fix sbom generation inconsistency, take 2

internal/gok/overwrite.go

@@ -65,6 +65,11 @@ func init() {
 }
 
 func (r *overwriteImplConfig) run(ctx context.Context, args []string, stdout, stderr io.Writer) error {
+	fileCfg, err := config.ReadFromFile()
+	if err != nil {
+		return err
+	}
+
 	cfg, err := config.ReadFromFile()
 	if err != nil {
 		return err
@@ -121,8 +126,9 @@ func (r *overwriteImplConfig) run(ctx context.Context, args []string, stdout, st
 	}
 
 	pack := &packer.Pack{
-		Cfg:    cfg,
-		Output: &output,
+		FileCfg: fileCfg,
+		Cfg:     cfg,
+		Output:  &output,
 	}
 
 	pack.Main("gokrazy gok")

internal/gok/sbom.go

@@ -58,6 +58,11 @@ func (r *sbomConfig) run(ctx context.Context, args []string, stdout, stderr io.W
 
 	updateflag.SetUpdate("yes")
 
+	// GenerateSBOM() must be provided with a cfg
+	// that hasn't been modified by gok at runtime,
+	// as the SBOM should reflect what’s going into gokrazy,
+	// not its internal implementation details
+	// (i.e.  cfg.InternalCompatibilityFlags untouched).
 	sbomMarshaled, sbomWithHash, err := packer.GenerateSBOM(cfg)
 	if os.IsNotExist(err) {
 		// Common case, handle with a good error message

internal/gok/update.go

@@ -45,6 +45,11 @@ func init() {
 }
 
 func (r *updateImplConfig) run(ctx context.Context, args []string, stdout, stderr io.Writer) error {
+	fileCfg, err := config.ReadFromFile()
+	if err != nil {
+		return err
+	}
+
 	cfg, err := config.ReadFromFile()
 	if err != nil {
 		return err
@@ -77,7 +82,8 @@ func (r *updateImplConfig) run(ctx context.Context, args []string, stdout, stder
 	}
 
 	pack := &packer.Pack{
-		Cfg: cfg,
+		FileCfg: fileCfg,
+		Cfg:     cfg,
 	}
 
 	pack.Main("gokrazy gok")

internal/packer/gaf.go

@@ -49,7 +49,12 @@ func (p *Pack) overwriteGaf(root *FileInfo) error {
 		return err
 	}
 
-	sbomMarshaled, _, err := GenerateSBOM(p.Cfg)
+	// GenerateSBOM() must be provided with a cfg
+	// that hasn't been modified by gok at runtime,
+	// as the SBOM should reflect what’s going into gokrazy,
+	// not its internal implementation details
+	// (i.e.  cfg.InternalCompatibilityFlags untouched).
+	sbomMarshaled, _, err := GenerateSBOM(p.FileCfg)
 	if err != nil {
 		return err
 	}

internal/packer/packer.go

@@ -978,8 +978,11 @@ type OutputStruct struct {
 type Pack struct {
 	packer.Pack
 
-	Cfg    *config.Struct
-	Output *OutputStruct
+	// FileCfg holds an untouched copy
+	// of the config file, as it was read from disk.
+	FileCfg *config.Struct
+	Cfg     *config.Struct
+	Output  *OutputStruct
 }
 
 func filterGoEnv(env []string) []string {
@@ -1366,10 +1369,16 @@ func (pack *Pack) logic(programName string) error {
 		FromLiteral: update.HTTPSPort,
 	})
 
-	sbom, _, err := GenerateSBOM(cfg)
+	// GenerateSBOM() must be provided with a cfg
+	// that hasn't been modified by gok at runtime,
+	// as the SBOM should reflect what’s going into gokrazy,
+	// not its internal implementation details
+	// (i.e.  cfg.InternalCompatibilityFlags untouched).
+	sbom, _, err := GenerateSBOM(pack.FileCfg)
 	if err != nil {
 		return err
 	}
+
 	etcGokrazy := &FileInfo{Filename: "gokrazy"}
 	etcGokrazy.Dirents = append(etcGokrazy.Dirents, &FileInfo{
 		Filename:    "sbom.json",

internal/packer/sbom.go

@@ -48,6 +48,10 @@ type SBOMWithHash struct {
 
 // GenerateSBOM generates a Software Bills Of Material (SBOM) for the
 // local gokrazy instance.
+// It must be provided with a cfg that hasn't been modified by gok at runtime,
+// as the SBOM should reflect what’s going into gokrazy,
+// not its internal implementation details
+// (i.e.  cfg.InternalCompatibilityFlags untouched).
 func GenerateSBOM(cfg *config.Struct) ([]byte, SBOMWithHash, error) {
 	wd, err := os.Getwd()
 	if err != nil {