
feat: dedup sbom but keep it monolithic#6004

Merged
Skarlso merged 4 commits into main from mj-dedup-mono
Feb 28, 2026

Conversation

@moolen
Member

@moolen moolen commented Feb 27, 2026

Problem Statement

The SBOM is too large, we have to either split it apart (#6003) or deduplicate the entries.

This PR deduplicates entries from the SBOM.


What we keep

  • SPDX document structure and metadata (except optional fallback pruning).
  • Unique package/version entries (different versions are still separate).
  • Dependency semantics (DEPENDENCY_OF, CONTAINS, etc., deduped).
  • Attestation flow and verification flow remain the same, just using the deduped file.

What we strip

  • Always: duplicate package entries and duplicate relationships.
  • Optional fallback (only if still too large): drop OTHER relationships and remove files[] (the file-ownership-heavy part).

How dedup works (implementation)

  • Group packages by dedupe key (purl else name@version).
  • Keep first package in each group as canonical.
  • Build old→canonical SPDXID map.
  • Rewrite relationships[].spdxElementId and .relatedSpdxElement.
  • unique_by(spdxElementId|relationshipType|relatedSpdxElement).
  • Optionally remove OTHER + files.

References:

  • Dedupe logic: dedupe-spdx-gomod.sh (/tmp/eso-sign-monolithic/hack/dedupe-spdx-gomod.sh#L61)
  • Action wiring + size gate/fallback: action.yml (/tmp/eso-sign-monolithic/.github/actions/sign/action.yml#L103)

⚠️ One important tradeoff:

  • You lose “how many modules referenced this package” as explicit repeated nodes (that multiplicity is intentionally collapsed).

Before (monolithic raw Syft SPDX)

  • Same dependency appears many times (once per go.mod context), each with a different SPDXID.
  • Relationship graph is inflated by those repeated nodes.
  • You keep full file-ownership data (files[] + many OTHER relationships).
  • Result: very large predicate payload.
{
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-go-module-k8s.io-client-go-a1",
      "name": "k8s.io/client-go",
      "versionInfo": "v0.35.0",
      "externalRefs": [
        {
          "referenceType": "purl",
          "referenceLocator": "pkg:golang/k8s.io/client-go@v0.35.0"
        }
      ],
      "sourceInfo": "acquired package info from /go.mod"
    },
    {
      "SPDXID": "SPDXRef-Package-go-module-k8s.io-client-go-b2",
      "name": "k8s.io/client-go",
      "versionInfo": "v0.35.0",
      "externalRefs": [
        {
          "referenceType": "purl",
          "referenceLocator": "pkg:golang/k8s.io/client-go@v0.35.0"
        }
      ],
      "sourceInfo": "acquired package info from /providers/v1/aws/go.mod"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-Package-go-module-k8s.io-client-go-a1",
      "relationshipType": "DEPENDENCY_OF",
      "relatedSpdxElement": "SPDXRef-Package-sigs.k8s.io-controller-runtime-x"
    },
    {
      "spdxElementId": "SPDXRef-Package-go-module-k8s.io-client-go-b2",
      "relationshipType": "DEPENDENCY_OF",
      "relatedSpdxElement": "SPDXRef-Package-sigs.k8s.io-controller-runtime-x"
    }
  ]
}

After (deduped monolithic SPDX)

  • One package node per unique key:
    • purl if present
    • fallback name@version
  • All relationships are remapped to the canonical package SPDXID.
  • Duplicate relationship triples are removed.
  • Result: much smaller payload, same SPDX document type.
{
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-go-module-k8s.io-client-go-a1",
      "name": "k8s.io/client-go",
      "versionInfo": "v0.35.0",
      "externalRefs": [
        {
          "referenceType": "purl",
          "referenceLocator": "pkg:golang/k8s.io/client-go@v0.35.0"
        }
      ]
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-Package-go-module-k8s.io-client-go-a1",
      "relationshipType": "DEPENDENCY_OF",
      "relatedSpdxElement": "SPDXRef-Package-sigs.k8s.io-controller-runtime-x"
    }
  ]
}

Related Issue

Fixes #...

Proposed Changes

How do you like to solve the issue and why?

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

  • charts
  • release
  • testing
  • security
  • templating

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

Changes

Implements size-aware SBOM deduplication for both image and Go modules SBOMs while keeping a monolithic SPDX document.

Workflow updates (.github/actions/sign/action.yml)

  • Generates image SBOM: sbom.${IMAGE_TAG}.spdx.json and logs original size; deduplicates to sbom.${IMAGE_TAG}.dedup.spdx.json, logs deduped size, and if > 10 MB reruns dedupe with --drop-file-ownership; aborts attestation if still too large. Uses the final deduplicated SBOM for cosign attestation and verification.
  • Generates Go modules SBOM: sbom.gomod.${IMAGE_TAG}.spdx.json and logs original size; deduplicates to sbom.gomod.${IMAGE_TAG}.dedup.spdx.json, logs deduped size, and if > 10 MB reruns dedupe with --drop-file-ownership; aborts attestation if still too large. Uses the final deduplicated Go modules SBOM for cosign attestation and verification.
  • Keeps provenance generation/attestation and verification steps unchanged.

New script (hack/dedupe-spdx-gomod.sh)

  • Deduplicates SPDX package nodes by purl (fallback: name@version plus provenance + SPDXID); keeps the first package in each group as canonical.
  • Builds an old→canonical SPDXID map and rewrites relationships' spdxElementId and relatedSpdxElement to canonical IDs.
  • Deduplicates relationship triples (unique by spdxElementId|relationshipType|relatedSpdxElement).
  • Optional --drop-file-ownership: filters out relationshipType "OTHER" and removes files[] entries.
  • Updates documentDescribes to reference canonical IDs and writes transformed SPDX JSON.

Notes

  • Preserves SPDX document metadata, distinct versions, and dependency semantics; collapses repeated package-node multiplicity to reduce payload size.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
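To make the "How dedup works (implementation)" steps above and the size-gate fallback from the "Workflow updates" section concrete, here is an added example in Python. It is not the PR's hack/dedupe-spdx-gomod.sh (that script is bash + jq); it reimplements the same steps on a small constructed SPDX document modelled on the "Before" sample in the description (duplicate k8s.io/client-go nodes, one package without a purl, one OTHER file-ownership relationship). The functions dedupe_spdx, package_key and dedupe_with_size_gate, the RAW_SPDX sample and the error-on-oversize behaviour are assumptions for illustration, not project API.

```python
"""Added example, not the PR's script: SPDX package/relationship dedupe
plus the size-gated --drop-file-ownership fallback, in plain Python."""
import json

# Constructed sample modelled on the "Before" document in the PR description:
# client-go@v0.35.0 appears twice (one SPDXID per go.mod context).
RAW_SPDX = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "documentDescribes": ["SPDXRef-Package-go-module-k8s.io-client-go-b2"],
    "packages": [
        {"SPDXID": "SPDXRef-Package-go-module-k8s.io-client-go-a1",
         "name": "k8s.io/client-go", "versionInfo": "v0.35.0",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:golang/k8s.io/client-go@v0.35.0"}]},
        {"SPDXID": "SPDXRef-Package-go-module-k8s.io-client-go-b2",
         "name": "k8s.io/client-go", "versionInfo": "v0.35.0",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:golang/k8s.io/client-go@v0.35.0"}]},
        # No purl here, so the key falls back to name@version.
        {"SPDXID": "SPDXRef-Package-sigs.k8s.io-controller-runtime-x",
         "name": "sigs.k8s.io/controller-runtime", "versionInfo": "v0.22.0"},
    ],
    "files": [{"SPDXID": "SPDXRef-File-1", "fileName": "/go.mod"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-Package-go-module-k8s.io-client-go-a1",
         "relationshipType": "DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-Package-sigs.k8s.io-controller-runtime-x",
         "comment": "optional field preserved by in-place remap"},
        {"spdxElementId": "SPDXRef-Package-go-module-k8s.io-client-go-b2",
         "relationshipType": "DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-Package-sigs.k8s.io-controller-runtime-x"},
        {"spdxElementId": "SPDXRef-Package-go-module-k8s.io-client-go-a1",
         "relationshipType": "OTHER",
         "relatedSpdxElement": "SPDXRef-File-1"},
    ],
}


def package_key(pkg):
    """Dedupe key: the purl external ref if present, else name@version."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return f"{pkg.get('name')}@{pkg.get('versionInfo', '')}"


def dedupe_spdx(doc, drop_file_ownership=False):
    """Collapse duplicate package nodes and relationship triples; returns a new doc."""
    out = json.loads(json.dumps(doc))  # deep copy, input stays untouched
    canonical_by_key, id_map, kept = {}, {}, []
    for pkg in out.get("packages", []):
        key = package_key(pkg)
        if key not in canonical_by_key:
            canonical_by_key[key] = pkg["SPDXID"]  # first in group is canonical
            kept.append(pkg)
        id_map[pkg["SPDXID"]] = canonical_by_key[key]  # old -> canonical SPDXID
    out["packages"] = kept

    seen, rels = set(), []
    for rel in out.get("relationships", []):
        if drop_file_ownership and rel.get("relationshipType") == "OTHER":
            continue
        # Remap both endpoints in place so optional keys (comment, ...) survive.
        rel["spdxElementId"] = id_map.get(rel["spdxElementId"], rel["spdxElementId"])
        rel["relatedSpdxElement"] = id_map.get(rel["relatedSpdxElement"],
                                               rel["relatedSpdxElement"])
        triple = (rel["spdxElementId"], rel["relationshipType"], rel["relatedSpdxElement"])
        if triple in seen:
            continue  # unique_by(spdxElementId|relationshipType|relatedSpdxElement)
        seen.add(triple)
        rels.append(rel)
    out["relationships"] = rels

    if drop_file_ownership:
        out.pop("files", None)
    # documentDescribes must point at canonical IDs as well, without duplicates.
    described = [id_map.get(i, i) for i in out.get("documentDescribes", [])]
    out["documentDescribes"] = list(dict.fromkeys(described))
    return out


def dedupe_with_size_gate(doc, max_bytes):
    """Mirror the action's gate: dedupe; if still over max_bytes, re-run with
    file ownership dropped; refuse (raise) if it is still too large.
    Returns (deduped_doc, size_in_bytes, ownership_pruned)."""
    deduped = dedupe_spdx(doc)
    size = len(json.dumps(deduped).encode())
    pruned = False
    if size > max_bytes:
        deduped = dedupe_spdx(doc, drop_file_ownership=True)
        size = len(json.dumps(deduped).encode())
        pruned = True
    if size > max_bytes:
        raise RuntimeError(f"SBOM predicate still too large after pruning: {size} bytes")
    return deduped, size, pruned


if __name__ == "__main__":
    doc, size, pruned = dedupe_with_size_gate(RAW_SPDX, 10_000_000)
    print(json.dumps(doc, indent=2), size, pruned)
```

Run as-is it prints the "After"-shaped document: one client-go node, the b2 relationship folded into the a1 one, documentDescribes rewritten to the canonical ID. Passing a cap below the deduped size triggers the same second pass the action performs with --drop-file-ownership.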
@github-actions github-actions bot added labels kind/feature, component/github-actions, size/m on Feb 27, 2026
@coderabbitai

coderabbitai bot commented Feb 27, 2026

Walkthrough

Adds size-aware deduplication and attestation switching for both image and Go modules SBOMs: captures original sizes, deduplicates, logs deduped sizes, re-runs dedupe with file-ownership dropped if over a 10,000,000-byte (10 MB) cap, aborts if still oversized, and uses the final deduped SBOMs for attestation; adds a dedupe script.

Changes

Cohort / File(s) Summary
Image & Go modules SBOM attestation flow
.github/actions/sign/action.yml
Implements size-aware processing for image and Go modules SBOMs: record original sizes, deduplicate, log deduped sizes, retry dedupe with --drop-file-ownership if >10,000,000 bytes, abort attestation if still oversized, and switch attestation inputs to the final deduplicated (and possibly ownership-pruned) SBOMs. Verification steps unchanged.
SPDX dedupe script
hack/dedupe-spdx-gomod.sh
Adds a Bash script that deduplicates SPDX packages by purl (fallback: name@version), maps old SPDXIDs to canonical IDs, rewrites and deduplicates relationships and documentDescribes, optionally removes files and filters ownership (OTHER) relationships when --drop-file-ownership is used, with CLI, validation, temp-file handling, and error exits.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/actions/sign/action.yml (1)

111-113: Invoke the dedupe script via bash for portability.

These calls currently depend on file execute permissions. Running via bash avoids mode-related CI failures.

Suggested fix
-        ./hack/dedupe-spdx-gomod.sh \
+        bash ./hack/dedupe-spdx-gomod.sh \
           --input sbom.gomod.${IMAGE_TAG}.spdx.json \
           --output sbom.gomod.${IMAGE_TAG}.dedup.spdx.json
...
-          ./hack/dedupe-spdx-gomod.sh \
+          bash ./hack/dedupe-spdx-gomod.sh \
             --input sbom.gomod.${IMAGE_TAG}.spdx.json \
             --output sbom.gomod.${IMAGE_TAG}.dedup.spdx.json \
             --drop-file-ownership
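Review bot: invoking through `bash` removes the dependence on the execute bit, but both calls still pass `${IMAGE_TAG}` unquoted in `--input sbom.gomod.${IMAGE_TAG}.spdx.json` and `--output sbom.gomod.${IMAGE_TAG}.dedup.spdx.json`; quote those arguments (`--input "sbom.gomod.${IMAGE_TAG}.spdx.json"`) so an unexpected tag value cannot word-split or glob-expand into different file names between the first pass and the `--drop-file-ownership` re-run.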

Also applies to: 123-126

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/actions/sign/action.yml around lines 111 - 113, The dedupe script is
being invoked directly (“./hack/dedupe-spdx-gomod.sh ...”) which depends on
execute permissions; change the invocation to run the script via bash (e.g.,
call bash with the script path and same arguments) wherever it appears in this
action.yml (including the other block at lines 123-126) so the CI runs the
script portably regardless of file mode.
hack/dedupe-spdx-gomod.sh (1)

83-87: Preserve relationship metadata while remapping IDs.

Rebuilding relationship objects with only 3 fields drops optional data (e.g., comments/extensions). Prefer mutating existing objects in place.

Suggested refactor
-      | map({
-          spdxElementId: ($id_map[.spdxElementId] // .spdxElementId),
-          relationshipType: .relationshipType,
-          relatedSpdxElement: ($id_map[.relatedSpdxElement] // .relatedSpdxElement)
-        })
+      | map(
+          .spdxElementId = ($id_map[.spdxElementId] // .spdxElementId)
+          | .relatedSpdxElement = ($id_map[.relatedSpdxElement] // .relatedSpdxElement)
+        )
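Review bot: the in-place assignment is the right fix, since it keeps `comment` and any other optional keys the object rebuild dropped, but once both endpoints are remapped, a relationship whose two ends were distinct duplicates of the same package collapses to a self-reference (`spdxElementId == relatedSpdxElement`), and the later `unique_by` will not remove it; add `| map(select(.spdxElementId != .relatedSpdxElement))` after this step if such self-loops are not wanted in the deduped graph.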
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@hack/dedupe-spdx-gomod.sh` around lines 83 - 87, The current map({...})
rebuilds relationship objects with only spdxElementId, relationshipType, and
relatedSpdxElement, dropping optional fields (comments/extensions); instead
update the existing objects in place by assigning the remapped IDs to the
spdxElementId and relatedSpdxElement properties while leaving all other keys
untouched (use id_map to remap: id_map[.spdxElementId] // .spdxElementId and
id_map[.relatedSpdxElement] // .relatedSpdxElement), e.g. replace the map({...})
rebuild with a mapping that sets .spdxElementId and .relatedSpdxElement via
assignment/pipe so existing metadata (comments, extensions, etc.) and
relationshipType remain preserved.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/dedupe-spdx-gomod.sh`:
- Around line 67-79: The current package_key function falls back to name@version
when purl is missing, which can wrongly merge distinct packages; update
package_key so it does not use the simple name@version fallback alone—instead,
make the key conditional: if purl exists use purl, otherwise build a
non-destructive key that includes a purl-missing marker plus additional
provenance fields (e.g., ecosystem, supplier/source, or SPDXID) so __dedupe_key
is unique per actual package; adjust the creation of __dedupe_key and downstream
grouping (used when building $pkgs and $groups / canonical_spdxid) to rely on
that enriched key or skip dedupe for items with no purl.
- Around line 25-31: The --input/--output case branches currently do blind
"INPUT=\"${2:-}\"; shift 2" which will crash if the flag is the last arg; update
the handlers for the --input and --output cases to explicitly verify that a
non-empty value exists and is not another flag before assigning to INPUT/OUTPUT,
and if it is missing print a clear usage/error message and exit nonzero;
reference the case labels handling "--input" and "--output" and the variables
INPUT and OUTPUT when making the change.


ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 03f0814 and 789a6fd.

📒 Files selected for processing (2)
  • .github/actions/sign/action.yml
  • hack/dedupe-spdx-gomod.sh

@moolen moolen mentioned this pull request Feb 27, 2026
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
hack/dedupe-spdx-gomod.sh (1)

69-69: Consider adding a trap for temp file cleanup.

If the script fails after creating the temp file (e.g., jq error), the orphan file persists. Adding a trap ensures cleanup on exit.

🧹 Suggested improvement
 TMP_OUT="$(mktemp)"
+trap 'rm -f "${TMP_OUT}"' EXIT
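Review bot: the single-quoted trap body is correct (it expands `${TMP_OUT}` at exit time), but it only works if the trap is registered right after the `mktemp` assignment and before the first command that can fail, as shown, and if `TMP_OUT` is never reassigned; if the script finishes by moving the temp file onto the output path, the `rm -f` is a harmless no-op on success, and on failure the partially written output is never left behind, which is the behaviour you want for a file that is later attested.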
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@hack/dedupe-spdx-gomod.sh` at line 69, After creating the temporary file with
TMP_OUT="$(mktemp)" add a trap to ensure the temp file is removed on script exit
(success or failure): set a trap for EXIT that runs rm -f "$TMP_OUT" so any
orphaned file from commands like jq is cleaned up; place the trap immediately
after the TMP_OUT assignment and ensure any later early exits still trigger the
trap (use the EXIT signal and a quoted $TMP_OUT in the trap command).

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 789a6fd and fa05a03.

📒 Files selected for processing (2)
  • .github/actions/sign/action.yml
  • hack/dedupe-spdx-gomod.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/actions/sign/action.yml

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

On-behalf-of: Gergely Brautigam <gergely.brautigam@sap.com>

@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
.github/actions/sign/action.yml (1)

95-117: Consider extracting duplicated dedupe/size-cap logic into a helper function.

The two blocks are nearly identical; centralizing them will reduce drift risk when thresholds/flags change later.

♻️ Suggested refactor (bash helper inside this run block)
+        dedupe_with_size_gate() {
+          local input="$1"
+          local output="$2"
+          local label="$3"
+
+          bash ./hack/dedupe-spdx-gomod.sh --input "$input" --output "$output"
+          local size
+          size="$(wc -c < "$output")"
+          echo "Deduplicated ${label} SBOM size: ${size} bytes"
+
+          if [[ "$size" -gt "$MAX_SBOM_SIZE_BYTES" ]]; then
+            echo "Deduped ${label} SBOM still above ${MAX_SBOM_SIZE_BYTES} bytes, dropping file ownership data"
+            bash ./hack/dedupe-spdx-gomod.sh --input "$input" --output "$output" --drop-file-ownership
+            size="$(wc -c < "$output")"
+            echo "Ownership-pruned deduplicated ${label} SBOM size: ${size} bytes"
+          fi
+
+          if [[ "$size" -gt "$MAX_SBOM_SIZE_BYTES" ]]; then
+            echo "${label} SBOM predicate is still too large (${size} bytes)."
+            echo "Refusing attestation to avoid Rekor submission retries/failure."
+            exit 1
+          fi
+        }
-
-        echo "Deduplicating image SPDX package nodes and relationships"
-        bash ./hack/dedupe-spdx-gomod.sh \
-          --input sbom.${IMAGE_TAG}.spdx.json \
-          --output sbom.${IMAGE_TAG}.dedup.spdx.json
-        ...
-        if [[ "${DEDUP_IMAGE_SBOM_SIZE}" -gt "${MAX_SBOM_SIZE_BYTES}" ]]; then
-          ...
-        fi
+        dedupe_with_size_gate "sbom.${IMAGE_TAG}.spdx.json" "sbom.${IMAGE_TAG}.dedup.spdx.json" "image"
-
-        echo "Deduplicating Go modules SPDX package nodes and relationships"
-        bash ./hack/dedupe-spdx-gomod.sh \
-          --input sbom.gomod.${IMAGE_TAG}.spdx.json \
-          --output sbom.gomod.${IMAGE_TAG}.dedup.spdx.json
-        ...
-        if [[ "${DEDUP_GOMOD_SBOM_SIZE}" -gt "${MAX_SBOM_SIZE_BYTES}" ]]; then
-          ...
-        fi
+        dedupe_with_size_gate "sbom.gomod.${IMAGE_TAG}.spdx.json" "sbom.gomod.${IMAGE_TAG}.dedup.spdx.json" "Go modules"
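Review bot: the helper drops the original-size log the step emits before dedupe and, on the fallback pass, overwrites `"$output"` with the ownership-pruned result, so the intermediate deduped-but-unpruned SBOM is no longer available for debugging a size regression; log `wc -c < "$input"` at the top and either write the fallback to a distinct file or state the overwrite explicitly. `exit 1` inside the function does terminate the step as the abort intends, but `return 1` with the caller relying on `set -e` would keep the helper reusable, and `MAX_SBOM_SIZE_BYTES` must be defined before the first call or the `[[ -gt ]]` comparison fails.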

Also applies to: 138-162

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/actions/sign/action.yml around lines 95 - 117, Extract the
duplicated dedup/size-cap logic into a bash helper function (e.g.,
dedupe_and_check) inside the run block and call it twice instead of repeating
the blocks: the helper should invoke ./hack/dedupe-spdx-gomod.sh with the given
--input/--output (and optional --drop-file-ownership flag), recalculate
DEDUP_IMAGE_SBOM_SIZE via wc -c, echo the size messages, and return a non-zero
status if the size still exceeds MAX_SBOM_SIZE_BYTES; replace the two
near-identical blocks that reference DEDUP_IMAGE_SBOM_SIZE, MAX_SBOM_SIZE_BYTES
and the --drop-file-ownership flag with calls to this helper so thresholds/flags
are maintained in one place.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fa05a03 and 49242d9.

📒 Files selected for processing (1)
  • .github/actions/sign/action.yml

@Skarlso Skarlso merged commit d2220b8 into main Feb 28, 2026
23 checks passed
@Skarlso Skarlso deleted the mj-dedup-mono branch February 28, 2026 12:32
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Mar 6, 2026
…2.1.0 (#4491)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets/external-secrets](https://github.com/external-secrets/external-secrets) | minor | `v2.0.1` → `v2.1.0` |

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets/external-secrets)</summary>

### [`v2.1.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.1.0)

[Compare Source](external-secrets/external-secrets@v2.0.1...v2.1.0)

Image: `ghcr.io/external-secrets/external-secrets:v2.1.0`
Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi-boringssl`

<!-- Release notes generated using configuration in .github/release.yml at main -->

#### What's Changed

##### General

- chore(release): Update helm chart by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;5981](external-secrets/external-secrets#5981)
- fix: cosign verify does not use signing config by [@&#8203;gusfcarvalho](https://github.com/gusfcarvalho) in [#&#8203;5982](external-secrets/external-secrets#5982)
- docs: Update release process by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;5980](external-secrets/external-secrets#5980)
- fix: allow cross-namespace push with ClusterSecretStore objects by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5998](external-secrets/external-secrets#5998)
- feat(charts): add new flag enable leader for cert-manager by [@&#8203;nutmos](https://github.com/nutmos) in [#&#8203;5863](external-secrets/external-secrets#5863)
- feat(kubernetes): fall back to system CA roots when no CA is configured by [@&#8203;rajsinghtech](https://github.com/rajsinghtech) in [#&#8203;5961](external-secrets/external-secrets#5961)
- feat: dedup sbom but keep it monolithic by [@&#8203;moolen](https://github.com/moolen) in [#&#8203;6004](external-secrets/external-secrets#6004)
- fix: add missing metrics and fundamentally fix the caching logic by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5894](external-secrets/external-secrets#5894)
- docs: designate Oracle Vault provider as 'stable' by [@&#8203;anders-swanson](https://github.com/anders-swanson) in [#&#8203;6020](external-secrets/external-secrets#6020)
- docs: Oracle Vault provider capabilities by [@&#8203;anders-swanson](https://github.com/anders-swanson) in [#&#8203;6023](external-secrets/external-secrets#6023)
- docs(azurekv): cert-manager pushsecret example and cleanups by [@&#8203;illrill](https://github.com/illrill) in [#&#8203;5972](external-secrets/external-secrets#5972)
- feat(kubernetes): implement SecretExists by [@&#8203;Saku2](https://github.com/Saku2) in [#&#8203;5973](external-secrets/external-secrets#5973)
- fix(charts): Fix wrongly set annotations for cert-controller metrics service by [@&#8203;josemaia](https://github.com/josemaia) in [#&#8203;6029](external-secrets/external-secrets#6029)
- feat(providers): Nebius MysteryBox integration by [@&#8203;greenmapc](https://github.com/greenmapc) in [#&#8203;5868](external-secrets/external-secrets#5868)

##### Dependencies

- chore(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5986](external-secrets/external-secrets#5986)
- chore(deps): bump mkdocs-material from 9.7.1 to 9.7.2 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5992](external-secrets/external-secrets#5992)
- chore(deps): bump ubi9/ubi from `b8923f5` to `cecb1cd` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5984](external-secrets/external-secrets#5984)
- chore(deps): bump helm/kind-action from 1.13.0 to 1.14.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5985](external-secrets/external-secrets#5985)
- chore(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5990](external-secrets/external-secrets#5990)
- chore(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5989](external-secrets/external-secrets#5989)
- chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5987](external-secrets/external-secrets#5987)
- chore(deps): bump regex from 2026.1.15 to 2026.2.19 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5991](external-secrets/external-secrets#5991)
- chore(deps): bump actions/stale from 10.1.1 to 10.2.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5988](external-secrets/external-secrets#5988)
- chore(deps): bump regex from 2026.2.19 to 2026.2.28 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6012](external-secrets/external-secrets#6012)
- chore(deps): bump mkdocs-material from 9.7.2 to 9.7.3 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6014](external-secrets/external-secrets#6014)
- chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6015](external-secrets/external-secrets#6015)
- chore(deps): bump anchore/sbom-action from 0.22.2 to 0.23.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6016](external-secrets/external-secrets#6016)
- chore(deps): bump certifi from 2026.1.4 to 2026.2.25 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6013](external-secrets/external-secrets#6013)
- chore(deps): bump actions/setup-go from 6.2.0 to 6.3.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6010](external-secrets/external-secrets#6010)
- chore(deps): bump hashicorp/setup-terraform from [`ce70bcf`](external-secrets/external-secrets@ce70bcf) to [`5e8dbf3`](external-secrets/external-secrets@5e8dbf3) by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6011](external-secrets/external-secrets#6011)
- chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6009](external-secrets/external-secrets#6009)
- chore(deps): bump distroless/static from `972618c` to `28efbe9` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6008](external-secrets/external-secrets#6008)

#### New Contributors

- [@&#8203;nutmos](https://github.com/nutmos) made their first contribution in [#&#8203;5863](external-secrets/external-secrets#5863)
- [@&#8203;rajsinghtech](https://github.com/rajsinghtech) made their first contribution in [#&#8203;5961](external-secrets/external-secrets#5961)
- [@&#8203;illrill](https://github.com/illrill) made their first contribution in [#&#8203;5972](external-secrets/external-secrets#5972)
- [@&#8203;Saku2](https://github.com/Saku2) made their first contribution in [#&#8203;5973](external-secrets/external-secrets#5973)
- [@&#8203;greenmapc](https://github.com/greenmapc) made their first contribution in [#&#8203;5868](external-secrets/external-secrets#5868)

**Full Changelog**: <external-secrets/external-secrets@v2.0.1...v2.1.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41MS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTEuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiaW1hZ2UiXX0=-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4491
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Mar 7, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `2.0.1` → `2.1.0` |

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets)</summary>

### [`v2.1.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.1.0)

[Compare Source](external-secrets/external-secrets@v2.0.1...v2.1.0)

Image: `ghcr.io/external-secrets/external-secrets:v2.1.0`
Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi-boringssl`

<!-- Release notes generated using configuration in .github/release.yml at main -->

#### What's Changed

##### General

- chore(release): Update helm chart by [@evrardj-roche](https://github.com/evrardj-roche) in [#5981](external-secrets/external-secrets#5981)
- fix: cosign verify does not use signing config by [@gusfcarvalho](https://github.com/gusfcarvalho) in [#5982](external-secrets/external-secrets#5982)
- docs: Update release process by [@evrardj-roche](https://github.com/evrardj-roche) in [#5980](external-secrets/external-secrets#5980)
- fix: allow cross-namespace push with ClusterSecretStore objects by [@Skarlso](https://github.com/Skarlso) in [#5998](external-secrets/external-secrets#5998)
- feat(charts): add new flag enable leader for cert-manager by [@nutmos](https://github.com/nutmos) in [#5863](external-secrets/external-secrets#5863)
- feat(kubernetes): fall back to system CA roots when no CA is configured by [@rajsinghtech](https://github.com/rajsinghtech) in [#5961](external-secrets/external-secrets#5961)
- feat: dedup sbom but keep it monolithic by [@moolen](https://github.com/moolen) in [#6004](external-secrets/external-secrets#6004)
- fix: add missing metrics and fundamentally fix the caching logic by [@Skarlso](https://github.com/Skarlso) in [#5894](external-secrets/external-secrets#5894)
- docs: designate Oracle Vault provider as 'stable' by [@anders-swanson](https://github.com/anders-swanson) in [#6020](external-secrets/external-secrets#6020)
- docs: Oracle Vault provider capabilities by [@anders-swanson](https://github.com/anders-swanson) in [#6023](external-secrets/external-secrets#6023)
- docs(azurekv): cert-manager pushsecret example and cleanups by [@illrill](https://github.com/illrill) in [#5972](external-secrets/external-secrets#5972)
- feat(kubernetes): implement SecretExists by [@Saku2](https://github.com/Saku2) in [#5973](external-secrets/external-secrets#5973)
- fix(charts): Fix wrongly set annotations for cert-controller metrics service by [@josemaia](https://github.com/josemaia) in [#6029](external-secrets/external-secrets#6029)
- feat(providers): Nebius MysteryBox integration by [@greenmapc](https://github.com/greenmapc) in [#5868](external-secrets/external-secrets#5868)

##### Dependencies

- chore(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by [@dependabot](https://github.com/dependabot)[bot] in [#5986](external-secrets/external-secrets#5986)
- chore(deps): bump mkdocs-material from 9.7.1 to 9.7.2 in /hack/api-docs by [@dependabot](https://github.com/dependabot)[bot] in [#5992](external-secrets/external-secrets#5992)
- chore(deps): bump ubi9/ubi from `b8923f5` to `cecb1cd` by [@dependabot](https://github.com/dependabot)[bot] in [#5984](external-secrets/external-secrets#5984)
- chore(deps): bump helm/kind-action from 1.13.0 to 1.14.0 by [@dependabot](https://github.com/dependabot)[bot] in [#5985](external-secrets/external-secrets#5985)
- chore(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 by [@dependabot](https://github.com/dependabot)[bot] in [#5990](external-secrets/external-secrets#5990)
- chore(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by [@dependabot](https://github.com/dependabot)[bot] in [#5989](external-secrets/external-secrets#5989)
- chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by [@dependabot](https://github.com/dependabot)[bot] in [#5987](external-secrets/external-secrets#5987)
- chore(deps): bump regex from 2026.1.15 to 2026.2.19 in /hack/api-docs by [@dependabot](https://github.com/dependabot)[bot] in [#5991](external-secrets/external-secrets#5991)
- chore(deps): bump actions/stale from 10.1.1 to 10.2.0 by [@dependabot](https://github.com/dependabot)[bot] in [#5988](external-secrets/external-secrets#5988)
- chore(deps): bump regex from 2026.2.19 to 2026.2.28 in /hack/api-docs by [@dependabot](https://github.com/dependabot)[bot] in [#6012](external-secrets/external-secrets#6012)
- chore(deps): bump mkdocs-material from 9.7.2 to 9.7.3 in /hack/api-docs by [@dependabot](https://github.com/dependabot)[bot] in [#6014](external-secrets/external-secrets#6014)
- chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 by [@dependabot](https://github.com/dependabot)[bot] in [#6015](external-secrets/external-secrets#6015)
- chore(deps): bump anchore/sbom-action from 0.22.2 to 0.23.0 by [@dependabot](https://github.com/dependabot)[bot] in [#6016](external-secrets/external-secrets#6016)
- chore(deps): bump certifi from 2026.1.4 to 2026.2.25 in /hack/api-docs by [@dependabot](https://github.com/dependabot)[bot] in [#6013](external-secrets/external-secrets#6013)
- chore(deps): bump actions/setup-go from 6.2.0 to 6.3.0 by [@dependabot](https://github.com/dependabot)[bot] in [#6010](external-secrets/external-secrets#6010)
- chore(deps): bump hashicorp/setup-terraform from [`ce70bcf`](external-secrets/external-secrets@ce70bcf) to [`5e8dbf3`](external-secrets/external-secrets@5e8dbf3) by [@dependabot](https://github.com/dependabot)[bot] in [#6011](external-secrets/external-secrets#6011)
- chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 by [@dependabot](https://github.com/dependabot)[bot] in [#6009](external-secrets/external-secrets#6009)
- chore(deps): bump distroless/static from `972618c` to `28efbe9` by [@dependabot](https://github.com/dependabot)[bot] in [#6008](external-secrets/external-secrets#6008)

#### New Contributors

- [@nutmos](https://github.com/nutmos) made their first contribution in [#5863](external-secrets/external-secrets#5863)
- [@rajsinghtech](https://github.com/rajsinghtech) made their first contribution in [#5961](external-secrets/external-secrets#5961)
- [@illrill](https://github.com/illrill) made their first contribution in [#5972](external-secrets/external-secrets#5972)
- [@Saku2](https://github.com/Saku2) made their first contribution in [#5973](external-secrets/external-secrets#5973)
- [@greenmapc](https://github.com/greenmapc) made their first contribution in [#5868](external-secrets/external-secrets#5868)

**Full Changelog**: <external-secrets/external-secrets@v2.0.1...v2.1.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4516
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
AlexOQ pushed a commit to AlexOQ/external-secrets that referenced this pull request Mar 18, 2026
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>
Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
dsp0x4 pushed a commit to dsp0x4/external-secrets that referenced this pull request Mar 22, 2026
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>

Labels

component/github-actions kind/feature Categorizes issue or PR as related to a new feature. size/m

Projects

Status: Done
