fix: make SBOM generation work in a multi-step build

Also make CLI sample automatically find SBOM step as well.

Fix Pkgfile path in the comments.

Signed-off-by: Dmitrii Sharshakov <[email protected]>

Author: dsseng

cmd/bldr/cmd/sbom.go

@@ -41,7 +41,16 @@ and outputs a Software Bill of Materials (SBOM) for it in SPDX format.
 
 		pkg := graph.Root.Pkg
 
-		sbomDoc, err := sbom.CreatePackageSBOM(pkg)
+		sbomMetadata := pkg.Steps[0].SBOM
+		for _, step := range pkg.Steps {
+			if step.SBOM.OutputPath != "" {
+				sbomMetadata = step.SBOM
+
+				break
+			}
+		}
+
+		sbomDoc, err := sbom.CreatePackageSBOM(pkg, sbomMetadata)
 		if err != nil {
 			log.Fatalf("failed to create SBOM for package %q: %v", pkg.Name, err)
 		}

internal/pkg/convert/node.go

@@ -344,7 +344,7 @@ func (node *NodeLLB) stepSBOM(root llb.State, step v1alpha2.Step) llb.State {
 		return root
 	}
 
-	sbomDoc, err := sbom.CreatePackageSBOM(node.Pkg)
+	sbomDoc, err := sbom.CreatePackageSBOM(node.Pkg, step.SBOM)
 	if err != nil {
 		return root
 	}

internal/pkg/integration/testdata/sbom/final/ref.json

@@ -3,7 +3,7 @@
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sidero-pkgs-pkg",
- "documentNamespace": "https://anchore.com/bldr/dir/sidero-pkgs-pkg-a8cdf0e2-4206-53f6-8d4e-0aa423d0c72c",
+ "documentNamespace": "https://anchore.com/bldr/dir/sidero-pkgs-pkg-fc5b1a23-fa78-5de5-ba21-bb3ed393d708",
  "creationInfo": {
   "licenseListVersion": "3.25",
   "creators": [
@@ -15,12 +15,12 @@
  "packages": [
   {
    "name": "pkg",
-   "SPDXID": "SPDXRef-Package-bldr-package-pkg-aa88761304262ca3",
+   "SPDXID": "SPDXRef-Package-bldr-package-pkg-b34b3a9a3be1820f",
    "versionInfo": "2.1.2",
    "supplier": "NOASSERTION",
    "downloadLocation": "NOASSERTION",
    "filesAnalyzed": false,
-   "sourceInfo": "acquired package info from the following paths: //pkg/Pkgfile",
+   "sourceInfo": "acquired package info from the following paths: /Pkgfile",
    "licenseConcluded": "NOASSERTION",
    "licenseDeclared": "Apache-2.0",
    "copyrightText": "NOASSERTION",
@@ -53,7 +53,7 @@
  "relationships": [
   {
    "spdxElementId": "SPDXRef-DocumentRoot-Directory-sidero-pkgs-pkg",
-   "relatedSpdxElement": "SPDXRef-Package-bldr-package-pkg-aa88761304262ca3",
+   "relatedSpdxElement": "SPDXRef-Package-bldr-package-pkg-b34b3a9a3be1820f",
    "relationshipType": "CONTAINS"
   },
   {

internal/pkg/sbom/sbom.go

@@ -65,10 +65,7 @@ func addPkgSources(sbomDoc *sbom.SBOM, bldrPkg *v1alpha2.Pkg, syftPkg pkg.Packag
 }
 
 // CreatePackageSBOM populates an SBOM document with data from the provided package.
-func CreatePackageSBOM(bldrPkg *v1alpha2.Pkg) (*sbom.SBOM, error) {
-	// Sample. Actually we would get metadata when instructed to generate SBOM
-	sbomMetadata := bldrPkg.Steps[0].SBOM
-
+func CreatePackageSBOM(bldrPkg *v1alpha2.Pkg, sbomMetadata v1alpha2.SBOMStep) (*sbom.SBOM, error) {
 	cpes, err := parseCPEs(sbomMetadata.CPEs)
 	if err != nil {
 		return nil, err
@@ -99,7 +96,7 @@ func CreatePackageSBOM(bldrPkg *v1alpha2.Pkg) (*sbom.SBOM, error) {
 		Type:    pkg.Type("bldr-package"),
 		FoundBy: "bldr",
 		Locations: file.NewLocationSet(
-			file.NewLocation("/" + bldrPkg.BaseDir + "/Pkgfile"),
+			file.NewLocation("/Pkgfile"),
 		),
 		CPEs:     cpes,
 		Licenses: pkg.NewLicenseSet(pkg.NewLicensesFromValues(sbomMetadata.Licenses...)...),