Generate and attach multiarch index SBOMs (only SPDX for now)

internal/cli/publish.go

@@ -126,7 +126,7 @@ func PublishCmd(ctx context.Context, outputRefs string, archs []types.Architectu
 	// The build context options is sometimes copied in the next functions. Ensure
 	// we have the directory defined and created by invoking the function early.
 	bc.Options.TempDir()
-	defer os.RemoveAll(bc.Options.TempDir())
+	// defer os.RemoveAll(bc.Options.TempDir())
 
 	bc.Logger().Printf("building tags %v", bc.Options.Tags)
 
@@ -147,6 +147,8 @@ func PublishCmd(ctx context.Context, outputRefs string, archs []types.Architectu
 	}
 
 	var finalDigest name.Digest
+	var idx coci.SignedImageIndex
+
 	for _, arch := range bc.ImageConfiguration.Archs {
 		arch := arch
 		bc := *bc
@@ -190,12 +192,12 @@ func PublishCmd(ctx context.Context, outputRefs string, archs []types.Architectu
 
 	if len(archs) > 1 {
 		if bc.Options.UseDockerMediaTypes {
-			finalDigest, err = oci.PublishDockerIndex(imgs, logrus.NewEntry(bc.Options.Log), bc.Options.Tags...)
+			finalDigest, idx, err = oci.PublishDockerIndex(imgs, logrus.NewEntry(bc.Options.Log), bc.Options.Tags...)
 			if err != nil {
 				return fmt.Errorf("failed to build Docker index: %w", err)
 			}
 		} else {
-			finalDigest, err = oci.PublishIndex(imgs, logrus.NewEntry(bc.Options.Log), bc.Options.Tags...)
+			finalDigest, idx, err = oci.PublishIndex(imgs, logrus.NewEntry(bc.Options.Log), bc.Options.Tags...)
 			if err != nil {
 				return fmt.Errorf("failed to build OCI index: %w", err)
 			}
@@ -226,6 +228,16 @@ func PublishCmd(ctx context.Context, outputRefs string, archs []types.Architectu
 				return fmt.Errorf("attaching sboms to %s image: %w", arch, err)
 			}
 		}
+
+		if err := bc.GenerateIndexSBOM(finalDigest, imgs); err != nil {
+			return fmt.Errorf("generating index SBOM: %w", err)
+		}
+
+		if _, err := oci.PostAttachSBOM(
+			idx, sbompath, bc.Options.SBOMFormats, types.Architecture{}, bc.Logger(), bc.Options.Tags...,
+		); err != nil {
+			return fmt.Errorf("attaching sboms to index: %w", err)
+		}
 	}
 
 	// If provided, this is the name of the file to write digest referenced into

pkg/build/build.go

@@ -23,6 +23,7 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/hashicorp/go-multierror"
 	coci "github.com/sigstore/cosign/pkg/oci"
 	"github.com/sirupsen/logrus"
@@ -66,6 +67,10 @@ func (bc *Context) GenerateImageSBOM(arch types.Architecture, img coci.SignedIma
 	return bc.impl.GenerateSBOM(&opts)
 }
 
+func (bc *Context) GenerateIndexSBOM(indexDigest name.Digest, imgs map[types.Architecture]coci.SignedImage) error {
+	return bc.impl.GenerateIndexSBOM(&bc.Options, indexDigest, imgs)
+}
+
 func (bc *Context) GenerateSBOM() error {
 	return bc.impl.GenerateSBOM(&bc.Options)
 }

pkg/build/build_implementation.go

@@ -15,13 +15,18 @@
 package build
 
 import (
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 	"runtime"
 
