Description
Environment
Device and OS: darwin arm64
App version: 0.48.1
Kubernetes distro being used: N/A
Other:
After a recent change in Zarf, it seems like an sbom.tar artifact is being created and populated for every package, even if no SBOM exists. This tar file contains a single file compare.html
I believe this was introduced in this commit. The in-line comment above the call to createSBOMCompareAsset() says to only add the compare tool if there are SBOMs, but that doesn't seem to be something we check before calling the function or within the function.
When we noticed this in our project, we wrote this small hotfix to check if there was SBOM content we needed to care about.
Steps to reproduce
- Build the following Zarf Package
kind: ZarfPackageConfig
metadata:
  name: sbom-gen
components:
  - name: silly-goofy-mood
    actions:
      onCreate:
        before:
          - cmd: echo "Hello World!"
NOTE: Even though I am using different inspect commands, this is not a side effect of updating the inspect command.
Expected result
No SBOM generated as of Zarf 0.46.0
NOTE: The sbom.tar file exists within the package, but it is empty.
Actual Result
SBOM output exists as of Zarf v0.48.1 (but I believe it was introduced earlier)
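As an added illustration (not Zarf's code and not the hotfix the reporter mentions), the following Go program shows how a package consumer could tell a placeholder sbom.tar apart from one that actually carries SBOM data: it walks the tar stream and reports whether any entry other than the compare.html viewer asset exists. The file name compare.html comes from the description above; the sample archives, the entry name silly-goofy-mood.json and the function names are constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
)

// hasSBOMContent reports whether a tar stream contains any regular file other
// than the compare.html viewer asset. An archive holding only compare.html (or
// nothing at all) is treated as "no SBOM". Illustrative check written for this
// issue; not Zarf's own implementation.
func hasSBOMContent(r io.Reader) (bool, error) {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			// Reached the end without seeing SBOM data.
			return false, nil
		}
		if err != nil {
			return false, fmt.Errorf("reading sbom.tar: %w", err)
		}
		if hdr.Typeflag == tar.TypeDir {
			continue
		}
		if path.Base(hdr.Name) == "compare.html" {
			// The compare tool is not itself an SBOM.
			continue
		}
		return true, nil
	}
}

// buildTar constructs an in-memory tar archive from a name -> content map.
// Constructed sample data for the example, not a real Zarf package artifact.
func buildTar(files map[string]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, body := range files {
		_ = tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body))})
		_, _ = tw.Write([]byte(body))
	}
	_ = tw.Close()
	return buf.Bytes()
}

func main() {
	// Mirrors the reported behaviour: an sbom.tar holding only compare.html.
	viewerOnly := buildTar(map[string]string{"compare.html": "<html></html>"})
	// A hypothetical archive that also carries an SBOM document.
	withSBOM := buildTar(map[string]string{
		"compare.html":          "<html></html>",
		"silly-goofy-mood.json": `{"artifacts":[]}`,
	})
	for name, data := range map[string][]byte{"viewer-only": viewerOnly, "with-sbom": withSBOM} {
		ok, err := hasSBOMContent(bytes.NewReader(data))
		fmt.Printf("%s: hasSBOMContent=%v err=%v\n", name, ok, err)
	}
}
```

Run it with `go run .`; the viewer-only archive reports false and the archive with a JSON entry reports true. The same check could gate whether the compare asset is worth packaging at all, which is the intent the in-line comment in the linked commit describes.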