in-toto / witness

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
https://witness.dev
Apache License 2.0

[Bug]: witness cli doesn't always recognise sbom file as sboms #513

Open xNok opened 1 month ago

xNok commented 1 month ago

What steps did you take and what happened:

Here is how to reproduce the issue; there is not really a build here, we are only generating the SBOM for a known image using trivy.

 witness run --step build -o att-alpine.json -a sbom --signer-file-key-path testkey.pem -- /bin/bash -c 'trivy image --format cyclonedx --output alpine.cdx.json alpine:latest'

This will return the error.

ERROR   attestors failed with error messages
no SBOM file found

We can run the same command without the -a sbom to debug the products; the sbom file is listed as a product as below:

      {
        "type": "https://witness.dev/attestations/product/v0.1",
        "attestation": {
          "alpine.cdx.json": {
            "mime_type": "application/json",
            "digest": {
              "sha256": "392ad10a908b4f8ccb2c8315bc47a13a896ab7bd18912b2d9847fa00c00af6c4"
            }
          }
        },
        "starttime": "2024-10-14T12:21:00.123733702+01:00",
        "endtime": "2024-10-14T12:21:00.131667719+01:00"
      }

The SBOM is recorded but the MIME type is invalid. I thought the issue might be in go-witness and made the following test: https://github.com/xNok/go-witness/commit/7cc2d62b3995765412ea154ee881a44ee2c0e780#diff-497bc6b0bf036ac033a672665b1a6e3724c6bacb95993554bf1cb55b7c6f3287

It turns out this test passed, and the file generated is properly processed, so it seems the issue is elsewhere.

What did you expect to happen:

The sbom generated by trivy should be added to the attestations.

Anything else you would like to add:

I have tried the same process with syft and it works as expected.

witness run --step build -o att-alpine.json -a sbom --signer-file-key-path testkey.pem -- /bin/bash -c 'syft scan alpine:latest -o cyclonedx-json > alpine.cyclonedx.json'

Environment:
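The product attestation quoted in the report records alpine.cdx.json only with the generic MIME type application/json and a sha256 digest, so nothing in that record says whether the file is an SBOM; an SBOM attestor has to decide that from the file content (or the name). The following Go program is an added example written for this page, not code from witness or go-witness, showing what a content-based check looks like: it sniffs the top-level CycloneDX marker ("bomFormat": "CycloneDX") and SPDX marker ("spdxVersion": "SPDX-x.y") instead of trusting extension or MIME type, and re-hashes each product against the recorded sha256 so a swapped file is caught. The sample documents in SampleFiles are constructed minimal JSON, not real trivy or syft output, and the type names (Product, ProductAttestation, Finding) are this example's own, chosen to mirror the JSON shape shown above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// SBOMFormat is the verdict of sniffing a product file's content.
type SBOMFormat string

const (
	FormatCycloneDX SBOMFormat = "cyclonedx-json"
	FormatSPDX      SBOMFormat = "spdx-json"
	FormatUnknown   SBOMFormat = ""
)

// DetectSBOMFormat classifies a JSON document by its top-level markers
// ("bomFormat":"CycloneDX" or "spdxVersion":"SPDX-x.y") rather than by file
// extension or a generic MIME type such as application/json.
func DetectSBOMFormat(data []byte) SBOMFormat {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(data, &doc); err != nil {
		return FormatUnknown // not a JSON object at all
	}
	var s string
	if raw, ok := doc["bomFormat"]; ok && json.Unmarshal(raw, &s) == nil && s == "CycloneDX" {
		return FormatCycloneDX
	}
	if raw, ok := doc["spdxVersion"]; ok && json.Unmarshal(raw, &s) == nil && strings.HasPrefix(s, "SPDX-") {
		return FormatSPDX
	}
	return FormatUnknown
}

// Product mirrors one entry of the product attestation quoted in the issue
// (example type, not go-witness's own).
type Product struct {
	MimeType string            `json:"mime_type"`
	Digest   map[string]string `json:"digest"`
}

// ProductAttestation is the "attestation" object: file name -> Product.
type ProductAttestation map[string]Product

// BuildProductAttestation records each file the way the product attestor did
// in the report: a generic MIME type plus a sha256 digest, nothing SBOM-specific.
func BuildProductAttestation(files map[string][]byte) ProductAttestation {
	att := ProductAttestation{}
	for name, data := range files {
		sum := sha256.Sum256(data)
		att[name] = Product{MimeType: "application/json",
			Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}
	}
	return att
}

// Finding is the verdict for one recorded product.
type Finding struct {
	Name        string
	Format      SBOMFormat
	DigestMatch bool
}

// CheckProducts walks the product attestation in name order, re-hashes each
// file against the recorded digest and sniffs its SBOM format. A product that
// is recorded but absent from files is reported with DigestMatch=false.
func CheckProducts(att ProductAttestation, files map[string][]byte) []Finding {
	names := make([]string, 0, len(att))
	for name := range att {
		names = append(names, name)
	}
	sort.Strings(names)
	out := make([]Finding, 0, len(names))
	for _, name := range names {
		f := Finding{Name: name}
		if data, ok := files[name]; ok {
			sum := sha256.Sum256(data)
			f.DigestMatch = hex.EncodeToString(sum[:]) == att[name].Digest["sha256"]
			f.Format = DetectSBOMFormat(data)
		}
		out = append(out, f)
	}
	return out
}

// SampleFiles are constructed inputs (not real trivy/syft output): a minimal
// CycloneDX document under the .cdx.json name from the report, a minimal SPDX
// document, and a JSON file that is not an SBOM at all.
var SampleFiles = map[string][]byte{
	"alpine.cdx.json":  []byte(`{"bomFormat":"CycloneDX","specVersion":"1.5","version":1,"components":[{"type":"library","name":"musl","version":"1.2.4-r2"}]}`),
	"alpine.spdx.json": []byte(`{"spdxVersion":"SPDX-2.3","dataLicense":"CC0-1.0","SPDXID":"SPDXRef-DOCUMENT","name":"alpine"}`),
	"notes.json":       []byte(`{"note":"just a JSON file, not an SBOM"}`),
}

func main() {
	att := BuildProductAttestation(SampleFiles)
	for _, f := range CheckProducts(att, SampleFiles) {
		format := string(f.Format)
		if format == "" {
			format = "not an SBOM"
		}
		fmt.Printf("%-18s mime=%s digest_ok=%v format=%s\n", f.Name, att[f.Name].MimeType, f.DigestMatch, format)
	}
}
```

All three sample products carry the same application/json MIME type, so only the content sniff separates the two SBOMs from notes.json; the digest comparison is the part that matters for provenance, since a file that is recognised as an SBOM but whose hash no longer matches the product record must not be attested.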