This downloads the SBOM attestation and massages it into a simple list of package@versions for an image that has them.
```sh
# Usage: packages <image-ref> [platform]   (platform defaults to linux/amd64)
function packages() {
  # Resolve the tag to a digest-pinned reference so the attestation lookup
  # matches exactly the image that was inspected.
  cosign download attestation \
    "$(crane digest --full-ref --platform="${2:-linux/amd64}" "$1")" \
    --predicate-type="https://spdx.dev/Document" | \
    # The DSSE envelope carries the SPDX statement base64-encoded in .payload
    jq -r '.payload' | base64 -d | \
    jq -r '.predicate.packages[] | ("\(.name) \(.versionInfo)")' | \
    # Drop sha256: entries (layers/files, not packages), then dedupe
    grep -v sha256: | sort | uniq
}
```
example:
```
$ packages cgr.dev/chainguard/busybox:latest-glibc
busybox 1.36.1-r0
ca-certificates-bundle 20230506-r0
glibc 2.37-r6
glibc-locale-posix 2.37-r7
ld-linux 2.37-r7
wolfi-baselayout 20230201-r3
```
It could be cool for digesta-bot to include any package diffs in the description of the PR it opens with changes.
```
$ old=cgr.dev/chainguard/busybox@sha256:dda91f4fc322187003a093a60a7322604462cbf314d8c0ebfc3d4d075c8d7efe
$ new=cgr.dev/chainguard/busybox:latest-glibc
$ diff <(packages $old) <(packages $new)
1c1
< busybox 1.36.0-r5
---
> busybox 1.36.1-r0
3d2
< github.com/chainguard-images/images c8a42f1fed31ee9f5e5eb91e553817ca285c589b
5,7c4,6
< glibc-locale-posix 2.37-r6
< ld-linux 2.37-r6
< wolfi-baselayout 20230201-r0
---
> glibc-locale-posix 2.37-r7
> ld-linux 2.37-r7
> wolfi-baselayout 20230201-r3
```
Or even if not diffing, we could list the package versions of the new image(s), which can be useful.
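An added example (not code from the issue or from digesta-bot) of how a bot could turn two downloaded attestations into the package diff proposed above and render it for a PR description. It decodes the DSSE `.payload` the same way the shell function does and skips `sha256:` entries; the two envelopes are constructed inline in place of real `cosign download attestation` output.

```python
import base64
import json

# Constructed DSSE envelopes shaped like `cosign download attestation` output:
# the SPDX in-toto statement is base64-encoded in `.payload`.
def _envelope(packages):
    statement = {"predicateType": "https://spdx.dev/Document",
                 "predicate": {"packages": packages}}
    return json.dumps({"payload": base64.b64encode(
        json.dumps(statement).encode()).decode()})

OLD_ATTESTATION = _envelope([
    {"name": "busybox", "versionInfo": "1.36.0-r5"},
    {"name": "glibc", "versionInfo": "2.37-r6"},
    {"name": "sha256:deadbeef", "versionInfo": ""},  # constructed layer entry
    {"name": "wolfi-baselayout", "versionInfo": "20230201-r0"},
])
NEW_ATTESTATION = _envelope([
    {"name": "busybox", "versionInfo": "1.36.1-r0"},
    {"name": "glibc", "versionInfo": "2.37-r6"},
    {"name": "ca-certificates-bundle", "versionInfo": "20230506-r0"},
    {"name": "wolfi-baselayout", "versionInfo": "20230201-r3"},
])

def packages(envelope_json):
    """Mirror the shell function: decode the DSSE payload and map name -> version,
    dropping sha256: entries (layers/files, not packages) like `grep -v sha256:`."""
    statement = json.loads(base64.b64decode(json.loads(envelope_json)["payload"]))
    return {p["name"]: p.get("versionInfo", "")
            for p in statement["predicate"]["packages"]
            if not p["name"].startswith("sha256:")}

def package_diff(old, new):
    """Return (added, removed, changed); changed maps name -> (old_ver, new_ver)."""
    added = {n: v for n, v in new.items() if n not in old}
    removed = {n: v for n, v in old.items() if n not in new}
    changed = {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}
    return added, removed, changed

def render_markdown(added, removed, changed):
    """Format the diff as a PR-description snippet; empty string when nothing changed."""
    lines = [f"- added `{n}` {v}" for n, v in sorted(added.items())]
    lines += [f"- removed `{n}` {v}" for n, v in sorted(removed.items())]
    lines += [f"- `{n}` {o} -> {v}" for n, (o, v) in sorted(changed.items())]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_markdown(*package_diff(packages(OLD_ATTESTATION),
                                        packages(NEW_ATTESTATION))))
```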