chainguard-dev · wlynch · Jan 8, 2026 · Jan 8, 2026
diff --git a/pkg/build/sbom.go b/pkg/build/sbom.go
@@ -125,7 +125,7 @@ func (bc *Context) GenerateImageSBOM(ctx context.Context, arch types.Architectur
 	s.ImageInfo.Arch = arch
 
 	var sboms = make([]types.SBOM, 0)
-	generators := generator.Generators(bc.fs)
+	generators := generator.Generators()
 	for _, format := range s.Formats {
 		gen, ok := generators[format]
 		if !ok {
@@ -238,7 +238,7 @@ func GenerateIndexSBOM(ctx context.Context, o options.Options, ic types.ImageCon
 		return archs[i].String() < archs[j].String()
 	})
 
-	generators := generator.Generators(nil)
+	generators := generator.Generators()
 	var sboms = make([]types.SBOM, 0, len(generators))
 	for _, format := range s.Formats {
 		gen, ok := generators[format]

diff --git a/pkg/sbom/generator/generator.go b/pkg/sbom/generator/generator.go
@@ -17,8 +17,6 @@ package generator
 import (
 	"context"
 
-	apkfs "chainguard.dev/apko/pkg/apk/fs"
-
 	"chainguard.dev/apko/pkg/sbom/generator/spdx"
 	"chainguard.dev/apko/pkg/sbom/options"
 )
@@ -30,11 +28,11 @@ type Generator interface {
 	GenerateIndex(*options.Options, string) error
 }
 
-func Generators(fsys apkfs.FullFS) map[string]Generator {
+func Generators() map[string]Generator {
 	generators := map[string]Generator{}
 
-	sx := spdx.New(fsys)
-	generators[sx.Key()] = &sx
+	sx := spdx.New()
+	generators[sx.Key()] = sx
 
 	return generators
 }
diff --git a/pkg/sbom/generator/spdx/spdx.go b/pkg/sbom/generator/spdx/spdx.go
@@ -46,11 +46,10 @@ const (
 )
 
 type SPDX struct {
-	fs apkfs.FullFS
 }
 
-func New(fs apkfs.FullFS) SPDX {
-	return SPDX{fs}
+func New() *SPDX {
+	return &SPDX{}
 }
 
 func (sx *SPDX) Key() string {
@@ -198,7 +197,7 @@ func locateApkSBOM(fsys apkfs.FullFS, ipkg *apk.InstalledPackage) (string, error
 
 func (sx *SPDX) ProcessInternalApkSBOM(opts *options.Options, doc *Document, ipkg *apk.InstalledPackage) error {
 	// Check if apk installed an SBOM
-	path, err := locateApkSBOM(sx.fs, ipkg)
+	path, err := locateApkSBOM(opts.FS, ipkg)
 	if err != nil {
 		return fmt.Errorf("inspecting FS for internal apk SBOM: %w", err)
 	}
@@ -333,7 +332,7 @@ func mergeLicensingInfos(sourceDoc, targetDoc *Document) error {
 // ParseInternalSBOM opens an SBOM inside apks and
 func (sx *SPDX) ParseInternalSBOM(opts *options.Options, path string) (*Document, error) {
 	internalSBOM := &Document{}
-	data, err := sx.fs.ReadFile(path)
+	data, err := opts.FS.ReadFile(path)
 	if err != nil {
 		return nil, fmt.Errorf("opening sbom file %s: %w", path, err)
 	}

diff --git a/pkg/sbom/generator/spdx/spdx_test.go b/pkg/sbom/generator/spdx/spdx_test.go
@@ -33,43 +33,45 @@ import (
 	"chainguard.dev/apko/pkg/sbom/options"
 )
 
