fix: do not create SBOM for packages without SBOMable material (#3540)

Signed-off-by: Austin Abro <[email protected]>

src/cmd/package.go

@@ -440,7 +440,7 @@ func (o *PackageInspectSBOMOptions) Run(cmd *cobra.Command, args []string) error
 	}
 	outputPath, err := layout.GetSBOM(o.outputDir)
 	if err != nil {
-		return err
+		return fmt.Errorf("could not get SBOM: %w", err)
 	}
 	outputPath, err = filepath.Abs(outputPath)
 	if err != nil {

src/internal/packager2/create.go

@@ -5,12 +5,15 @@ package packager2
 
 import (
 	"context"
+	"errors"
+	"fmt"
 
 	"github.com/defenseunicorns/pkg/helpers/v2"
 	"github.com/defenseunicorns/pkg/oci"
 
 	"github.com/zarf-dev/zarf/src/config"
 	layout2 "github.com/zarf-dev/zarf/src/internal/packager2/layout"
+	"github.com/zarf-dev/zarf/src/pkg/logger"
 )
 
 type CreateOptions struct {
@@ -27,6 +30,10 @@ type CreateOptions struct {
 }
 
 func Create(ctx context.Context, packagePath string, opt CreateOptions) error {
+	if opt.SkipSBOM && opt.SBOMOut != "" {
+		return fmt.Errorf("cannot skip SBOM creation and specify an SBOM output directory")
+	}
+
 	createOpt := layout2.CreateOptions{
 		Flavor:                  opt.Flavor,
 		RegistryOverrides:       opt.RegistryOverrides,
@@ -64,6 +71,12 @@ func Create(ctx context.Context, packagePath string, opt CreateOptions) error {
 
 	if opt.SBOMOut != "" {
 		_, err := pkgLayout.GetSBOM(opt.SBOMOut)
+		// Don't fail package create if the package doesn't have an sbom
+		var noSBOMErr *layout2.NoSBOMAvailableError
+		if errors.As(err, &noSBOMErr) {
+			logger.From(ctx).Error(fmt.Sprintf("cannot output sbom: %s", err.Error()))
+			return nil
+		}
 		if err != nil {
 			return err
 		}

src/internal/packager2/layout/create.go

@@ -165,7 +165,7 @@ func CreatePackage(ctx context.Context, packagePath string, opt CreateOptions) (
 
 	l.Info("composed components successfully")
 
-	if !opt.SkipSBOM {
+	if !opt.SkipSBOM && pkg.IsSBOMAble() {
 		l.Info("generating SBOM")
 		err = generateSBOM(ctx, pkg, buildPath, sbomImageList)
 		if err != nil {

src/internal/packager2/layout/create_test.go

@@ -227,6 +227,44 @@ func TestLoadPackageErrorWithoutCompatibleFlavor(t *testing.T) {
 	require.EqualError(t, err, fmt.Sprintf("package validation failed: %s", lint.PkgValidateErrNoComponents))
 }
 
+func writePackageToDisk(t *testing.T, pkg v1alpha1.ZarfPackage, dir string) {
+	t.Helper()
+	b, err := goyaml.Marshal(pkg)
+	require.NoError(t, err)
+	path := filepath.Join(dir, ZarfYAML)
+	err = os.WriteFile(path, b, 0700)
+	require.NoError(t, err)
+}
+
+func TestGetSBOM(t *testing.T) {
+	t.Parallel()
+	lint.ZarfSchema = testutil.LoadSchema(t, "../../../../zarf.schema.json")
+
+	tmpdir := t.TempDir()
+	pkg := v1alpha1.ZarfPackage{
+		Kind: v1alpha1.ZarfPackageConfig,
+		Metadata: v1alpha1.ZarfMetadata{
+			Name: "test-sbom",
+		},
+		Components: []v1alpha1.ZarfComponent{
+			{
+				Name: "do-nothing",
+			},
+		},
+	}
+	writePackageToDisk(t, pkg, tmpdir)
+
+	pkgLayout, err := CreatePackage(context.Background(), tmpdir, CreateOptions{})
+	require.NoError(t, err)
+
+	// Ensure the SBOM does not exist
+	require.NoFileExists(t, filepath.Join(pkgLayout.dirPath, SBOMTar))
+	// Ensure Zarf errors correctly
+	_, err = pkgLayout.GetSBOM(tmpdir)
+	var noSBOMErr *NoSBOMAvailableError
+	require.ErrorAs(t, err, &noSBOMErr)
+}
+
 func TestCreateAbsolutePathFileSource(t *testing.T) {
 	t.Parallel()
 	lint.ZarfSchema = testutil.LoadSchema(t, "../../../../zarf.schema.json")
@@ -240,15 +278,6 @@ func TestCreateAbsolutePathFileSource(t *testing.T) {
 		return absoluteFilePath
 	}
 
-	writePackageToDisk := func(t *testing.T, pkg v1alpha1.ZarfPackage, dir string) {
-		t.Helper()
-		b, err := goyaml.Marshal(pkg)
-		require.NoError(t, err)
-		path := filepath.Join(dir, "zarf.yaml")
-		err = os.WriteFile(path, b, 0700)
-		require.NoError(t, err)
-	}
-
 	t.Run("test a standard package can use absolute file paths", func(t *testing.T) {
 		t.Parallel()
 		tmpdir := t.TempDir()

src/internal/packager2/layout/package.go

@@ -121,8 +121,20 @@ func (p *PackageLayout) Cleanup() error {
 	return nil
 }
 
+// NoSBOMAvailableError is returned when a user tries to access a package SBOM, but it is not available
+type NoSBOMAvailableError struct {
+	pkgName string
+}
+
+func (e *NoSBOMAvailableError) Error() string {
+	return fmt.Sprintf("zarf package %s does not have an SBOM available", e.pkgName)
+}
+
 // GetSBOM outputs the SBOM data from the package to the give destination path.
 func (p *PackageLayout) GetSBOM(destPath string) (string, error) {
+	if !p.Pkg.IsSBOMAble() {
+		return "", &NoSBOMAvailableError{pkgName: p.Pkg.Metadata.Name}
+	}
 	path := filepath.Join(destPath, p.Pkg.Metadata.Name)
 	err := archiver.Extract(filepath.Join(p.dirPath, SBOMTar), "", path)
 	if err != nil {

src/internal/packager2/remove.go

@@ -167,5 +167,6 @@ func Remove(ctx context.Context, opt RemoveOptions) error {
 		}
 	}
 
+	l.Info("package successfully removed", "name", pkg.Metadata.Name)
 	return nil
 }

src/test/e2e/29_config_file_test.go

@@ -29,8 +29,6 @@ func TestConfigFileCreate(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, "This is a zebra and they have stripes", pkgLayout.Pkg.Components[1].Description)
 	require.Equal(t, "This is a leopard and they have spots", pkgLayout.Pkg.Components[2].Description)
-	_, err = pkgLayout.GetSBOM(t.TempDir())
-	require.NoError(t, err)
 
 	_, _, err = e2e.Zarf(t, "package", "deploy", tarPath, "--confirm")
 	require.NoError(t, err)