
Commit ea90853

committed
fix: addressed review comments
1 parent 17f506e commit ea90853


1 file changed

+14
-8
lines changed


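--- a/publish-image/action.yml
+++ b/publish-image/action.yml
@@ -109,14 +109,20 @@ runs:
 # Extract the digest from the image repo digest (right side of '@')
 DIGEST=${IMAGE_REPO_DIGEST#*@}
 
-# Construct the package url (purl)
-URLENCODED_DIGEST=$(echo "$DIGEST" | sed 's/:/%3A/g')
-URLENCODED_IMAGE_REPOSITORY=$(echo "$IMAGE_REPOSITORY" | sed 's/\//%2F/g')
+# URL encode the digest and image repository, needed for the purl
+URLENCODED_DIGEST=$(echo "$DIGEST" | jq -Rr @uri)
+URLENCODED_IMAGE_REPOSITORY=$(echo "$IMAGE_REPOSITORY" | jq -Rr @uri)
 # Last item, split by /
-IMAGE_NAME=$(echo "$IMAGE_REPOSITORY" | awk -F'/' '{print $NF}')
-# Obtain architecture from container image
-ARCH=$(docker inspect --format='{{index .Architecture}}' "${IMAGE_REPO_DIGEST}")
-PURL="pkg:oci/$IMAGE_NAME@$URLENCODED_DIGEST?arch=${ARCH}&repository_url=${REGISTRY_URI}%2F${URLENCODED_IMAGE_REPOSITORY}"
+# Example: sdp/kafka -> kafka
+SOURCE_NAME=$(echo "$IMAGE_REPOSITORY" | awk -F'/' '{print $NF}')
+# Extract architecture from image tag
+ARCH=$(echo "$IMAGE_MANIFEST_TAG" | awk -F'-' '{print $NF}')
+if [ "$ARCH" != "amd64" ] && [ "$ARCH" != "arm64" ]; then
+echo "Invalid architecture obtained from image tag. IMAGE_MANIFEST_TAG: $IMAGE_MANIFEST_TAG, ARCH: $ARCH"
+exit 1
+fi
+# Construct the package url (purl)
+PURL="pkg:oci/$SOURCE_NAME@$URLENCODED_DIGEST?arch=${ARCH}&repository_url=${REGISTRY_URI}%2F${URLENCODED_IMAGE_REPOSITORY}"
 
 # Get metadata from the image
 # NOTE (@Techassi): Maybe we should run this command only once
@@ -128,7 +134,7 @@ runs:
 --output [email protected]=sbom_raw.json \
 --select-catalogers "-cargo-auditable-binary-cataloger,+sbom-cataloger" \
 --scope all-layers \
---source-name "$IMAGE_NAME" \
+--source-name "$SOURCE_NAME" \
 --source-version "$IMAGE_MANIFEST_TAG" "${IMAGE_REPO_DIGEST}"
 
 # Merge SBOM components using https://github.com/stackabletech/mergebom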
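Review bot: The `arch` qualifier in the purl is no longer checked against the image: new line 119 takes it from the last `-`-separated field of `IMAGE_MANIFEST_TAG`, so the SBOM records what the tag claims rather than what the image at `IMAGE_REPO_DIGEST` contains. The allowlist on new lines 120-123 rejects a malformed tag but cannot catch a tag whose suffix disagrees with the image. If an earlier step of this action always generates the tag (not visible in the hunk), the comment on new line 118 should state that assumption, for example `# ARCH is read from the tag suffix, not from the image; relies on the tag being generated by this workflow`. The failure message on new line 121 would also be better sent to stderr by appending `>&2` to the `echo`. The `runs:` step starts and ends outside the hunk.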
