In cases where you have multiple images for a single repository already pulled and you specify an image without a tag to docker sbom, then you will get back from docker image save a tar that has multiple images / manifests. This is a problem since we are trying to create an SBOM description for a single image, and multiple images are not supported.
This PR adjusts input validation to parse the image reference and, if a tag or digest is not found, assume latest. This should result in a single manifest at the docker image save step, since platform and OS have sane defaults as well. The only remaining case that is not covered would be if multiple manifests are created for the same tag manually, which is unlikely and not supported yet (they will need to use a digest in these cases).
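The two steps the description relies on, as an added example that is not the PR's own code: the reference normalization (append latest only when neither a tag nor a digest is present, treating a colon in the registry host as a port rather than a tag) and a guard over the manifest.json that docker image save writes at the root of its tar, which rejects the archive when it contains more than one image. The function names, the manifest samples and the zero-filled digest are constructed for this example; docker sbom itself parses references with the distribution/reference library, not this hand-rolled code.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// NormalizeImageRef returns ref with an explicit tag or digest.
// Hypothetical helper for this example (not the project's parser).
//   - "@sha256:..." pins one manifest: keep as-is
//   - a ":tag" after the last "/" pins one manifest: keep as-is
//   - otherwise append ":latest"
// "localhost:5000/app" has a colon in the host (a port), not a tag.
func NormalizeImageRef(ref string) string {
	if strings.Contains(ref, "@") {
		return ref // digest present, possibly alongside a tag
	}
	lastSlash := strings.LastIndex(ref, "/")
	lastColon := strings.LastIndex(ref, ":")
	if lastColon > lastSlash {
		return ref // tag present in the final path component
	}
	return ref + ":latest"
}

// saveManifestEntry mirrors one entry of the manifest.json array that
// "docker image save" places at the root of the tar.
type saveManifestEntry struct {
	Config   string   `json:"Config"`
	RepoTags []string `json:"RepoTags"`
	Layers   []string `json:"Layers"`
}

// SingleImageFromManifest parses manifest.json and returns the RepoTags of
// the lone image, or an error when the archive holds zero or several images
// (the case this PR aims to avoid, and the remaining manual same-tag case).
func SingleImageFromManifest(manifestJSON []byte) ([]string, error) {
	var entries []saveManifestEntry
	if err := json.Unmarshal(manifestJSON, &entries); err != nil {
		return nil, fmt.Errorf("parse manifest.json: %w", err)
	}
	if len(entries) != 1 {
		return nil, fmt.Errorf("expected exactly one image in archive, found %d", len(entries))
	}
	return entries[0].RepoTags, nil
}

// Constructed sample: what "docker image save alpine" yields when both
// alpine:3.16 and alpine:latest are pulled (two manifests, the bug case).
const multiImageManifest = `[
 {"Config":"aaa.json","RepoTags":["alpine:3.16"],"Layers":["l1/layer.tar"]},
 {"Config":"bbb.json","RepoTags":["alpine:latest"],"Layers":["l2/layer.tar"]}
]`

// Constructed sample: the archive after saving the normalized "alpine:latest".
const singleImageManifest = `[
 {"Config":"bbb.json","RepoTags":["alpine:latest"],"Layers":["l2/layer.tar"]}
]`

func main() {
	fakeDigest := "sha256:" + strings.Repeat("0", 64) // constructed, not a real digest
	for _, ref := range []string{"alpine", "alpine:3.16", "localhost:5000/app", "ghcr.io/org/app@" + fakeDigest} {
		fmt.Printf("%-40s -> %s\n", ref, NormalizeImageRef(ref))
	}
	if _, err := SingleImageFromManifest([]byte(multiImageManifest)); err != nil {
		fmt.Println("untagged save rejected:", err)
	}
	tags, err := SingleImageFromManifest([]byte(singleImageManifest))
	fmt.Println("normalized save accepted:", tags, err)
}
```

The manifest check is the safety net the description mentions but does not implement: if someone manually tags two manifests the same way, normalization still produces one reference, but the saved tar again carries two entries, and failing on the count is preferable to silently describing the first one.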