Error: generating index SBOM: generating spdx sbom (pull 1441)

[Cloudnapsys]

I encountered an error during the pipeline execution with APKO after a new build of the repository. It appears that a recent change in the container image is causing the issue. The error is as follows:

2024/12/17 15:36:58 INFO built index file as /tmp/apko-temp-675144136/index.json
Error: generating index SBOM: generating spdx sbom: unable to render index sbom, no architecture images found
2024/12/17 15:36:58 INFO error during command execution: generating index SBOM: generating spdx sbom: unable to render index sbom, no architecture images found

Change Reference:
The issue seems to coincide with the following recent change: [https://github.com//pull/1441]

This is the comand to build:

docker run --rm -v "${PWD}":/work -w /work \
       cgr.dev/chainguard/apko build \
       --arch amd64 apko.yaml \
       myapp:apko "/work/myapp.tar" -k melange.rsa.pub

---

this is the log of execution after pull 1441:

---

Unable to find image 'cgr.dev/chainguard/apko:latest' locally
latest: Pulling from chainguard/apko
c6641a5e2e67: Pulling fs layer
c6641a5e2e67: Verifying Checksum
c6641a5e2e67: Download complete
c6641a5e2e67: Pull complete
Digest: sha256:960fa7d713be9529c5ec52b3c79af2ca3fcbcef3c579a4f2005291e309b51e98
Status: Downloaded newer image for cgr.dev/chainguard/apko:latest
2024/12/17 14:58:17 INFO Building images for 1 architectures: [amd64]
2024/12/17 14:58:17 INFO detected https://<gitprovider>.com/[email protected] as VCS URL
2024/12/17 14:58:18 [DEBUG] GET https://dl-cdn.alpinelinux.org/alpine/edge/community/apk-configuration
2024/12/17 14:58:19 [DEBUG] GET https://dl-cdn.alpinelinux.org/alpine/edge/main/apk-configuration
2024/12/17 14:58:19 INFO setting apk repositories: [@local ./packages https://dl-cdn.alpinelinux.org/alpine/edge/community https://dl-cdn.alpinelinux.org/alpine/edge/main]
2024/12/17 14:58:21 [DEBUG] GET https://dl-cdn.alpinelinux.org/alpine/edge/community/apk-configuration
2024/12/17 14:58:21 [DEBUG] GET https://dl-cdn.alpinelinux.org/alpine/edge/main/apk-configuration
2024/12/17 14:58:21 INFO setting apk repositories: [@local ./packages https://dl-cdn.alpinelinux.org/alpine/edge/community https://dl-cdn.alpinelinux.org/alpine/edge/main]
2024/12/17 14:58:21 INFO built index file as /tmp/apko-temp-3854543332/index.json
Error: generating index SBOM: generating spdx sbom: unable to render index sbom, no architecture images found
2024/12/17 14:58:21 INFO error during command execution: generating index SBOM: generating spdx sbom: unable to render index sbom, no architecture images found

---

and this is the log of the version just before pull 1441

---

2024/12/17 14:43:31 INFO Building images for 1 architectures: [amd64]
2024/12/17 14:43:31 INFO detected https://<gitprovider>.com/[email protected] as VCS URL
2024/12/17 14:43:31 ERRO request failed error="Get \"@local%20./packages/apk-configuration\": unsupported protocol scheme \"\"" method=GET url=@local%20./packages/apk-configuration
2024/12/17 14:43:31 WARN ignoring missing keys for @local ./packages: failed to perform key discovery: Get "@local%20./packages/apk-configuration": GET @local%20./packages/apk-configuration giving up after 1 attempt(s): Get "@local%20./packages/apk-configuration": unsupported protocol scheme ""
2024/12/17 14:43:32 INFO setting apk repositories: [@local ./packages https://dl-cdn.alpinelinux.org/alpine/edge/community https://dl-cdn.alpinelinux.org/alpine/edge/main]
2024/12/17 14:43:33 INFO installing musl (1.2.5-r8)
2024/12/17 14:43:33 INFO installing libcrypto3 (3.3.2-r4)
..........
2024/12/17 14:43:43 INFO installing python3-dev (3.12.8-r1)
2024/12/17 14:43:43 INFO setting apk repositories: [@local ./packages https://dl-cdn.alpinelinux.org/alpine/edge/community https://dl-cdn.alpinelinux.org/alpine/edge/main]
2024/12/17 14:43:43 WARN /etc/os-release is missing
2024/12/17 14:43:47 INFO built image layer tarball as /tmp/apko-temp-1447558923/apko-x86_64.tar.gz
2024/12/17 14:43:47 INFO OCI layer digest: sha256:f1d6...20da arch=x86_64
2024/12/17 14:43:47 INFO OCI layer diffID: sha256:1a7b...d8f2 arch=x86_64
2024/12/17 14:43:47 INFO built index file as /tmp/apko-temp-1447558923/index.json

