(Version, mod, signed.Image(img))
+					cfg, err := img.ConfigFile()
+					if err != nil {
+						return err
+					}
+
+					b, err := sbom.GenerateImageSPDX(Version, mod, cfg.Created.Time, signed.Image(img))
 					if err != nil {
 						return err
 					}