From 9f8c03d1fdae8cc8b55569d57a82770d8f65b5c1 Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Thu, 17 Oct 2024 10:25:47 +0200
Subject: [PATCH 1/6] fix: make PURLs use oci type
---
 publish-image/action.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/publish-image/action.yml b/publish-image/action.yml
index 4564812..fa6af8b 100644
--- a/publish-image/action.yml
+++ b/publish-image/action.yml
@@ -110,8 +110,13 @@ runs:
 DIGEST=${IMAGE_REPO_DIGEST#*@}
 # Construct the package url (purl)
- # TODO (@Techassi): Can we use 'oci' instead of 'docker' as the type?
- PURL="pkg:docker/$IMAGE_REPOSITORY@$DIGEST?repository_url=$REGISTRY_URI"
+ URLENCODED_DIGEST=$(echo "$DIGEST" | sed 's/:/%3A/g')
+ URLENCODED_IMAGE_REPOSITORY=$(echo "$IMAGE_REPOSITORY" | sed 's/\//%2F/g')
+ # Last item, split by /
+ IMAGE_NAME=$(echo "$IMAGE_REPOSITORY" | awk -F'/' '{print $NF}')
+ # Obtain architecture from container image
+ ARCH=$(docker inspect --format='{{index .Architecture}}' "${IMAGE_REPO_DIGEST}")
+ PURL="pkg:oci/$IMAGE_NAME@$URLENCODED_DIGEST?arch=${ARCH}&repository_url=${REGISTRY_URI}%2F${URLENCODED_IMAGE_REPOSITORY}"
 # Get metadata from the image
 # NOTE (@Techassi): Maybe we should run this command only once
From 17f506e9d5908589acc60234dd7dee81966e0fc2 Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Fri, 18 Oct 2024 11:08:56 +0200
Subject: [PATCH 2/6] fix: use product name as source name in syft / SBOMs
---
 publish-image/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/publish-image/action.yml b/publish-image/action.yml
index fa6af8b..e85f000 100644
--- a/publish-image/action.yml
+++ b/publish-image/action.yml
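Review bot: `repository_url=${REGISTRY_URI}%2F${URLENCODED_IMAGE_REPOSITORY}` percent-encodes the slashes inside the repository path, whereas the purl spec's `oci` examples write this qualifier with the slashes left as-is (e.g. `repository_url=docker.io/library/debian`); both decode to the same string, but a consumer that matches purls textually rather than after decoding would treat them as different, so the encoded form is worth confirming against the spec and against whatever downstream tool consumes the SBOM. The same PURL line is rewritten in the hunks of [PATCH 3/6], [PATCH 4/6] and [PATCH 6/6] and keeps the `%2F`. Separately, `IMAGE_NAME=$(echo "$IMAGE_REPOSITORY" | awk -F'/' '{print $NF}')` spawns a pipeline for what parameter expansion does in-process, `IMAGE_NAME=${IMAGE_REPOSITORY##*/}`. The enclosing `run:` step begins and ends outside the hunk.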
@@ -128,7 +128,7 @@ runs:
 --output cyclonedx-json@1.5=sbom_raw.json \
 --select-catalogers "-cargo-auditable-binary-cataloger,+sbom-cataloger" \
 --scope all-layers \
- --source-name "$IMAGE_REPOSITORY" \
+ --source-name "$IMAGE_NAME" \
 --source-version "$IMAGE_MANIFEST_TAG" "${IMAGE_REPO_DIGEST}"
 # Merge SBOM components using https://github.com/stackabletech/mergebom
From ea90853a10e7b3ee08e38b1bff9e7c7e0929f12b Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Mon, 21 Oct 2024 09:37:59 +0200
Subject: [PATCH 3/6] fix: addressed review comments
---
 publish-image/action.yml | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/publish-image/action.yml b/publish-image/action.yml
index e85f000..7fdb536 100644
--- a/publish-image/action.yml
+++ b/publish-image/action.yml
@@ -109,14 +109,20 @@ runs:
 # Extract the digest from the image repo digest (right side of '@')
 DIGEST=${IMAGE_REPO_DIGEST#*@}
- # Construct the package url (purl)
- URLENCODED_DIGEST=$(echo "$DIGEST" | sed 's/:/%3A/g')
- URLENCODED_IMAGE_REPOSITORY=$(echo "$IMAGE_REPOSITORY" | sed 's/\//%2F/g')
+ # URL encode the digest and image repository, needed for the purl
+ URLENCODED_DIGEST=$(echo "$DIGEST" | jq -Rr @uri)
+ URLENCODED_IMAGE_REPOSITORY=$(echo "$IMAGE_REPOSITORY" | jq -Rr @uri)
 # Last item, split by /
- IMAGE_NAME=$(echo "$IMAGE_REPOSITORY" | awk -F'/' '{print $NF}')
- # Obtain architecture from container image
- ARCH=$(docker inspect --format='{{index .Architecture}}' "${IMAGE_REPO_DIGEST}")
- PURL="pkg:oci/$IMAGE_NAME@$URLENCODED_DIGEST?arch=${ARCH}&repository_url=${REGISTRY_URI}%2F${URLENCODED_IMAGE_REPOSITORY}"
+ # Example: sdp/kafka -> kafka
+ SOURCE_NAME=$(echo "$IMAGE_REPOSITORY" | awk -F'/' '{print $NF}')
+ # Extract architecture from image tag
+ ARCH=$(echo "$IMAGE_MANIFEST_TAG" | awk -F'-' '{print $NF}')
+ if [ "$ARCH" != "amd64" ] && [ "$ARCH" != "arm64" ]; then
+ echo "Invalid architecture obtained from image tag. IMAGE_MANIFEST_TAG: $IMAGE_MANIFEST_TAG, ARCH: $ARCH"
+ exit 1
+ fi
+ # Construct the package url (purl)
+ PURL="pkg:oci/$SOURCE_NAME@$URLENCODED_DIGEST?arch=${ARCH}&repository_url=${REGISTRY_URI}%2F${URLENCODED_IMAGE_REPOSITORY}"
 # Get metadata from the image
 # NOTE (@Techassi): Maybe we should run this command only once
@@ -128,7 +134,7 @@ runs:
 --output cyclonedx-json@1.5=sbom_raw.json \
 --select-catalogers "-cargo-auditable-binary-cataloger,+sbom-cataloger" \
 --scope all-layers \
- --source-name "$IMAGE_NAME" \
+ --source-name "$SOURCE_NAME" \
 --source-version "$IMAGE_MANIFEST_TAG" "${IMAGE_REPO_DIGEST}"
 # Merge SBOM components using https://github.com/stackabletech/mergebom
From e3c41b6b6ea1f0b229195b6911afa46fa55bd281 Mon Sep 17 00:00:00 2001
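Review bot: The failure message inside the new `if [ "$ARCH" != "amd64" ] && [ "$ARCH" != "arm64" ]` block is echoed to stdout, so it is mixed into the step's normal output instead of being reported as an error; write it as `echo "Invalid architecture obtained from image tag. IMAGE_MANIFEST_TAG: $IMAGE_MANIFEST_TAG, ARCH: $ARCH" >&2`. The allow-list itself is the right approach, because `$ARCH` is interpolated into the purl without encoding and a tag suffix containing `&` or `=` would otherwise turn into an extra qualifier. `$DIGEST` gets no comparable check: the context line `DIGEST=${IMAGE_REPO_DIGEST#*@}` yields the entire input when it contains no `@`, and the oci purl version is expected to be a `sha256:<hex>` digest, so a guard that `$DIGEST` starts with `sha256:` (failing to stderr with `exit 1` like the arch check) would stop the step before a malformed purl is published. `ARCH=$(echo "$IMAGE_MANIFEST_TAG" | awk -F'-' '{print $NF}')` can be `ARCH=${IMAGE_MANIFEST_TAG##*-}` with no subprocess. The enclosing `run:` step begins and ends outside the hunk.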
From: dervoeti
Date: Mon, 21 Oct 2024 10:49:52 +0200
Subject: [PATCH 4/6] fix: addressed comments from @NickLarsenNZ
---
 publish-image/action.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/publish-image/action.yml b/publish-image/action.yml
index 7fdb536..a29657b 100644
--- a/publish-image/action.yml
+++ b/publish-image/action.yml
@@ -110,8 +110,8 @@ runs:
 DIGEST=${IMAGE_REPO_DIGEST#*@}
 # URL encode the digest and image repository, needed for the purl
- URLENCODED_DIGEST=$(echo "$DIGEST" | jq -Rr @uri)
- URLENCODED_IMAGE_REPOSITORY=$(echo "$IMAGE_REPOSITORY" | jq -Rr @uri)
+ URLENCODED_DIGEST=$(jq -rn --arg input "$DIGEST" '$input | @uri')
+ URLENCODED_IMAGE_REPOSITORY=$(jq -rn --arg input "$IMAGE_REPOSITORY" '$input | @uri')
 # Last item, split by /
 # Example: sdp/kafka -> kafka
 SOURCE_NAME=$(echo "$IMAGE_REPOSITORY" | awk -F'/' '{print $NF}')
@@ -122,7 +122,7 @@ runs:
 exit 1
 fi
 # Construct the package url (purl)
- PURL="pkg:oci/$SOURCE_NAME@$URLENCODED_DIGEST?arch=${ARCH}&repository_url=${REGISTRY_URI}%2F${URLENCODED_IMAGE_REPOSITORY}"
+ PURL="pkg:oci/{$SOURCE_NAME}@{$URLENCODED_DIGEST}?arch=${ARCH}&repository_url=${REGISTRY_URI}%2F${URLENCODED_IMAGE_REPOSITORY}"
 # Get metadata from the image
 # NOTE (@Techassi): Maybe we should run this command only once
From 0347d7df14fb93b6d60e079dcbaf9c0d64bef263 Mon Sep 17 00:00:00 2001
From: dervoeti
Date: Tue, 22 Oct 2024 15:13:15 +0200
Subject: [PATCH 5/6] chore: removed unnecessary curly braces
---
 publish-image/action.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/publish-image/action.yml b/publish-image/action.yml
index a29657b..b0203f4 100644
--- a/publish-image/action.yml
+++ b/publish-image/action.yml
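Review bot: `pkg:oci/{$SOURCE_NAME}@{$URLENCODED_DIGEST}` in the second hunk of this patch puts the braces outside the `$`, so they are emitted literally and the purl comes out as, for example, `pkg:oci/{kafka}@{sha256%3A...}` (constructed from the `sdp/kafka -> kafka` comment); the intended line is `PURL="pkg:oci/${SOURCE_NAME}@${URLENCODED_DIGEST}?arch=${ARCH}&repository_url=${REGISTRY_URI}%2F${URLENCODED_IMAGE_REPOSITORY}"`, which is what [PATCH 6/6] later in this series applies. The `jq -rn --arg input "$DIGEST" '$input | @uri'` form in the first hunk is the right way to hand the value to jq, since it drops the `echo` and the line-oriented `-R` reading of the previous version. The enclosing `run:` step begins and ends outside both hunks.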
@@ -126,8 +126,8 @@ runs:
 # Get metadata from the image
 # NOTE (@Techassi): Maybe we should run this command only once
- IMAGE_METADATA_DESCRIPTION=$(docker inspect --format='{{.Config.Labels.description}}' "${IMAGE_REPO_DIGEST}")
- IMAGE_METADATA_NAME=$(docker inspect --format='{{.Config.Labels.name}}' "${IMAGE_REPO_DIGEST}")
+ IMAGE_METADATA_DESCRIPTION=$(docker inspect --format='{{.Config.Labels.description}}' "$IMAGE_REPO_DIGEST")
+ IMAGE_METADATA_NAME=$(docker inspect --format='{{.Config.Labels.name}}' "$IMAGE_REPO_DIGEST")
 # Generate the SBOM
 syft scan \
@@ -135,7 +135,7 @@ runs:
 --select-catalogers "-cargo-auditable-binary-cataloger,+sbom-cataloger" \
 --scope all-layers \
 --source-name "$SOURCE_NAME" \
- --source-version "$IMAGE_MANIFEST_TAG" "${IMAGE_REPO_DIGEST}"
+ --source-version "$IMAGE_MANIFEST_TAG" "$IMAGE_REPO_DIGEST"
 # Merge SBOM components using https://github.com/stackabletech/mergebom
 curl --fail -L -o mergebom https://repo.stackable.tech/repository/packages/mergebom/stable-$(uname -m)
From d96caa8454fcc660e52bbc5f706ba4e32e70c545 Mon Sep 17 00:00:00 2001
From: Lukas Voetmand
Date: Tue, 22 Oct 2024 15:25:26 +0200
Subject: [PATCH 6/6] fix: curly braces syntax
Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
---
 publish-image/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/publish-image/action.yml b/publish-image/action.yml
index b0203f4..063a534 100644
--- a/publish-image/action.yml
+++ b/publish-image/action.yml
@@ -122,7 +122,7 @@ runs:
 exit 1
 fi
 # Construct the package url (purl)
- PURL="pkg:oci/{$SOURCE_NAME}@{$URLENCODED_DIGEST}?arch=${ARCH}&repository_url=${REGISTRY_URI}%2F${URLENCODED_IMAGE_REPOSITORY}"
+ PURL="pkg:oci/${SOURCE_NAME}@${URLENCODED_DIGEST}?arch=${ARCH}&repository_url=${REGISTRY_URI}%2F${URLENCODED_IMAGE_REPOSITORY}"
 # Get metadata from the image
 # NOTE (@Techassi): Maybe we should run this command only once