From 8e2bdcbbac67970155ff62174befe8f2866ee6aa Mon Sep 17 00:00:00 2001
From: Mikhail Malyshev
Date: Sat, 11 Nov 2023 02:03:20 +0000
Subject: [PATCH] Merge kernel and zfs SBOM with eve SBOM

This is a workaround for Linuxkit limitation. Currently Linuxkit ignores *.spdx.json files in kernel container so kernel SBOM is not a part of final SBOM. In the near future SBOM for any container will be a part of image metadata and manual steps to run syft won't be required

Signed-off-by: Mikhail Malyshev
---
 Makefile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index bdeeab7d69..17bc7ac22a 100644
--- a/Makefile
+++ b/Makefile
@@ -664,7 +664,11 @@ $(SBOM): $(ROOTFS_TAR) | $(INSTALLER)
 	# this all can go away, and we can read the rootfs.tar
 	# see https://github.com/anchore/syft/issues/1400
 	tar xf $< -C $(TMP_ROOTDIR) --exclude "dev/*"
-	# kernel-sbom.spdx.json is now generated in eve-kernel repo and extracted from kernel docker image into rootfs by linuxkit
+	# kernel-*.spdx.json are now generated in eve-kernel repo and are stored in docker image.
+	# Manually extract them to unpacked rootfs.
+	# Later linuxkit will get a support for SBOM in OCI metadata and this step as well as manual run of
+	# syft will be deprecated
+	docker export $(shell docker create $(KERNEL_TAG) create) | tar xv -C $(TMP_ROOTDIR) --wildcards --no-anchored '*.spdx.json'
 	docker run -v $(TMP_ROOTDIR):/rootdir:ro -v $(CURDIR)/.syft.yaml:/syft.yaml:ro $(SYFT_IMAGE) -c /syft.yaml --base-path /rootdir /rootdir > $@
 	rm -rf $(TMP_ROOTDIR)
 	$(QUIET): $@: Succeeded
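Review bot: The added `docker export $(shell docker create $(KERNEL_TAG) create) | tar xv …` line leaks a stopped container on every SBOM build (nothing ever runs `docker rm`) and can hide a failure: `$(shell …)` discards the exit status of `docker create`, so a missing or unpullable `$(KERNEL_TAG)` yields an empty container id, and whether the recipe then fails depends on `docker export` with no argument and on how `tar` treats an empty pipe under the recipe shell (no `pipefail` is visible in this hunk). The trailing `create` argument is also handed to the container as its command, which looks like a copy-paste slip rather than intent. I would create, export and remove the container inside the shell and propagate the extraction status explicitly, as below; `set -o pipefail` only works if the Makefile's `SHELL` is bash, which is set outside this hunk, so drop that line if the file uses plain `sh`. The enclosing `$(SBOM)` rule starts before this hunk.
```make
	tar xf $< -C $(TMP_ROOTDIR) --exclude "dev/*"
	# … unchanged: comments explaining the manual kernel SBOM extraction …
	# Create a throw-away container from the kernel image, pull only the SBOM
	# files out of its filesystem, and always remove the container again.
	set -o pipefail; \
	cid=$$(docker create $(KERNEL_TAG)) || exit 1; \
	docker export "$$cid" | tar xv -C $(TMP_ROOTDIR) --wildcards --no-anchored '*.spdx.json'; rc=$$?; \
	docker rm "$$cid" >/dev/null; exit $$rc
```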