Merge pull request #1736 from luhring/sbom-dir-src-log-warn

luhring · web-flow · commit 52550872392b · 2025-08-26T17:25:27.000-04:00
chore(sbom): resolve warning for directory source
diff --git a/pkg/sbom/sbom.go b/pkg/sbom/sbom.go
@@ -116,18 +116,31 @@ func Generate(ctx context.Context, inputFilePath string, f io.Reader, distroID s
 	}
 	log.Debug("synthesized APK package for SBOM", "name", apkPackage.Name, "version", apkPackage.Version, "id", string(apkPackage.ID()))
 
+	syft.SetLogger(anchorelogger.NewSlogAdapter(log.Base()))
+
+	apkPackageMetadata, ok := apkPackage.Metadata.(pkg.ApkDBEntry)
+	if !ok {
+		return nil, fmt.Errorf("expected APK package metadata to be of type pkg.ApkDBEntry, got %T", apkPackage.Metadata)
+	}
+
+	// Syft logs a scary (but inconsequential) warning if we don't supply an "alias" -- an explicit way to identify the directory source.
+	alias := source.Alias{
+		Name:     fmt.Sprintf("%s/%s", apkPackageMetadata.Architecture, apkPackageMetadata.Package),
+		Version:  apkPackageMetadata.Version,
+		Supplier: "chainguard",
+	}
+
 	src, err := directorysource.New(
 		directorysource.Config{
-			Path: tempDir,
+			Path:  tempDir,
+			Alias: alias,
 		},
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create source from directory: %w", err)
 	}
 	log.Debug("created Syft source from directory", "description", src.Describe())
 
-	syft.SetLogger(anchorelogger.NewSlogAdapter(log.Base()))
-
 	cfg := syft.DefaultCreateSBOMConfig().WithCatalogerSelection(
 		pkgcataloging.NewSelectionRequest().WithDefaults(
 			pkgcataloging.ImageTag,
diff --git a/pkg/sbom/testdata/goldenfiles/aarch64/crane-0.19.1-r6.apk.syft.json b/pkg/sbom/testdata/goldenfiles/aarch64/crane-0.19.1-r6.apk.syft.json
@@ -786,6 +786,7 @@
     "id": "(redacted for determinism)",
     "name": "crane",
     "version": "0.19.1-r6",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/aarch64/crane-0.19.1-r6.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/aarch64/jenkins-2.461-r0.apk.syft.json b/pkg/sbom/testdata/goldenfiles/aarch64/jenkins-2.461-r0.apk.syft.json
@@ -115116,6 +115116,7 @@
     "id": "(redacted for determinism)",
     "name": "jenkins",
     "version": "2.461-r0",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/aarch64/jenkins-2.461-r0.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/aarch64/jruby-9.4-9.4.7.0-r0.apk.syft.json b/pkg/sbom/testdata/goldenfiles/aarch64/jruby-9.4-9.4.7.0-r0.apk.syft.json
@@ -98163,6 +98163,7 @@
     "id": "(redacted for determinism)",
     "name": "jruby-9.4",
     "version": "9.4.7.0-r0",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/aarch64/jruby-9.4-9.4.7.0-r0.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/aarch64/openjdk-21-21.0.3-r3.apk.syft.json b/pkg/sbom/testdata/goldenfiles/aarch64/openjdk-21-21.0.3-r3.apk.syft.json
@@ -196,6 +196,7 @@
     "id": "(redacted for determinism)",
     "name": "openjdk-21",
     "version": "21.0.3-r3",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/aarch64/openjdk-21-21.0.3-r3.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/aarch64/openssl-3.3.0-r8.apk.syft.json b/pkg/sbom/testdata/goldenfiles/aarch64/openssl-3.3.0-r8.apk.syft.json
@@ -128,6 +128,7 @@
     "id": "(redacted for determinism)",
     "name": "openssl",
     "version": "3.3.0-r8",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/aarch64/openssl-3.3.0-r8.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/aarch64/perl-yaml-syck-1.34-r3.apk.syft.json b/pkg/sbom/testdata/goldenfiles/aarch64/perl-yaml-syck-1.34-r3.apk.syft.json