[eminaktas]

I found the problem. Since it is getting the original package list from the configuration, it cannot correctly get the diff here. I sent a PR but probably there is a better solution to it.

[jackwhelpton]

I'm seeing a similar error attempting to build images from the AWS Corretto repo:

contents:
  keyring:
    - https://apk.corretto.aws/amazoncorretto.rsa.pub
  repositories:
    - https://apk.corretto.aws
  packages:
    - amazon-corretto-21

archs:
  - x86_64

2025/01/05 18:16:41 DEBU initializing apk keyring
2025/01/05 18:16:41 DEBU installing key https://apk.corretto.aws/amazoncorretto.rsa.pub
2025/01/05 18:16:41 INFO setting apk repositories: [https://apk.corretto.aws]
2025/01/05 18:16:41 DEBU loading config file: gradle.yaml
2025/01/05 18:16:41 INFO built index file as /tmp/apko-temp-344517879/index.json
2025/01/05 18:16:41 DEBU Generating index SBOM
Error: generating index SBOM: generating spdx sbom: unable to render index sbom, no architecture images found
2025/01/05 18:16:41 INFO error during command execution: generating index SBOM: generating spdx sbom: unable to render index sbom, no architecture images found

I'm not sure if this is exactly the same problem, as I'm not dealing with local packages, so let me know if this warrants a separate issue... I've been using Chainguard base images for a while, but this is my first time playing with apko.

[eminaktas]

I tested few things at least find some clue. It looks like this issue started after v0.22.1. My build works in v0.22.1. There is this PR #1441. Maybe @jonjohnsonjr can help here.

[jackwhelpton]

Thanks, reverting to v0.22.1 works for me too, so I assume we are hitting the same problem.

I say "works", I'm now running into a problem whereby the Corretto APK packages target musl rather than glibc, whereas the glibc version is only available packaged as an RPM. That's obviously a whole different issue.

[Cloudnapsys]

hello, @jonjohnsonjr as requested see bellow how to reproduce:

run this script:

#!/bin/bash

build_apko()
{
    DATE_TIME=$(date +"%Y-%m-%d_%H%M%S")

    echo "generating key ..."
    docker run --rm -v $(pwd):/work cgr.dev/chainguard/melange keygen


    echo "Building melange..."
    docker run --privileged --rm -v "${PWD}":/work -w /work \
            cgr.dev/chainguard/melange build /work/melange-manifest.yaml \
            --arch host \
            --signing-key /work/melange.rsa \
            --out-dir /work/packages \
            --log-level debug 2>&1 | tee ${DATE_TIME}-melange-script.txt


    echo "Building APKO ..."
    docker run --rm -v "${PWD}":/work -w /work \
           cgr.dev/chainguard/apko build \
           --arch amd64 apko-config.yaml \
           myapp:apko "/work/myapp.tar" \
           -k melange.rsa.pub 2>&1 | tee ${DATE_TIME}-apko-script.txt

