chore: merge SBOM packages and remove old SBOM's

cezar-r · cezar-r · commit d289cc82e8b5 · 2025-09-24T17:55:13.000Z
diff --git a/twoliter/embedded/rpm2img b/twoliter/embedded/rpm2img
@@ -256,6 +256,19 @@ printf "%s\n" "${INVENTORY_DATA}" >"${ROOT_MOUNT}/usr/share/bottlerocket/applica
 # can access the inventory without needed to dig into the generated image.
 printf "%s\n" "${INVENTORY_DATA}" >"${OUTPUT_DIR}/application-inventory.json"
 
+# Merge SBOM's into a single json file
+KIT_SBOMS_DIR="${ROOT_MOUNT}/usr/share/sboms"
+# Only process SBOMs if the directory exists.
+if [ -d "${KIT_SBOMS_DIR}" ]; then
+  IMAGE_SBOM_DIR="${ROOT_MOUNT}/usr/share/bottlerocket/sbom"
+  mkdir -p "${IMAGE_SBOM_DIR}"
+  for format in "spdx" "cyclonedx"; do
+    find "${KIT_SBOMS_DIR}" -name "*-${format}.json" -type f -exec sbomtool merge --output "${IMAGE_SBOM_DIR}/image-${format}.json" {} \+
+  done
+  # Clean up old SBOM packages
+  rm -rf "${KIT_SBOMS_DIR}"
+fi
+
 # Regenerate module dependencies, if possible.
 KMOD_DIR="${ROOT_MOUNT}/lib/modules"
 # First decompress the kernel modules, so they can be recompressed by EROFS.