 	"github.com/google/go-containerregistry/pkg/name"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
 	v1tar "github.com/google/go-containerregistry/pkg/v1/tarball"
+	ggcrtypes "github.com/google/go-containerregistry/pkg/v1/types"
+	coci "github.com/sigstore/cosign/pkg/oci"
+	"sigs.k8s.io/release-utils/hash"
 
 	chainguardAPK "chainguard.dev/apko/pkg/apk"
 	"chainguard.dev/apko/pkg/build/types"
@@ -30,6 +35,7 @@ import (
 	"chainguard.dev/apko/pkg/options"
 	"chainguard.dev/apko/pkg/s6"
 	"chainguard.dev/apko/pkg/sbom"
+	soptions "chainguard.dev/apko/pkg/sbom/options"
 	"chainguard.dev/apko/pkg/tarball"
 )
 
@@ -47,6 +53,7 @@ type buildImplementation interface {
 	ValidateImageConfiguration(*types.ImageConfiguration) error
 	BuildImage(*options.Options, *types.ImageConfiguration, *exec.Executor, *s6.Context) error
 	WriteSupervisionTree(*s6.Context, *types.ImageConfiguration) error
+	GenerateIndexSBOM(*options.Options, name.Digest, map[types.Architecture]coci.SignedImage) error
 }
 
 type defaultBuildImplementation struct{}
@@ -209,3 +216,78 @@ func buildImage(
 
 	return nil
 }
+
+func (di *defaultBuildImplementation) GenerateIndexSBOM(
+	o *options.Options, indexDigest name.Digest, imgs map[types.Architecture]coci.SignedImage,
+) error {
+	if len(o.SBOMFormats) == 0 {
+		o.Logger().Warnf("skipping index SBOM generation")
+		return nil
+	}
+
+	s := sbom.NewWithWorkDir(o.WorkDir, o.Arch)
+	// Parse the image reference
+	if len(o.Tags) > 0 {
+		tag, err := name.NewTag(o.Tags[0])
+		if err != nil {
+			return fmt.Errorf("parsing tag %s: %w", o.Tags[0], err)
+		}
+		s.Options.ImageInfo.Tag = tag.TagStr()
+		s.Options.ImageInfo.Name = tag.String()
+	}
+
+	o.Logger().Infof("Generating index SBOM")
+
+	// Add the image digest
+	h, err := v1.NewHash(indexDigest.DigestStr())
+	if err != nil {
+		return errors.New("getting index hash")
+	}
+	s.Options.ImageInfo.IndexDigest = h
+	s.Options.ImageInfo.SourceDateEpoch = o.SourceDateEpoch
+	s.Options.Formats = o.SBOMFormats
+	s.Options.OutputDir = o.TempDir()
+	if o.SBOMPath != "" {
+		s.Options.OutputDir = o.SBOMPath
+	}
+	s.Options.ImageInfo.IndexMediaType = ggcrtypes.OCIImageIndex
+	if o.UseDockerMediaTypes {
+		s.Options.ImageInfo.IndexMediaType = ggcrtypes.DockerManifestList
+	}
+	var ext string
+	switch o.SBOMFormats[0] {
+	case "spdx":
+		ext = "spdx.json"
+	case "cyclonedx":
+		ext = "cdx"
+	case "idb":
+		ext = "idb"
+	}
+
+	// Load the images data into the SBOM generator options
+	for arch, i := range imgs {
+		sbomHash, err := hash.SHA256ForFile(filepath.Join(s.Options.OutputDir, fmt.Sprintf("sbom-%s.%s", arch.ToAPK(), ext)))
+		if err != nil {
+			return fmt.Errorf("checksumming %s SBOM: %w", arch, err)
+		}
+
+		d, err := i.Digest()
+		if err != nil {
+			return fmt.Errorf("getting arch image digest: %w", err)
+		}
+
+		s.Options.ImageInfo.Images = append(
+			s.Options.ImageInfo.Images,
+			soptions.ArchImageInfo{
+				Digest:     d,
+				Arch:       arch,
+				SBOMDigest: sbomHash,
+			})
+	}
+
+	if _, err := s.GenerateIndex(); err != nil {
+		return fmt.Errorf("generting index SBOM: %w", err)
+	}
+
+	return nil
+}