docker / sbom-cli-plugin

Plugin for Docker CLI to support SBOM creation using Syft
Apache License 2.0

Assume latest tag when not provided #10

Closed wagoodman closed 2 years ago

wagoodman commented 2 years ago

In cases where you have multiple images for a single repository already pulled and you specify an image without a tag to docker sbom, then you will get back from docker image save a tar that has multiple images / manifests. This is a problem since we are trying to create an SBOM description for a single image, and multiple images are not supported.

This PR adjusts input validation to parse the image reference and, if a tag or digest is not found, then latest is assumed. This should result in a single manifest at the docker image save step since platform and OS have sane defaults as well. The only remaining case that is not covered would be if multiple manifests are created for the same tag manually, which is unlikely, and not supported yet (they will need to use a digest in these cases).
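The two checks the description relies on, as an added Go example that is not code from the plugin or from the PR author: normalizeRef defaults a reference with neither tag nor digest to latest, and requireSingleManifest rejects a docker image save archive whose manifest.json still lists more than one image (the case the PR leaves unsupported). Both function names and the manifest.json sample are assumptions constructed for this example; the Config and RepoTags fields are those docker image save writes into manifest.json.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// normalizeRef (hypothetical helper, not the plugin's own code) appends ":latest"
// to a reference with neither tag nor digest, so "docker image save" exports one
// manifest rather than every locally pulled tag of the repository.
func normalizeRef(ref string) (string, error) {
	if ref == "" {
		return "", fmt.Errorf("empty image reference")
	}
	if strings.Contains(ref, "@") {
		return ref, nil // a digest pins exactly one manifest
	}
	// Only the last path component may carry a tag; a colon before the last
	// slash is a registry port, e.g. "localhost:5000/app".
	last := ref[strings.LastIndex(ref, "/")+1:]
	if strings.Contains(last, ":") {
		return ref, nil // tag already present
	}
	return ref + ":latest", nil
}

// manifestEntry mirrors one element of manifest.json inside a saved image tar.
type manifestEntry struct {
	Config   string   `json:"Config"`
	RepoTags []string `json:"RepoTags"`
}

// requireSingleManifest rejects archives that still hold several images, the
// case the PR leaves unsupported (e.g. several manifests created for one tag).
func requireSingleManifest(manifestJSON []byte) (manifestEntry, error) {
	var entries []manifestEntry
	if err := json.Unmarshal(manifestJSON, &entries); err != nil {
		return manifestEntry{}, err
	}
	if len(entries) != 1 {
		return manifestEntry{}, fmt.Errorf("want 1 manifest, got %d: use a tag or digest", len(entries))
	}
	return entries[0], nil
}
```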