Fix: Incorporate platform architecture (#1029)

mattmoor · web-flow · commit c6dc504a60bb · 2023-05-01T10:32:09.000-04:00
🐛 Right now `--sbom-dir` with a multi-arch build just writes the same file over and over.

This loosely follows the lead of apko which uses the form `sbom-{arch}.{form}.json`, but we are going with: `{app}-{platform}.{form}.json`.

It is notable that `{platform}` is a superset of `{arch}` and we sanitize the string encoding replacing the `/` and `:` characters with `-`.

/kind bug
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -40,7 +40,13 @@ jobs:
 
         # Check that using sbom-dir works.
         KO_DOCKER_REPO=""  go run ./ build -t test --push=false --sbom-dir ./sbom-data ./test
-        jq . ./sbom-data/test.spdx.json
+        jq . ./sbom-data/test-linux-amd64.spdx.json
+
+        # Check that using sbom-dir works for multi-arch
+        KO_DOCKER_REPO=""  go run ./ build --platform=linux/amd64,linux/arm64 -t test --push=false --sbom-dir ./sbom-data2 ./test
+        jq . ./sbom-data2/test-index.spdx.json
+        jq . ./sbom-data2/test-linux-amd64.spdx.json
+        jq . ./sbom-data2/test-linux-arm64.spdx.json
 
         export PLATFORM=${GOOS}/${GOARCH}
 
diff --git a/pkg/build/gobuild.go b/pkg/build/gobuild.go
@@ -356,7 +356,7 @@ func spdx(version string) sbomber {
 	return func(ctx context.Context, file string, appPath string, appFileName string, se oci.SignedEntity, dir string) ([]byte, types.MediaType, error) {
 		switch obj := se.(type) {
 		case oci.SignedImage:
-			b, _, err := goversionm(ctx, file, appPath, appFileName, obj, "")
+			b, _, err := goversionm(ctx, file, appPath, "", obj, "")
 			if err != nil {
 				return nil, "", err
 			}
@@ -933,7 +933,9 @@ func (g *gobuild) buildOne(ctx context.Context, refStr string, base v1.Image, pl
 	si := signed.Image(image)
 
 	if g.sbom != nil {
-		sbom, mt, err := g.sbom(ctx, file, appPath, appFileName, si, g.sbomDir)
+		// Construct a path-safe encoding of platform.
+		pf := strings.ReplaceAll(strings.ReplaceAll(platform.String(), "/", "-"), ":", "-")
+		sbom, mt, err := g.sbom(ctx, file, appPath, fmt.Sprintf("%s-%s", appFileName, pf), si, g.sbomDir)
 		if err != nil {
 			return nil, err
 		}
@@ -1138,7 +1140,9 @@ func (g *gobuild) buildAll(ctx context.Context, ref string, baseRef name.Referen
 		adds...)
 
 	if g.sbom != nil {
-		sbom, mt, err := g.sbom(ctx, "", "", "", idx, g.sbomDir)
+		ref := newRef(ref)
+		appFileName := appFilename(ref.Path())
+		sbom, mt, err := g.sbom(ctx, "", "", fmt.Sprintf("%s-index", appFileName), idx, g.sbomDir)
 		if err != nil {
 			return nil, err
 		}
