sbom: Use layer digest for layer package version

Currently we use the base OS version for the layer version, which confusingly
sets most image layers for Wolfi based packages to an old looking package version
which doesn't really have much to do with the image layer.

For the top level image, we use the image digest. This change duplicates that behavior
for image layers.

Author: wlynch

pkg/sbom/generator/spdx/spdx.go

@@ -427,13 +427,13 @@ func (sx *SPDX) imagePackage(opts *options.Options) (p *Package) {
 
 // LayerPackage returns a package describing the layer
 func (sx *SPDX) layerPackage(opts *options.Options, layer v1.Descriptor) *Package {
-	layerPackageName := hashToString(layer.Digest)
-	mainPkgID := stringToIdentifier(layerPackageName)
+	layerDigest := hashToString(layer.Digest)
+	mainPkgID := stringToIdentifier(layerDigest)
 
 	return &Package{
 		ID:               fmt.Sprintf("SPDXRef-Package-%s", mainPkgID),
-		Name:             layerPackageName,
-		Version:          opts.OS.Version,
+		Name:             layerDigest,
+		Version:          layerDigest,
 		FilesAnalyzed:    false,
 		Description:      "apko operating system layer",
 		DownloadLocation: NOASSERTION,

pkg/sbom/generator/spdx/spdx_test.go

@@ -231,6 +231,33 @@ func TestSPDX_Generate(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "layer-with-digest",
+			opts: &options.Options{
+				ImageInfo: options.ImageInfo{
+					Layers: []v1.Descriptor{{
+						Digest: v1.Hash{
+							Algorithm: "sha256",
+							Hex:       "abc123def456",
+						},
+					}},
+				},
+				OS: options.OSInfo{
+					Name:    "unknown",
+					ID:      "unknown",
+					Version: "3.0",
+				},
+				FileName: "sbom",
+				Packages: []*apk.InstalledPackage{
+					{
+						Package: apk.Package{
+							Name:    "libattr1",
+							Version: "2.5.1-r2",
+						},
+					},
+				},
+			},
+		},
 	}
 
 	for _, tt := range tests {

pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json

@@ -19,7 +19,6 @@
     {
       "SPDXID": "SPDXRef-Package-",
       "name": "",
-      "versionInfo": "3.0",
       "filesAnalyzed": false,
       "description": "apko operating system layer",
       "downloadLocation": "NOASSERTION",

pkg/sbom/generator/spdx/testdata/expected_image_sboms/custom-license.spdx.json

@@ -19,7 +19,6 @@
     {
       "SPDXID": "SPDXRef-Package-",
       "name": "",
-      "versionInfo": "3.0",
       "filesAnalyzed": false,
       "description": "apko operating system layer",
       "downloadLocation": "NOASSERTION",

pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json

@@ -19,7 +19,6 @@
     {
       "SPDXID": "SPDXRef-Package-",
       "name": "",
-      "versionInfo": "3.0",
       "filesAnalyzed": false,
       "description": "apko operating system layer",
       "downloadLocation": "NOASSERTION",

pkg/sbom/generator/spdx/testdata/expected_image_sboms/layer-with-digest.spdx.json

@@ -0,0 +1,66 @@
+{
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "sbom-sha256:abc123def456",
+  "spdxVersion": "SPDX-2.3",
+  "creationInfo": {
+    "created": "0001-01-01T00:00:00Z",
+    "creators": [
+      "Tool: apko (devel)",
+      "Organization: Chainguard, Inc"
+    ],
+    "licenseListVersion": "3.16"
+  },
+  "dataLicense": "CC0-1.0",
+  "documentNamespace": "https://spdx.org/spdxdocs/apko/",
+  "documentDescribes": [
+    "SPDXRef-Package-sha256-abc123def456"
+  ],
+  "packages": [
+    {
+      "SPDXID": "SPDXRef-Package-sha256-abc123def456",
+      "name": "sha256:abc123def456",
+      "versionInfo": "sha256:abc123def456",
+      "filesAnalyzed": false,
+      "description": "apko operating system layer",
+      "downloadLocation": "NOASSERTION",
+      "supplier": "Organization: unknown",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceLocator": "pkg:oci/image@sha256%3Aabc123def456?mediaType=\u0026os=linux",
+          "referenceType": "purl"
+        }
+      ]
+    },
+    {
+      "SPDXID": "SPDXRef-OperatingSystem-unknown",
+      "name": "unknown",
+      "versionInfo": "3.0",
+      "filesAnalyzed": false,
+      "description": "Operating System",
+      "downloadLocation": "NOASSERTION",
+      "supplier": "Organization: unknown",
+      "primaryPackagePurpose": "OPERATING_SYSTEM"
+    },
+    {
+      "SPDXID": "SPDXRef-Package-libattr1-2.5.1-r2",
+      "name": "libattr1",
+      "versionInfo": "2.5.1-r2",
+      "filesAnalyzed": false,
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "GPL-2.0-or-later",
+      "downloadLocation": "NOASSERTION",
+      "originator": "Organization: unknown",
+      "supplier": "Organization: unknown",
+      "copyrightText": "TODO\n",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE_MANAGER",
+          "referenceLocator": "pkg:apk/wolfi/libattr1@2.5.1-r2?arch=x86_64",
+          "referenceType": "purl"
+        }
+      ]
+    }
+  ],
+  "relationships": []
+}

pkg/sbom/generator/spdx/testdata/expected_image_sboms/no-supplier.spdx.json

@@ -19,7 +19,6 @@
     {
       "SPDXID": "SPDXRef-Package-",
       "name": "",
-      "versionInfo": "3.0",
       "filesAnalyzed": false,
       "description": "apko operating system layer",
       "downloadLocation": "NOASSERTION",

pkg/sbom/generator/spdx/testdata/expected_image_sboms/package-deduplicating.spdx.json

@@ -19,7 +19,6 @@
     {
       "SPDXID": "SPDXRef-Package-",
       "name": "",
-      "versionInfo": "3.0",
       "filesAnalyzed": false,
       "description": "apko operating system layer",
       "downloadLocation": "NOASSERTION",

pkg/sbom/generator/spdx/testdata/expected_image_sboms/unbound-package-dedupe.spdx.json

@@ -19,7 +19,6 @@
     {
       "SPDXID": "SPDXRef-Package-",
       "name": "",
-      "versionInfo": "3.0",
       "filesAnalyzed": false,
       "description": "apko operating system layer",
       "downloadLocation": "NOASSERTION",