@@ -171,6 +171,7 @@
     "id": "(redacted for determinism)",
     "name": "perl-yaml-syck",
     "version": "1.34-r3",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/aarch64/perl-yaml-syck-1.34-r3.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/aarch64/php-odbc-8.2.11-r1.apk.syft.json b/pkg/sbom/testdata/goldenfiles/aarch64/php-odbc-8.2.11-r1.apk.syft.json
@@ -132,6 +132,7 @@
     "id": "(redacted for determinism)",
     "name": "php-odbc",
     "version": "8.2.11-r1",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/aarch64/php-odbc-8.2.11-r1.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/aarch64/powershell-7.4.1-r0.apk.syft.json b/pkg/sbom/testdata/goldenfiles/aarch64/powershell-7.4.1-r0.apk.syft.json
@@ -5549,6 +5549,7 @@
     "id": "(redacted for determinism)",
     "name": "powershell",
     "version": "7.4.1-r0",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/aarch64/powershell-7.4.1-r0.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/aarch64/py3-poetry-core-1.9.0-r1.apk.syft.json b/pkg/sbom/testdata/goldenfiles/aarch64/py3-poetry-core-1.9.0-r1.apk.syft.json
@@ -2495,6 +2495,7 @@
     "id": "(redacted for determinism)",
     "name": "py3-poetry-core",
     "version": "1.9.0-r1",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/aarch64/py3-poetry-core-1.9.0-r1.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/aarch64/python-3.11-base-3.11.9-r6.apk.syft.json b/pkg/sbom/testdata/goldenfiles/aarch64/python-3.11-base-3.11.9-r6.apk.syft.json
@@ -5389,6 +5389,7 @@
     "id": "(redacted for determinism)",
     "name": "python-3.11-base",
     "version": "3.11.9-r6",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/aarch64/python-3.11-base-3.11.9-r6.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/aarch64/terraform-1.5.7-r12.apk.syft.json b/pkg/sbom/testdata/goldenfiles/aarch64/terraform-1.5.7-r12.apk.syft.json
@@ -5960,6 +5960,7 @@
     "id": "(redacted for determinism)",
     "name": "terraform",
     "version": "1.5.7-r12",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/aarch64/terraform-1.5.7-r12.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/aarch64/thanos-0.32-0.32.5-r4.apk.syft.json b/pkg/sbom/testdata/goldenfiles/aarch64/thanos-0.32-0.32.5-r4.apk.syft.json
@@ -7825,6 +7825,7 @@
     "id": "(redacted for determinism)",
     "name": "thanos-0.32",
     "version": "0.32.5-r4",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/aarch64/thanos-0.32-0.32.5-r4.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/x86_64/crane-0.19.1-r6.apk.syft.json b/pkg/sbom/testdata/goldenfiles/x86_64/crane-0.19.1-r6.apk.syft.json
@@ -790,6 +790,7 @@
     "id": "(redacted for determinism)",
     "name": "crane",
     "version": "0.19.1-r6",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/x86_64/crane-0.19.1-r6.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/x86_64/jenkins-2.461-r0.apk.syft.json b/pkg/sbom/testdata/goldenfiles/x86_64/jenkins-2.461-r0.apk.syft.json
@@ -115116,6 +115116,7 @@
     "id": "(redacted for determinism)",
     "name": "jenkins",
     "version": "2.461-r0",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/x86_64/jenkins-2.461-r0.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/x86_64/jruby-9.4-9.4.7.0-r0.apk.syft.json b/pkg/sbom/testdata/goldenfiles/x86_64/jruby-9.4-9.4.7.0-r0.apk.syft.json
@@ -98163,6 +98163,7 @@
     "id": "(redacted for determinism)",
     "name": "jruby-9.4",
