chore: merge SBOM packages and remove old SBOM's

cezar-r · cezar-r · commit e964ba450601 · 2025-09-23T23:14:12.000Z
diff --git a/twoliter/embedded/rpm2img b/twoliter/embedded/rpm2img
@@ -256,6 +256,16 @@ printf "%s\n" "${INVENTORY_DATA}" >"${ROOT_MOUNT}/usr/share/bottlerocket/applica
 # can access the inventory without needed to dig into the generated image.
 printf "%s\n" "${INVENTORY_DATA}" >"${OUTPUT_DIR}/application-inventory.json"
 
+# Merge SBOM's into a single json file
+KIT_SBOMS_DIR="${ROOT_MOUNT}/usr/share/sboms"
+IMAGE_SBOM_DIR="${ROOT_MOUNT}/usr/share/bottlerocket/sbom"
+mkdir -p "${IMAGE_SBOM_DIR}"
+for format in "spdx" "cyclonedx"; do
+  find "${KIT_SBOMS_DIR}" -name "*-${format}.json" -type f -exec sbomtool merge --output "${IMAGE_SBOM_DIR}/image-${format}.json" {} \+
+done
+# Clean up old SBOM packages
+rm -rf "${KIT_SBOMS_DIR}"
+
 # Regenerate module dependencies, if possible.
 KMOD_DIR="${ROOT_MOUNT}/lib/modules"
 # First decompress the kernel modules, so they can be recompressed by EROFS.
