
SBOM. sbom flags are not respected #23915

@AndreiPaulau


Issue Description

SBOM flags are not respected by the podman build command.
Meanwhile, the sbom options do fail on wrong input.

Builds were made inside the container quay.io/containers/podman:v5

Checked over tags 5.0 - 5.2

At the same time, the buildah build command works as expected.

Steps to reproduce the issue

podman build:

podman build -t sbom-img --sbom=trivy-spdx \
        --sbom-image-output=/app/sbom-spdx.json \
        --sbom-output=sbom-spdx.json \
        --sbom-scanner-image=ghcr.io/aquasecurity/trivy \
        --sbom-scanner-command="trivy filesystem -q {ROOTFS} --format spdx-json --output {OUTPUT}" \
        --sbom-scanner-command="trivy filesystem -q {CONTEXT} --format spdx-json --output {OUTPUT}" \
        --sbom-merge-strategy=merge-spdx-by-package-name-and-versioninfo \
        -f Dockerfile

Dockerfile

FROM ubuntu:22.04
WORKDIR /app

Describe the results you received

Simply skipped scanning and further SBOM file creation

WARN[0000] Using cgroups-v1 which is deprecated in favor of cgroups-v2 with Podman v5 and will be removed in a future version. Set environment variable `PODMAN_IGNORE_CGROUPSV1_WARNING` to hide this warning.
STEP 1/2: FROM ubuntu:22.04
Resolved "ubuntu" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/ubuntu:22.04...
Getting image source signatures
Copying blob 857cc8cb19c0 done   |
Copying config 53a843653c done   |
Writing manifest to image destination
STEP 2/2: WORKDIR /app
COMMIT sbom-img
--> c3058f6a81c4
Successfully tagged localhost/sbom-img:latest
c3058f6a81c46dea828fd8965374ade3daa9e69ca408ef39c850caa3c2827a5a
[root@da6851966881 /]# podman run -it --rm sbom-img ls -al
WARN[0000] Using cgroups-v1 which is deprecated in favor of cgroups-v2 with Podman v5 and will be removed in a future version. Set environment variable `PODMAN_IGNORE_CGROUPSV1_WARNING` to hide this warning.
total 8
drwxr-xr-x  2 root root 4096 Sep 12 14:28 .
dr-xr-xr-x 18 root root 4096 Sep 12 14:28 ..

While building with buildah: pulled trivy -> scanned image -> created layer with /app/sbom-spdx.json file.
buildah build with the same options:

STEP 1/2: FROM ubuntu:22.04
STEP 2/2: WORKDIR /app
COMMIT sbom-img-buildah
Getting image source signatures
Copying blob 1b9b7346fee7 skipped: already exists
Copying blob cad2856146df done   |
Copying blob 9ad3fb25c9c9 done   |
Copying config 85ca4d47d9 done   |
Writing manifest to image destination
--> 85ca4d47d901
Successfully tagged localhost/sbom-img-buildah:latest
85ca4d47d901094e5ea61523aec04661d408a2fa855932a97ba4d6f73fe746e9
[root@da6851966881 /]# podman run -it --rm sbom-img-buildah ls -al
WARN[0000] Using cgroups-v1 which is deprecated in favor of cgroups-v2 with Podman v5 and will be removed in a future version. Set environment variable `PODMAN_IGNORE_CGROUPSV1_WARNING` to hide this warning.
total 312
drwxr-xr-x  2 root root   4096 Sep 12 14:30 .
dr-xr-xr-x 18 root root   4096 Sep 12 14:31 ..
-rw-r--r--  1 root root 307726 Sep 12 14:30 sbom-spdx.json

Describe the results you expected


podman info output

- WSL ubuntu 22.04
- K8s

Podman in a container

Yes

Privileged Or Rootless

Privileged

Upstream Latest Release

Yes
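
A post-build gate for the failure reported in this issue (the build exits successfully but no SBOM is written), added here as an example and not part of the original report or of podman. It copies the expected file out of the built image with `podman create` and `podman cp` and checks that it is SPDX JSON listing at least one package; the function names and the validation rules are assumptions made for illustration.

```python
import json
import subprocess
import sys
import tempfile
from pathlib import Path


def sbom_problems(path):
    """Return reasons why `path` is not a usable SPDX JSON SBOM ([] means OK)."""
    p = Path(path)
    if not p.is_file():
        return [f"{p}: not created"]
    try:
        doc = json.loads(p.read_text(encoding="utf-8"))
    except ValueError as exc:  # covers empty, truncated and non-UTF-8 files
        return [f"{p}: not valid JSON ({exc})"]
    if not isinstance(doc, dict):
        return [f"{p}: top level is not a JSON object"]
    problems = []
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        problems.append(f"{p}: spdxVersion missing")
    pkgs = doc.get("packages")
    if not isinstance(pkgs, list) or not pkgs:
        problems.append(f"{p}: no packages listed")
    elif any(not isinstance(x, dict) or not x.get("name") for x in pkgs):
        problems.append(f"{p}: package entry without a name")
    return problems


def image_sbom_problems(image, image_path, engine="podman"):
    """Copy `image_path` out of a never-started container and validate it."""
    made = subprocess.run([engine, "create", image],
                          check=True, capture_output=True, text=True)
    cid = made.stdout.strip()
    try:
        with tempfile.TemporaryDirectory() as tmp:
            dest = Path(tmp) / "sbom.json"
            copied = subprocess.run([engine, "cp", f"{cid}:{image_path}", str(dest)],
                                    capture_output=True, text=True)
            if copied.returncode != 0:
                return [f"{image}:{image_path}: not present in the image"]
            return sbom_problems(dest)
    finally:
        subprocess.run([engine, "rm", cid], capture_output=True)


if __name__ == "__main__" and len(sys.argv) == 4:
    # e.g. check.py sbom-img /app/sbom-spdx.json sbom-spdx.json
    image, in_image, on_host = sys.argv[1:]
    found = image_sbom_problems(image, in_image) + sbom_problems(on_host)
    print("\n".join(found) or "SBOM present in image and on host")
    sys.exit(1 if found else 0)
```

Run it as a pipeline step right after the build so that a skipped scan fails the job instead of producing an image without an SBOM.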

