tmp docker

corneliusludmann · corneliusludmann · commit 2273281f4b80 · 2025-04-02T19:34:04.000Z
diff --git a/pkg/leeway/sbom.go b/pkg/leeway/sbom.go
@@ -77,17 +77,27 @@ func writeSBOM(p *Package, buildctx *buildContext, builddir string) (err error)
 		return nil
 	}
 
-	// Get the source for SBOM generation
-	src, err := syft.GetSource(context.Background(), builddir, nil)
-	if err != nil {
-		return xerrors.Errorf("failed to get source for SBOM generation: %w", err)
-	}
-
 	// Create SBOM configuration
 	cfg := syft.DefaultCreateSBOMConfig()
 
-	// Generate the SBOM
-	s, err := syft.CreateSBOM(context.Background(), src, cfg)
+	// Get the source for SBOM generation based on package type
+	var s *sbom.SBOM
+	if p.Type == DockerPackage {
+		s, err = generateDockerSBOM(p, buildctx, builddir, cfg)
+	} else {
+		// For non-Docker packages, use the standard approach
+		src, err := syft.GetSource(context.Background(), builddir, nil)
+		if err != nil {
+			return xerrors.Errorf("failed to get source for SBOM generation: %w", err)
+		}
+
+		// Generate the SBOM
+		s, err = syft.CreateSBOM(context.Background(), src, cfg)
+		if err != nil {
+			return xerrors.Errorf("failed to create SBOM: %w", err)
+		}
+	}
+
 	if err != nil {
 		return xerrors.Errorf("failed to create SBOM: %w", err)
 	}
@@ -123,6 +133,61 @@ func writeSBOM(p *Package, buildctx *buildContext, builddir string) (err error)
 	return nil
 }
 
+// generateDockerSBOM generates an SBOM specifically for Docker packages
+func generateDockerSBOM(p *Package, buildctx *buildContext, builddir string, cfg interface{}) (*sbom.SBOM, error) {
+	// We need to use the same configuration type as returned by syft.DefaultCreateSBOMConfig()
+	// Based on the error message, we need to use *syft.CreateSBOMConfig
+	sbomConfig, ok := cfg.(*syft.CreateSBOMConfig)
+	if !ok {
+		return nil, xerrors.Errorf("invalid SBOM configuration type")
+	}
+
+	// Check if this is a Docker package with specified image names (pushed to registry)
+	dockerCfg, ok := p.Config.(DockerPkgConfig)
+	if !ok {
+		return nil, xerrors.Errorf("package should have Docker config")
+	}
+
+	// Get the version which is used as the image tag during build
+	version, err := p.Version()
+	if err != nil {
+		return nil, xerrors.Errorf("failed to get package version: %w", err)
+	}
+
+	if len(dockerCfg.Image) > 0 {
+		// For pushed Docker images, analyze the image directly before it's pushed
+		buildctx.Reporter.PackageBuildLog(p, false, []byte("Generating SBOM from Docker image\n"))
+
+		// Use the daemon source to analyze the Docker image directly
+		src, err := syft.GetSource(context.Background(), "docker:"+version, nil)
+		if err != nil {
+			return nil, xerrors.Errorf("failed to get Docker image source for SBOM generation: %w", err)
+		}
+
+		// Generate the SBOM from the Docker image
+		return syft.CreateSBOM(context.Background(), src, sbomConfig)
+	} else {
+		// For non-pushed Docker images, use the extracted container filesystem
+		containerDir := filepath.Join(builddir, "container", "content")
+
+		// Check if the container directory exists
+		if _, err := os.Stat(containerDir); os.IsNotExist(err) {
+			return nil, xerrors.Errorf("container directory not found at %s: %w", containerDir, err)
+		}
+
+		buildctx.Reporter.PackageBuildLog(p, false, []byte(fmt.Sprintf("Generating SBOM from extracted container filesystem at %s\n", containerDir)))
+
+		// Use the directory source to analyze the extracted container filesystem
+		src, err := syft.GetSource(context.Background(), containerDir, nil)
+		if err != nil {
+			return nil, xerrors.Errorf("failed to get container filesystem source for SBOM generation: %w", err)
+		}
+
+		// Generate the SBOM from the extracted container filesystem
+		return syft.CreateSBOM(context.Background(), src, sbomConfig)
+	}
+}
+
 // getSBOMEncoder returns the appropriate encoder and file extension for the given SBOM format
 func getSBOMEncoder(format string) (encoder sbom.FormatEncoder, fileExtension string, err error) {
 	switch format {
