[Bug]: duplicated entries returned by referrers API

zot version

ghcr.io/project-zot/zot-linux-amd64:v2.0.1

Describe the bug

In one of my ZOT repositories, I have a OCI v1.1.0 manifest A with its subject pointing to another manifest B. When I get the referrers of B (via GET /v2/<name>/referrers/<digest_of_b>), I can see one entry with descriptor of A.

If I add a tag to A (via PUT /v2/<name>/manifests/<digest_of_a>) and get the referrers of B again, there are two duplicated entries in the returned result of GET /v2/<name>/referrers/<digest_of_b>, both pointing to A.

To reproduce

Configuration: Running ghcr.io/project-zot/zot-linux-amd64:v2.0.1 based on ext4 file system
Client tools: oras v1.2.0 and curl for listing referrers
Steps
- Create a subject and a referrer artifact.
- List referrers of subject (get one entry).
- Tag the referrer artifact.
- List referrers of subject (get two duplicated entries)

> ## Create a subject and a referrer artifact.
> oras push localhost:7000/test:subject
...
Pushed [registry] localhost:7000/test:subject
ArtifactType: application/vnd.unknown.artifact.v1
> oras attach --artifact-type billy/test -a test=true localhost:7000/test:subject
...
Attached to [registry] localhost:7000/test@sha256:ba84e32aa0da494820c26b3d53f642c80f98fbb719aa5bd0fef9056ba14d5442
Digest: sha256:84cf75ff09cf72fa7a30c9e29ec1c11cb6d6a30a79367a4dd892b6b8a6d67c71

> ## List referrers of subject (get one entry).
> curl -u hello:oras-test http://localhost:7000/v2/test/referrers/sha256:ba84e32aa0da494820c26b3d53f642c80f98fbb719aa5bd0fef9056ba14d5442 -v | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1:7000...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 7000 (#0)
* Server auth using Basic with user 'hello'
> GET /v2/test/referrers/sha256:ba84e32aa0da494820c26b3d53f642c80f98fbb719aa5bd0fef9056ba14d5442 HTTP/1.1
> Host: localhost:7000
> Authorization: Basic aGVsbG86b3Jhcy10ZXN0
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Authorization,content-type,X-ZOT-API-CLIENT
< Access-Control-Allow-Methods: GET,OPTIONS
< Access-Control-Allow-Origin: *
< Content-Type: application/vnd.oci.image.index.v1+json
< Date: Mon, 01 Jul 2024 03:12:26 GMT
< Content-Length: 356
<
{ [356 bytes data]
100   356  100   356    0     0  44500      0 --:--:-- --:--:-- --:--:-- 44500
* Connection #0 to host localhost left intact
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:84cf75ff09cf72fa7a30c9e29ec1c11cb6d6a30a79367a4dd892b6b8a6d67c71",
      "size": 687,
      "annotations": {
        "org.opencontainers.image.created": "2024-07-01T03:11:06Z",
        "test": "true"
      },
      "artifactType": "billy/test"
    }
  ]
}

> ## Tag the referrer artifact.
> oras tag localhost:7000/test@sha256:84cf75ff09cf72fa7a30c9e29ec1c11cb6d6a30a79367a4dd892b6b8a6d67c71 new
Tagging [registry] localhost:7000/test@sha256:84cf75ff09cf72fa7a30c9e29ec1c11cb6d6a30a79367a4dd892b6b8a6d67c71
Tagged new

> ## List referrers of subject (get two duplicated entries)
> curl -u hello:oras-test http://localhost:7000/v2/test/referrers/sha256:ba84e32aa0da494820c26b3d53f642c80f98fbb719aa5bd0fef9056ba14d5442 -v | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1:7000...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 7000 (#0)
* Server auth using Basic with user 'hello'
> GET /v2/test/referrers/sha256:ba84e32aa0da494820c26b3d53f642c80f98fbb719aa5bd0fef9056ba14d5442 HTTP/1.1
> Host: localhost:7000
> Authorization: Basic aGVsbG86b3Jhcy10ZXN0
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Authorization,content-type,X-ZOT-API-CLIENT
< Access-Control-Allow-Methods: GET,OPTIONS
< Access-Control-Allow-Origin: *
< Content-Type: application/vnd.oci.image.index.v1+json
< Date: Mon, 01 Jul 2024 03:15:52 GMT
< Content-Length: 625
<
{ [625 bytes data]
100   625  100   625    0     0  78125      0 --:--:-- --:--:-- --:--:-- 78125
* Connection #0 to host localhost left intact
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:84cf75ff09cf72fa7a30c9e29ec1c11cb6d6a30a79367a4dd892b6b8a6d67c71",
      "size": 687,
      "annotations": {
        "org.opencontainers.image.created": "2024-07-01T03:11:06Z",
        "test": "true"
      },
      "artifactType": "billy/test"
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:84cf75ff09cf72fa7a30c9e29ec1c11cb6d6a30a79367a4dd892b6b8a6d67c71",
      "size": 687,
      "annotations": {
        "org.opencontainers.image.created": "2024-07-01T03:11:06Z",
        "test": "true"
      },
      "artifactType": "billy/test"
    }
  ]
}

Expected behavior

Returned result of referrers API should be deduplicated.

Screenshots

No response

Additional context

No response

project-zot / zot