     "version": "9.4.7.0-r0",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/x86_64/jruby-9.4-9.4.7.0-r0.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/x86_64/openjdk-21-21.0.3-r3.apk.syft.json b/pkg/sbom/testdata/goldenfiles/x86_64/openjdk-21-21.0.3-r3.apk.syft.json
@@ -196,6 +196,7 @@
     "id": "(redacted for determinism)",
     "name": "openjdk-21",
     "version": "21.0.3-r3",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/x86_64/openjdk-21-21.0.3-r3.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/x86_64/openssl-3.3.0-r8.apk.syft.json b/pkg/sbom/testdata/goldenfiles/x86_64/openssl-3.3.0-r8.apk.syft.json
@@ -128,6 +128,7 @@
     "id": "(redacted for determinism)",
     "name": "openssl",
     "version": "3.3.0-r8",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/x86_64/openssl-3.3.0-r8.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/x86_64/perl-yaml-syck-1.34-r3.apk.syft.json b/pkg/sbom/testdata/goldenfiles/x86_64/perl-yaml-syck-1.34-r3.apk.syft.json
@@ -171,6 +171,7 @@
     "id": "(redacted for determinism)",
     "name": "perl-yaml-syck",
     "version": "1.34-r3",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/x86_64/perl-yaml-syck-1.34-r3.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/x86_64/php-odbc-8.2.11-r1.apk.syft.json b/pkg/sbom/testdata/goldenfiles/x86_64/php-odbc-8.2.11-r1.apk.syft.json
@@ -131,6 +131,7 @@
     "id": "(redacted for determinism)",
     "name": "php-odbc",
     "version": "8.2.11-r1",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/x86_64/php-odbc-8.2.11-r1.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/x86_64/powershell-7.4.1-r0.apk.syft.json b/pkg/sbom/testdata/goldenfiles/x86_64/powershell-7.4.1-r0.apk.syft.json
@@ -5549,6 +5549,7 @@
     "id": "(redacted for determinism)",
     "name": "powershell",
     "version": "7.4.1-r0",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/x86_64/powershell-7.4.1-r0.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/x86_64/py3-poetry-core-1.9.0-r1.apk.syft.json b/pkg/sbom/testdata/goldenfiles/x86_64/py3-poetry-core-1.9.0-r1.apk.syft.json
@@ -2495,6 +2495,7 @@
     "id": "(redacted for determinism)",
     "name": "py3-poetry-core",
     "version": "1.9.0-r1",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/x86_64/py3-poetry-core-1.9.0-r1.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/x86_64/python-3.11-base-3.11.9-r6.apk.syft.json b/pkg/sbom/testdata/goldenfiles/x86_64/python-3.11-base-3.11.9-r6.apk.syft.json
@@ -5389,6 +5389,7 @@
     "id": "(redacted for determinism)",
     "name": "python-3.11-base",
     "version": "3.11.9-r6",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/x86_64/python-3.11-base-3.11.9-r6.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/x86_64/terraform-1.5.7-r12.apk.syft.json b/pkg/sbom/testdata/goldenfiles/x86_64/terraform-1.5.7-r12.apk.syft.json
@@ -5964,6 +5964,7 @@
     "id": "(redacted for determinism)",
     "name": "terraform",
     "version": "1.5.7-r12",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/x86_64/terraform-1.5.7-r12.apk"
diff --git a/pkg/sbom/testdata/goldenfiles/x86_64/thanos-0.32-0.32.5-r4.apk.syft.json b/pkg/sbom/testdata/goldenfiles/x86_64/thanos-0.32-0.32.5-r4.apk.syft.json
@@ -7829,6 +7829,7 @@
     "id": "(redacted for determinism)",
     "name": "thanos-0.32",
     "version": "0.32.5-r4",
+    "supplier": "chainguard",
     "type": "directory",
     "metadata": {
       "path": "testdata/apks/x86_64/thanos-0.32-0.32.5-r4.apk"
