exporter: ensure spdx order prioritizes primary sbom

If we have any SBOMs that are notated as primary, then we should ensure that they appear before the others in the list of attestations. This ensures that clients should be able to naively take the "first" SBOM, to get the most relevant one that applies to the main rootfs. Signed-off-by: Justin Chadwell <[email protected]>
tonistiigi · Jan 9, 2023 · eabeb4f · eabeb4f
1 parent e86ba94
commit eabeb4f
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/exporter/attestation/unbundle.go b/exporter/attestation/unbundle.go
@@ -81,13 +81,41 @@ func Unbundle(ctx context.Context, s session.Group, bundled []exporter.Attestati
 	for _, atts := range unbundled {
 		joined = append(joined, atts...)
 	}
+	joined = sort(joined)
 
 	if err := Validate(joined); err != nil {
 		return nil, err
 	}
 	return joined, nil
 }
 
+func sort(atts []exporter.Attestation) []exporter.Attestation {
+	isCore := make([]bool, len(atts))
+	for i, att := range atts {
+		name, ok := att.Metadata[result.AttestationSBOMCore]
+		if !ok {
+			continue
+		}
+		if n, _, _ := strings.Cut(att.Path, "."); n != string(name) {
+			continue
+		}
+		isCore[i] = true
+	}
+
+	result := make([]exporter.Attestation, 0, len(atts))
+	for i, att := range atts {
+		if isCore[i] {
+			result = append(result, att)
+		}
+	}
+	for i, att := range atts {
+		if !isCore[i] {
+			result = append(result, att)
+		}
+	}
+	return result
+}
+
 func unbundle(ctx context.Context, root string, bundle exporter.Attestation) ([]exporter.Attestation, error) {
 	dir, err := fs.RootPath(root, bundle.Path)
 	if err != nil {