diff --git a/internal/gok/overwrite.go b/internal/gok/overwrite.go
index 0516764..ffce198 100644
--- a/internal/gok/overwrite.go
+++ b/internal/gok/overwrite.go
@@ -70,6 +70,14 @@ func (r *overwriteImplConfig) run(ctx context.Context, args []string, stdout, st
 return err
 }
+ // GenerateSBOM() must be called before any modifications to cfg.InternalCompatibilityFlags,
+ // as the SBOM should reflect what’s going into gokrazy,
+ // not its internal implementation details.
+ sbom, _, err := packer.GenerateSBOM(cfg)
+ if err != nil {
+ return err
+ }
+
 if cfg.InternalCompatibilityFlags == nil {
 cfg.InternalCompatibilityFlags = &config.InternalCompatibilityFlags{}
 }
@@ -123,6 +131,7 @@ func (r *overwriteImplConfig) run(ctx context.Context, args []string, stdout, st
 pack := &packer.Pack{
 Cfg: cfg,
 Output: &output,
+ SBOM: sbom,
 }
 pack.Main("gokrazy gok")
diff --git a/internal/gok/sbom.go b/internal/gok/sbom.go
index 8757389..665b55a 100644
--- a/internal/gok/sbom.go
+++ b/internal/gok/sbom.go
@@ -58,6 +58,9 @@ func (r *sbomConfig) run(ctx context.Context, args []string, stdout, stderr io.W
 updateflag.SetUpdate("yes")
+ // GenerateSBOM() must be called before any modifications to cfg.InternalCompatibilityFlags,
+ // as the SBOM should reflect what’s going into gokrazy,
+ // not its internal implementation details.
 sbomMarshaled, sbomWithHash, err := packer.GenerateSBOM(cfg)
 if os.IsNotExist(err) { // Common case, handle with a good error message
diff --git a/internal/gok/update.go b/internal/gok/update.go
index 320a4a4..57b7492 100644
--- a/internal/gok/update.go
+++ b/internal/gok/update.go
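Review bot: The error from the new `packer.GenerateSBOM(cfg)` call in the first overwrite.go hunk is returned bare, so a failing `gok overwrite` gives the user no hint that SBOM generation was the step that failed. The sbom.go hunk shows `gok sbom` special-casing `os.IsNotExist` for the same call, described there as the common case, while this path passes the raw error through. Consider `return fmt.Errorf("generating SBOM: %w", err)` (assuming `fmt` is imported in this file), and the same in the matching hunk of internal/gok/update.go. The body of `run` starts and ends outside the hunk.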
@@ -50,6 +50,14 @@ func (r *updateImplConfig) run(ctx context.Context, args []string, stdout, stder
 return err
 }
+ // GenerateSBOM() must be called before any modifications to cfg.InternalCompatibilityFlags,
+ // as the SBOM should reflect what’s going into gokrazy,
+ // not its internal implementation details.
+ sbom, _, err := packer.GenerateSBOM(cfg)
+ if err != nil {
+ return err
+ }
+
 if cfg.InternalCompatibilityFlags == nil {
 cfg.InternalCompatibilityFlags = &config.InternalCompatibilityFlags{}
 }
@@ -77,7 +85,8 @@ func (r *updateImplConfig) run(ctx context.Context, args []string, stdout, stder
 }
 pack := &packer.Pack{
- Cfg: cfg,
+ Cfg: cfg,
+ SBOM: sbom,
 }
 pack.Main("gokrazy gok")
diff --git a/internal/packer/gaf.go b/internal/packer/gaf.go
index e6955a4..3b779c1 100644
--- a/internal/packer/gaf.go
+++ b/internal/packer/gaf.go
@@ -49,12 +49,7 @@ func (p *Pack) overwriteGaf(root *FileInfo) error {
 return err
 }
- sbomMarshaled, _, err := GenerateSBOM(p.Cfg)
- if err != nil {
- return err
- }
-
- if _, err := tmpSBOM.Write(sbomMarshaled); err != nil {
+ if _, err := tmpSBOM.Write(p.SBOM); err != nil {
 return err
 }
diff --git a/internal/packer/packer.go b/internal/packer/packer.go
index 1c91ee3..267db53 100644
--- a/internal/packer/packer.go
+++ b/internal/packer/packer.go
@@ -980,6 +980,7 @@ type Pack struct {
 Cfg *config.Struct
 Output *OutputStruct
+ SBOM []byte
 }
 func filterGoEnv(env []string) []string {
@@ -1366,14 +1367,10 @@ func (pack *Pack) logic(programName string) error {
 FromLiteral: update.HTTPSPort,
 })
- sbom, _, err := GenerateSBOM(cfg)
- if err != nil {
- return err
- }
 etcGokrazy := &FileInfo{Filename: "gokrazy"}
 etcGokrazy.Dirents = append(etcGokrazy.Dirents, &FileInfo{
 Filename: "sbom.json",
- FromLiteral: string(sbom),
+ FromLiteral: string(pack.SBOM),
 })
 etc.Dirents = append(etc.Dirents, etcGokrazy)
diff --git a/internal/packer/sbom.go b/internal/packer/sbom.go
index d8bb143..fbe6847 100644
--- a/internal/packer/sbom.go
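Review bot: `overwriteGaf` now writes `p.SBOM` without checking that it was ever populated, so a `Pack` built without the field silently produces an empty SBOM file. Before this change a generation failure surfaced as an error at this point. The same applies to `string(pack.SBOM)` in the `logic` hunk of internal/packer/packer.go, which would ship an empty `sbom.json` in the image. The two call sites in this diff set the field, but any other constructor of `packer.Pack` (none visible here) would not be caught. A guard at the start of both functions keeps a missing SBOM from going unnoticed: `if len(p.SBOM) == 0 { return errors.New("Pack.SBOM is empty; call GenerateSBOM before Main") }`, using whichever error constructor the file already imports. Both function bodies extend beyond their hunks.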
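Review bot: The new `SBOM []byte` field on `Pack` has no doc comment, although it carries the ordering requirement that the rest of this commit documents at every `GenerateSBOM` call site. A reader of the struct cannot tell that the bytes must come from `GenerateSBOM(Cfg)` before `Cfg.InternalCompatibilityFlags` is touched. Nor can they tell that the bytes are written out verbatim by `logic` and `overwriteGaf`. I would add above the field: `// SBOM is the marshaled output of GenerateSBOM(Cfg), computed before Cfg.InternalCompatibilityFlags is modified; it is written verbatim as sbom.json.` The struct's opening lines are outside the hunk.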
+++ b/internal/packer/sbom.go
@@ -48,6 +48,9 @@ type SBOMWithHash struct {
 // GenerateSBOM generates a Software Bills Of Material (SBOM) for the
 // local gokrazy instance.
+// It must be called before any modifications to cfg.InternalCompatibilityFlags,
+// as the SBOM should reflect what’s going into gokrazy,
+// not its internal implementation details.
 func GenerateSBOM(cfg *config.Struct) ([]byte, SBOMWithHash, error) {
 wd, err := os.Getwd()
 if err != nil {