fix(sbom): deduplicate SBOM packages by ID #1366

luhring · 2024-10-24T19:29:52Z

In chainguard-dev/melange#1474, we updated our SBOMs to have distinct SPDX packages for the APK itself, vs. the build config used to produce it, vs. the upstream source(s) pulled in for the build. This helps us produce more idiomatic and descriptive SPDX data.

But this caused a problem downstream in apko — when we aggregate APKs' SBOMs, and specifically their SPDX packages, into a single list of SPDX packages for the image, we end up with duplicate package IDs when multiple APKs were build from the same build config or the same upstream source.

This PR adds tests to catch this case, and it fixes the duplicate package issue by dropping subsequent instances of a given package ID.

It also further improves on the existing SBOM-related tests.

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

jdolitsky · 2024-10-24T19:36:17Z

pkg/sbom/generator/spdx/spdx.go

@@ -137,6 +138,18 @@ func (sx *SPDX) Generate(opts *options.Options, path string) error {
 		}
 	}

+	dedupedPackages := make([]Package, 0, len(doc.Packages))
+	seenIDs := make(map[string]struct{})


fix(sbom): deduplicate SBOM packages by ID

a016065

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

jdolitsky reviewed Oct 24, 2024

View reviewed changes

jdolitsky approved these changes Oct 24, 2024

View reviewed changes

luhring merged commit 395e822 into chainguard-dev:main Oct 24, 2024
24 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(sbom): deduplicate SBOM packages by ID #1366

fix(sbom): deduplicate SBOM packages by ID #1366

luhring commented Oct 24, 2024

jdolitsky Oct 24, 2024

fix(sbom): deduplicate SBOM packages by ID #1366

fix(sbom): deduplicate SBOM packages by ID #1366

Conversation

luhring commented Oct 24, 2024

jdolitsky Oct 24, 2024

Choose a reason for hiding this comment