-// TODO: clean this up and make consistent with the other test cases
-var testOpts = &options.Options{
-	ImageInfo: options.ImageInfo{
-		Layers: []v1.Descriptor{{}},
-	},
-	OS: options.OSInfo{
-		Name:    "unknown",
-		ID:      "unknown",
-		Version: "3.0",
-	},
-	FileName: "sbom",
-	Packages: []*apk.InstalledPackage{
-		{
-			Package: apk.Package{
-				Name:        "musl",
-				Version:     "1.2.2-r7",
-				Arch:        "x86_64",
-				Description: "the musl c library (libc) implementation",
-				License:     "MIT",
-				Origin:      "musl",
-				Maintainer:  "Pkg Author <[email protected]>",
-				Checksum: []byte{
-					0xd, 0xe6, 0xf4, 0x8c, 0xdc, 0xad, 0x92, 0xb8, 0xcf, 0x5b,
-					0x83, 0x7f, 0x78, 0xa2, 0xd9, 0xe3, 0x70, 0x70, 0x3a, 0x5c,
+func testOpts(fsys apkfs.FullFS) *options.Options {
+	return &options.Options{
+		FS: fsys,
+		ImageInfo: options.ImageInfo{
+			Layers: []v1.Descriptor{{}},
+		},
+		OS: options.OSInfo{
+			Name:    "unknown",
+			ID:      "unknown",
+			Version: "3.0",
+		},
+		FileName: "sbom",
+		Packages: []*apk.InstalledPackage{
+			{
+				Package: apk.Package{
+					Name:        "musl",
+					Version:     "1.2.2-r7",
+					Arch:        "x86_64",
+					Description: "the musl c library (libc) implementation",
+					License:     "MIT",
+					Origin:      "musl",
+					Maintainer:  "Pkg Author <[email protected]>",
+					Checksum: []byte{
+						0xd, 0xe6, 0xf4, 0x8c, 0xdc, 0xad, 0x92, 0xb8, 0xcf, 0x5b,
+						0x83, 0x7f, 0x78, 0xa2, 0xd9, 0xe3, 0x70, 0x70, 0x3a, 0x5c,
+					},
 				},
 			},
 		},
-	},
+	}
 }
 
-// TODO: clean this up and make consistent with the other test cases
 func TestGenerate(t *testing.T) {
 	dir := t.TempDir()
 	fsys := apkfs.NewMemFS()
-	sx := New(fsys)
-	path := filepath.Join(dir, testOpts.FileName+"."+sx.Ext())
-	err := sx.Generate(t.Context(), testOpts, path)
+	opts := testOpts(fsys)
+	sx := New()
+	path := filepath.Join(dir, opts.FileName+"."+sx.Ext())
+	err := sx.Generate(t.Context(), opts, path)
 	require.NoError(t, err)
 	require.FileExists(t, path)
 }
@@ -234,6 +236,7 @@ func TestSPDX_Generate(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			fsys := apkfs.NewMemFS()
+			tt.opts.FS = fsys
 			sbomDir := path.Join("var", "lib", "db", "sbom")
 			err := fsys.MkdirAll(sbomDir, 0750)
 			require.NoError(t, err)
@@ -249,7 +252,7 @@ func TestSPDX_Generate(t *testing.T) {
 				require.NoError(t, err)
 			}
 
-			sx := New(fsys)
+			sx := New()
 			imageSBOMName := fmt.Sprintf("%s.spdx.json", tt.name)
 			imageSBOMDestPath := filepath.Join(t.TempDir(), imageSBOMName)
 			err = sx.Generate(t.Context(), tt.opts, imageSBOMDestPath)
@@ -292,11 +295,12 @@ func TestReproducible(t *testing.T) {
 	// they are identical
 	dir := t.TempDir()
 	fsys := apkfs.NewMemFS()
-	sx := New(fsys)
+	opts := testOpts(fsys)
+	sx := New()
 	d := [][]byte{}
 	for i := range 2 {
 		path := filepath.Join(dir, fmt.Sprintf("sbom%d.%s", i, sx.Ext()))
-		require.NoError(t, sx.Generate(t.Context(), testOpts, path))
+		require.NoError(t, sx.Generate(t.Context(), opts, path))
 		require.FileExists(t, path)
 		data, err := os.ReadFile(path)
 		require.NoError(t, err)
@@ -317,9 +321,10 @@ func TestValidateSPDX(t *testing.T) {
 	}
 	dir := t.TempDir()
 	fsys := apkfs.NewMemFS()
-	sx := New(fsys)
-	path := filepath.Join(dir, testOpts.FileName+"."+sx.Ext())
-	err := sx.Generate(t.Context(), testOpts, path)
+	opts := testOpts(fsys)
+	sx := New()
+	path := filepath.Join(dir, opts.FileName+"."+sx.Ext())
+	err := sx.Generate(t.Context(), opts, path)
 	require.NoError(t, err)
 	require.FileExists(t, path)
 	require.NoError(t, command.New(

diff --git a/pkg/sbom/options/options.go b/pkg/sbom/options/options.go
@@ -16,7 +16,6 @@ package options
 
 import (
 	"fmt"
-	"io/fs"
 	"net/url"
 	"path/filepath"
 	"sort"
@@ -28,6 +27,7 @@ import (
 	purl "github.com/package-url/packageurl-go"
 
 	"chainguard.dev/apko/pkg/apk/apk"
+	"chainguard.dev/apko/pkg/apk/fs"
 	"chainguard.dev/apko/pkg/build/types"
 )
 
@@ -37,7 +37,7 @@ type Options struct {
 	ImageInfo ImageInfo
 
 	// Working directory,inherited from build context
-	FS fs.FS
+	FS fs.FullFS
 
 	// The reference of the generated image. Used for naming and purls
 	ImageReference string