Use existing multi-image tars when generating SBOMs during package cr…

…eate
zarf-dev · Apr 14, 2022 · 29440c7 · 29440c7
1 parent 4cd0da2
commit 29440c7
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 5 deletions.
diff --git a/src/internal/packager/create.go b/src/internal/packager/create.go
@@ -53,7 +53,7 @@ func Create() {
 		// Load seed images into their own happy little tarball for ease of import on init
 		pulledImages := images.PullAll([]string{seedImage}, tempPath.seedImage)
 		_ = utils.CreateDirectory(tempPath.sboms, 0700)
-		sbom.CatalogImages(pulledImages, tempPath.sboms)
+		sbom.CatalogImages(pulledImages, tempPath.sboms, tempPath.seedImage)
 	}
 
 	var combinedImageList []string
@@ -68,7 +68,7 @@ func Create() {
 		uniqueList := removeDuplicates(combinedImageList)
 		pulledImages := images.PullAll(uniqueList, tempPath.images)
 		_ = utils.CreateDirectory(tempPath.sboms, 0700)
-		sbom.CatalogImages(pulledImages, tempPath.sboms)
+		sbom.CatalogImages(pulledImages, tempPath.sboms, tempPath.images)
 	}
 
 	_ = os.RemoveAll(packageName)

diff --git a/src/internal/sbom/catalog.go b/src/internal/sbom/catalog.go
@@ -10,11 +10,12 @@ import (
 	"github.com/defenseunicorns/zarf/src/internal/message"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/tarball"
 	"github.com/testifysec/witness/pkg/attestation"
 	"github.com/testifysec/witness/pkg/attestation/syft"
 )
 
-func CatalogImages(tagToImage map[name.Tag]v1.Image, sbomDir string) {
+func CatalogImages(tagToImage map[name.Tag]v1.Image, sbomDir, tarPath string) {
 	imageCount := len(tagToImage)
 	spinner := message.NewProgressSpinner("Creating SBOMs for %d images.", imageCount)
 	defer spinner.Stop()
@@ -26,9 +27,14 @@ func CatalogImages(tagToImage map[name.Tag]v1.Image, sbomDir string) {
 
 	cachePath := images.CachePath()
 	currImage := 1
-	for tag, img := range tagToImage {
+	for tag := range tagToImage {
 		spinner.Updatef("Creating image SBOMs (%d of %d): %s", currImage, imageCount, tag)
-		sbomAttestor := syft.New(syft.WithImageSource(img, cachePath, tag.String()))
+		tarballImg, err := tarball.ImageFromPath(tarPath, &tag)
+		if err != nil {
+			spinner.Fatalf(err, "Unable to open image %s", tag.String())
+		}
+
+		sbomAttestor := syft.New(syft.WithImageSource(tarballImg, cachePath, tag.String()))
 		if err := sbomAttestor.Attest(actx); err != nil {
 			spinner.Fatalf(err, "Unable to build sbom for image %s", tag.String())
 		}