Description
Downstream issue: https://issues.redhat.com/browse/TC-2291
Hey, we have been doing some investigation on how to switch from TPA v1 to v2 for the Atlas + Konflux use case and figured out there is a difference in the API for SBOM uploads.
In v1, a client uploading the SBOM using the API is able to set the identifier. The identifier is later used in the URL. For a Konflux use case, we used the OCI image digest (sha256:xxx) as an identifier. Konflux UI provides a link to Atlas and redirects users to the Atlas UI with the given SBOM content.
In v2, it seems this option is no longer available and TPA generates its internal identifier (example: urn:uuid:01956681-ffdf-7872-8621-cb2d73ab469d). This mechanism makes the URL unpredictable, and Konflux can't provide the link to Atlas.
We had a short conversation in Slack about this issue, and there was an idea to use labels instead. However, there still seem to be some limitations with this solution.
To be clear, we don't need 1:1 feature mapping from v1, but we would need a replacement that could allow us to set a name of the SBOM that is later query-able with the URL parameters.
Slack thread: https://redhat-internal.slack.com/archives/C06E0PCESLR/p1741166288640559