Conversation

@leodido
Contributor

@leodido leodido commented Dec 13, 2025

Summary

Upload SBOM sidecar files alongside artifacts when using the sign-cache command.

Stacked on #314

Changes

  1. Add SBOM upload to sign-cache (signing/upload.go)

    • Upload .sbom.cdx.json, .sbom.spdx.json, .sbom.json files alongside artifacts
    • Check if SBOM exists locally before upload
    • Check if SBOM already exists in remote cache to avoid re-upload
    • Non-blocking: failures are logged but don't fail the upload
  2. Fix SBOM upload when artifact already exists

    • When artifact/attestation already exist in cache, still check and upload missing SBOM files
    • Covers all code paths in UploadArtifactWithAttestation
  3. Consolidate SBOM constants (cache/types.go)

    • Move SBOM extension constants to single location
    • Add SBOMSidecarExtensions() function
    • Remove duplication from sbom.go, s3.go, signing/upload.go

Testing

  • All existing tests pass
  • Manual testing with SLSA L3 cache verification in gitpod-next CI

leodido and others added 3 commits December 13, 2025 15:10

When LEEWAY_DEFAULT_CACHE_LEVEL=remote-pull is set (SLSA mode), the
normal upload path is skipped and sign-cache handles uploads. However,
sign-cache only uploaded artifacts and attestations, not SBOM files.

This caused SBOM vulnerability scans to fail with 'SBOM file not found
in package archive' because SBOM files were generated locally but never
uploaded to the remote cache.

Now sign-cache also uploads SBOM sidecar files (.sbom.cdx.json,
.sbom.spdx.json, .sbom.json) alongside artifacts and attestations.

Co-authored-by: Ona <[email protected]>

When artifact and attestation already exist in cache, we were returning
early without checking for SBOM files. This caused SBOM files to be
missing when builds were re-run.

Now we call uploadSBOMFiles in all code paths to ensure SBOM files are
uploaded if they exist locally but are missing from the cache.

Co-authored-by: Ona <[email protected]>

Move SBOM file extension constants to pkg/leeway/cache/types.go to avoid
duplication across sbom.go, s3.go, and signing/upload.go.

Add SBOMSidecarExtensions() function that returns all SBOM sidecar file
extensions, ensuring consistency across the codebase.

Co-authored-by: Ona <[email protected]>
@leodido leodido changed the title fix: upload SBOM files in sign-cache command fix: upload SBOM files in sign-cache command Dec 13, 2025
@leodido leodido self-assigned this Dec 13, 2025