Lack of predictable URLs for SBOM content

[jcrossley3]

Downstream issue: https://issues.redhat.com/browse/TC-2291

Hey, we have been doing some investigation on how to switch from TPA v1 to v2 for Atlas + Konflux use case and figure out there is a difference in the API for SBOM uploads.

In v1, a client uploading the SBOM using API is able to set the identifier. The identifier is later used in the URL. For a Konflux use case, we used the OCI image digest (sha256:xxx) as an identifier. Konflux UI provides a link to Atlas and redirects users to the Atlas UI with given SBOM content.

Example: https://atlas.build.devshift.net/sbom/content/sha256%3A27997ced3a373c1c4352477abfd59a8229efba9b61a5b38bbf18aedccc103aad

In the v2 it seems this option is no longer available and TPA generates its internal identifier (example: urn:uuid:01956681-ffdf-7872-8621-cb2d73ab469d). This mechanism makes the URL unpredictable, and Konflux can't provide the link to Atlas.

We had a short conversation in Slack about this issue, and there was an idea to use labels instead. However, there seems to be still some limitations with this solution.

To be clear we don't need 1:1 feature mapping from v1 but we would need an replacement that could allow us set a name of the SBOM that is later query-able with the URL parameters.

Slack thread: https://redhat-internal.slack.com/archives/C06E0PCESLR/p1741166288640559

[ctron]

I think it would make sense to allow retrieval by:

• Document digest (SHA256, ...)
• Document ID (SPDX namespace, CDX serial). This however might result in multiple documents.

[ctron]

So checking the API, we also ready do support that, although the documentation for that might have been better. That should be fixed in PR #1413