exporter: ensure spdx order prioritizes primary sbom

If we have any SBOMs that are notated as primary, then we should ensure that they appear before the others in the list of attestations. This ensures that clients should be able to naively take the "first" SBOM, to get the most relevant one that applies to the main rootfs. Signed-off-by: Justin Chadwell <me@jedevc.com> (cherry picked from commit eabeb4f)
moby · Jan 9, 2023 · b3bc97c · b3bc97c
1 parent d83d496
commit b3bc97c
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/exporter/attestation/unbundle.go b/exporter/attestation/unbundle.go
@@ -81,13 +81,41 @@ func Unbundle(ctx context.Context, s session.Group, bundled []exporter.Attestati
 	for _, atts := range unbundled {
 		joined = append(joined, atts...)
 	}
+	joined = sort(joined)
 
 	if err := Validate(joined); err != nil {
 		return nil, err
 	}
 	return joined, nil
 }
 
+func sort(atts []exporter.Attestation) []exporter.Attestation {
+	isCore := make([]bool, len(atts))
+	for i, att := range atts {
+		name, ok := att.Metadata[result.AttestationSBOMCore]
+		if !ok {
+			continue
+		}
+		if n, _, _ := strings.Cut(att.Path, "."); n != string(name) {
+			continue
+		}
+		isCore[i] = true
+	}
+
+	result := make([]exporter.Attestation, 0, len(atts))
+	for i, att := range atts {
+		if isCore[i] {
+			result = append(result, att)
+		}
+	}
+	for i, att := range atts {
+		if !isCore[i] {
+			result = append(result, att)
+		}
+	}
+	return result
+}
+
 func unbundle(ctx context.Context, root string, bundle exporter.Attestation) ([]exporter.Attestation, error) {
 	dir, err := fs.RootPath(root, bundle.Path)
 	if err != nil {