Fix: Incorporate platform architecture (#1029)

🐛 Right now `--sbom-dir` with a multi-arch build just writes the same file over and over. This loosely follows the lead of apko which uses the form `sbom-{arch}.{form}.json`, but we are going with: `{app}-{platform}.{form}.json`. It is notable that `{platform}` is a superset of `{arch}` and we sanitize the string encoding replacing the `/` and `:` characters with `-`. /kind bug
ko-build · May 1, 2023 · c6dc504 · c6dc504
1 parent c70c4c1
commit c6dc504
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 4 deletions.
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -40,7 +40,13 @@ jobs:
 
         # Check that using sbom-dir works.
         KO_DOCKER_REPO=""  go run ./ build -t test --push=false --sbom-dir ./sbom-data ./test
-        jq . ./sbom-data/test.spdx.json
+        jq . ./sbom-data/test-linux-amd64.spdx.json
+
+        # Check that using sbom-dir works for multi-arch
+        KO_DOCKER_REPO=""  go run ./ build --platform=linux/amd64,linux/arm64 -t test --push=false --sbom-dir ./sbom-data2 ./test
+        jq . ./sbom-data2/test-index.spdx.json
+        jq . ./sbom-data2/test-linux-amd64.spdx.json
+        jq . ./sbom-data2/test-linux-arm64.spdx.json
 
         export PLATFORM=${GOOS}/${GOARCH}
 

diff --git a/pkg/build/gobuild.go b/pkg/build/gobuild.go
@@ -356,7 +356,7 @@ func spdx(version string) sbomber {
 	return func(ctx context.Context, file string, appPath string, appFileName string, se oci.SignedEntity, dir string) ([]byte, types.MediaType, error) {
 		switch obj := se.(type) {
 		case oci.SignedImage:
-			b, _, err := goversionm(ctx, file, appPath, appFileName, obj, "")
+			b, _, err := goversionm(ctx, file, appPath, "", obj, "")
 			if err != nil {
 				return nil, "", err
 			}
@@ -933,7 +933,9 @@ func (g *gobuild) buildOne(ctx context.Context, refStr string, base v1.Image, pl
 	si := signed.Image(image)
 
 	if g.sbom != nil {
-		sbom, mt, err := g.sbom(ctx, file, appPath, appFileName, si, g.sbomDir)
+		// Construct a path-safe encoding of platform.
+		pf := strings.ReplaceAll(strings.ReplaceAll(platform.String(), "/", "-"), ":", "-")
+		sbom, mt, err := g.sbom(ctx, file, appPath, fmt.Sprintf("%s-%s", appFileName, pf), si, g.sbomDir)
 		if err != nil {
 			return nil, err
 		}
@@ -1138,7 +1140,9 @@ func (g *gobuild) buildAll(ctx context.Context, ref string, baseRef name.Referen
 		adds...)
 
 	if g.sbom != nil {
-		sbom, mt, err := g.sbom(ctx, "", "", "", idx, g.sbomDir)
+		ref := newRef(ref)
+		appFileName := appFilename(ref.Path())
+		sbom, mt, err := g.sbom(ctx, "", "", fmt.Sprintf("%s-index", appFileName), idx, g.sbomDir)
 		if err != nil {
 			return nil, err
 		}