Short version:
- Derive proper caching key for SBOM/scan result.
- Do singleflight for both SBOM generation based on the key and for the scan itself.
See also #476
Cache key - we can try to follow the path established for image building:
- Schematic is mapped into the imager's Profile. Here SBOM depends only on the extensions list, so we don't need to populate anything else.
- Profile is cleaned up, marshaled and hashed.
- This provides an SBOM key which already includes schematic, Talos version and arch.
- Add singleflight based on this key around SBOM generation, use it for caching.
- For the security scan - same applies, the only new stuff is invalidation based on VEX/vulndb. We should also do singleflight.
Test plan:
- Get an SBOM/scan for a schematic A.
- Mutate schematic in a way that shouldn't affect the SBOM - e.g. test with embedded config, kernel args, etc.
- Verify that SBOM for schematic B is delivered (almost) immediately - it should be cached.
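
A sketch of the cache key and per-key deduplication described above, as an added example that is not the project's own code. `sbomProfile`, `sbomKey`, `sbomCache` and the sample version and extension names are hypothetical, and a `sync.Once` per key stands in for a singleflight library.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
	"sync"
)

// sbomProfile (hypothetical) holds only the inputs that change the SBOM.
type sbomProfile struct {
	Version, Arch string
	Extensions    []string
}

// sbomKey cleans up the profile (sorted extensions), marshals and hashes it.
func sbomKey(version, arch string, extensions []string) string {
	exts := append([]string{}, extensions...)
	sort.Strings(exts)
	data, _ := json.Marshal(sbomProfile{Version: version, Arch: arch, Extensions: exts})
	return fmt.Sprintf("%x", sha256.Sum256(data))
}

type entry struct {
	once sync.Once
	sbom []byte
	err  error
}

// sbomCache runs generate once per key; concurrent callers share the result.
type sbomCache struct{ entries sync.Map }

func (c *sbomCache) get(key string, generate func() ([]byte, error)) ([]byte, error) {
	v, _ := c.entries.LoadOrStore(key, &entry{})
	e := v.(*entry)
	e.once.Do(func() {
		if e.sbom, e.err = generate(); e.err != nil {
			c.entries.Delete(key) // failures are not cached, the next caller retries
		}
	})
	return e.sbom, e.err
}

func main() {
	var c sbomCache // sample version and extension names below are constructed
	key := sbomKey("v1.9.0", "amd64", []string{"example/ext-a"})
	sbom, err := c.get(key, func() ([]byte, error) { return []byte("{}"), nil })
	fmt.Println(key, string(sbom), err)
}
```

Kernel args and embedded config are not inputs to `sbomKey`, so two schematics that differ only in those fields map to the same key and the second request is served from the cache.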