Lack of predictable URLs for SBOM content #1410

@jcrossley3

Description

Downstream issue: https://issues.redhat.com/browse/TC-2291

Hey, we have been doing some investigation on how to switch from TPA v1 to v2 for the Atlas + Konflux use case and figured out that there is a difference in the API for SBOM uploads.

In v1, a client uploading the SBOM using the API is able to set the identifier. The identifier is later used in the URL. For the Konflux use case, we used the OCI image digest (sha256:xxx) as the identifier. The Konflux UI provides a link to Atlas and redirects users to the Atlas UI with the given SBOM content.

Example: https://atlas.build.devshift.net/sbom/content/sha256%3A27997ced3a373c1c4352477abfd59a8229efba9b61a5b38bbf18aedccc103aad

In v2 it seems this option is no longer available and TPA generates its own internal identifier (example: urn:uuid:01956681-ffdf-7872-8621-cb2d73ab469d). This mechanism makes the URL unpredictable, and Konflux can't provide the link to Atlas.

We had a short conversation in Slack about this issue, and there was an idea to use labels instead. However, there still seem to be some limitations with this solution.

To be clear, we don't need a 1:1 feature mapping from v1, but we would need a replacement that allows us to set a name for the SBOM that is later queryable via the URL parameters.

Slack thread: https://redhat-internal.slack.com/archives/C06E0PCESLR/p1741166288640559

Status: Backlog
