From 5dac7b143a3e4ea4aaf369f9cadeab954ab63eea Mon Sep 17 00:00:00 2001
From: Chris Goller
Date: Tue, 10 Oct 2023 06:43:34 -0500
Subject: [PATCH 1/2] fix(sbom): strip in-toto statement header from saved SBOM

Signed-off-by: Chris Goller
---
 pkg/sbom/sbom.go | 46 ++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 38 insertions(+), 8 deletions(-)

diff --git a/pkg/sbom/sbom.go b/pkg/sbom/sbom.go
index 6f23883f..eb3fd358 100644
--- a/pkg/sbom/sbom.go
+++ b/pkg/sbom/sbom.go
@@ -158,24 +158,54 @@ func downloadSBOM(ctx context.Context, sbom sbomOutput) error {
 return err
 }
 
- output, err := os.OpenFile(sbom.outputPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0640)
- if err != nil {
- return err
- }
- defer func() { _ = output.Close() }()
+ // Preallocate 1MB for the buffer. This is a guess at the size of the SBOM.
+ inner := make([]byte, 0, 1024*1024)
+ buf := bytes.NewBuffer(inner)
 
 for {
 resp, err := r.Recv()
 if err != nil {
 if errors.Is(err, io.EOF) {
- return nil
+ break
 }
 return err
 }
-
- _, err = output.Write(resp.Data)
+ _, err = buf.Write(resp.Data)
 if err != nil {
 return err
 }
 }
+
+ // Strip the in-toto statement header and save the SBOM statement.
+ var statement Statement
+ err = json.Unmarshal(buf.Bytes(), &statement)
+ if err != nil {
+ return err
+ }
+
+ octets, err := json.Marshal(statement.Predicate)
+ if err != nil {
+ return err
+ }
+
+ output, err := os.OpenFile(sbom.outputPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0640)
+ if err != nil {
+ return err
+ }
+
+ _, err = output.Write(octets)
+ if err != nil {
+ return err
+ }
+
+ return output.Close()
+}
+
+// Statement copied from in-toto-golang/in_toto but using json.RawMessage
+// to avoid unmarshalling and allocating the subject and predicate.
+type Statement struct {
+ Type string `json:"_type"`
+ PredicateType string `json:"predicateType"`
+ Subject json.RawMessage `json:"subject"`
+ Predicate json.RawMessage `json:"predicate"`
 }
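Review bot: The error path after `_, err = output.Write(octets)` leaks the file descriptor, because the `defer func() { _ = output.Close() }()` was removed and only the success path reaches `output.Close()`. The new parsing also accepts any JSON object: a response that is not an in-toto statement, or one without a `predicate` member, unmarshals cleanly into `Statement` with a nil `Predicate`, and `json.Marshal` of a nil `json.RawMessage` then writes the literal `null` into `sbom.outputPath` without an error. Rejecting an empty predicate before the output file is opened, and closing the file on the write-error path, covers both; `predicateType` could additionally be compared with the SBOM type the caller expects, but that expected value is not visible in this hunk. Note that the whole stream is now held in memory instead of being written as it arrives, so a large SBOM costs RAM proportional to its size. downloadSBOM begins before this hunk.
```go
	// … unchanged: Recv loop into buf …
	var statement Statement
	err = json.Unmarshal(buf.Bytes(), &statement)
	if err != nil {
		return err
	}
	// Any JSON object unmarshals into Statement; without this check a payload
	// that is not an in-toto statement is saved as the literal "null".
	if len(statement.Predicate) == 0 {
		return errors.New("sbom: response has no in-toto predicate")
	}
	// … unchanged: json.Marshal(statement.Predicate) and os.OpenFile …
	if _, err := output.Write(octets); err != nil {
		_ = output.Close() // do not leak the descriptor; the write error is the one to report
		return err
	}
	return output.Close()
```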
From 36ad211ca39bb2eb0d3aac9c36053771c2ee2889 Mon Sep 17 00:00:00 2001
From: Chris Goller
Date: Tue, 10 Oct 2023 06:48:14 -0500
Subject: [PATCH 2/2] doc(sbom): clarify saving of SBOMs

Signed-off-by: Chris Goller
---
 pkg/sbom/sbom.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/sbom/sbom.go b/pkg/sbom/sbom.go
index eb3fd358..6164192e 100644
--- a/pkg/sbom/sbom.go
+++ b/pkg/sbom/sbom.go
@@ -176,7 +176,7 @@ func downloadSBOM(ctx context.Context, sbom sbomOutput) error {
 }
 }
 
- // Strip the in-toto statement header and save the SBOM statement.
+ // Strip the in-toto statement header and save the SBOM predicate.
 var statement Statement
 err = json.Unmarshal(buf.Bytes(), &statement)
 if err != nil {