}

build_apko

with this melange-manifest.yaml:

package:
  name: myapp
  version: 0.1
  description: myapp 
  target-architecture:
    - x86_64
  dependencies:
    runtime:
    - python3
    - py3-pip
    - py3-setuptools
    - py3-wheel
    - mariadb
    - aws-cli

environment:
  contents:
    repositories:
      - https://dl-cdn.alpinelinux.org/alpine/edge/main
      - https://dl-cdn.alpinelinux.org/alpine/edge/community
    packages:
      - alpine-baselayout-data
      - python3   
      - bash 
      - build-base 
      - python3-dev 
      - libffi-dev 
      - musl-dev 
      - linux-headers 
      - jpeg-dev 
      - zlib-dev 
      - mariadb-dev 
      - openssl-dev 
      - libxml2-dev 
      - libxslt-dev
      - py3-virtualenv
      - gcc
      - cargo
      - pkgconfig
      
pipeline:
  - name: Build Python application
    runs: |
      
      addgroup -g 3000 mygroup
      adduser -D -u 2000 -G mygroup -s /bin/bash myuser
      
      mkdir -p "${{targets.destdir}}/app"
      mkdir -p "${{targets.destdir}}/app/logs"

      chown -R myuser:mygroup "${{targets.destdir}}/app"

      virtualenv "${{targets.destdir}}/app/venv"
      chown -R 2000:3000 "${{targets.destdir}}/app"
      chmod -R 755 "${{targets.destdir}}/app"


      cp app/setup.py "${{targets.destdir}}/app/setup.py"
      cp app/requirements.txt "${{targets.destdir}}/app/requirements.txt"

      virtualenv "${{targets.destdir}}/app/venv"
      
      source "${{targets.destdir}}/app/venv/bin/activate"
      
      pip3 install --upgrade pip && \
      pip3 install cryptography --no-binary cryptography && \
      pip3 install gunicorn && \
      pip3 install uwsgi && \
      pip3 install pipdeptree setuptools wheel 

      pip3 install --no-cache-dir -U -e "${{targets.destdir}}/app[tests]"


      mkdir -p "${{targets.destdir}}/usr/bin"

      mkdir -p "${{targets.destdir}}/app/myapp/logs"
      mkdir -p "${{targets.destdir}}/app/logs"
      
      echo "#!/bin/bash" > "${{targets.destdir}}/usr/bin/myapp"
      echo "cd /app && ./entrypoint.sh" >> "${{targets.destdir}}/usr/bin/myapp"
      chmod +x "${{targets.destdir}}/usr/bin/myapp"
     

and with this apko-config.yaml

contents:
  keyring:
    - ./melange.rsa.pub  
  repositories:
    - https://dl-cdn.alpinelinux.org/alpine/edge/main
    - https://dl-cdn.alpinelinux.org/alpine/edge/community
    - '@local ./packages'
  packages:
    - python3    
    - py3-pip                
    - py3-setuptools         
    - libffi
    - jpeg
    - aws-cli
    - curl
    - zlib
    - mariadb-client
    - openssl
    - libxml2
    - libxslt
    - musl-dev
    - python3-dev
    - libffi-dev
    - openssl-dev
    - cargo
    - pkgconfig
    - bash 
    - myapp@local

environment:
  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
entrypoint:
  command: /usr/bin/myapp

stop-signal: SIGQUIT

work-dir: /app

paths:
  - path: /app
    type: directory

  - path: /app/logs
    type: directory
  
  - path: /app/myapp/logs
    type: directory


annotations:
  version: 1.0.0
  description: "reproduce Error: generating index SBOM: generating spdx sbom (pull 1441) #1448"

archs:
  - amd64

need also create one folder with 2 files:

app
requirements.txt
setup.py

requirements.txt

and setup.py:

#!/usr/bin/env python

'''
Setup file for myapp test.
'''

from setuptools import setup, find_packages


TESTS_REQUIRE = [
    'nose',
    'coverage',
]

setup(
    name='myapp-api',
    version='1.0',
    python_requires='>=3.6.0',
    description='myapp API',
    long_description='''
Myspp API
''',
    keywords='api myapp',
    author='myapp',
    author_email='[email protected]',
    url='https://github.com/myfolder/myapp-api',
    license='MIT',
    classifiers=[
        'Development Status :: 4 - Beta',
        'Intended Audience :: Developers',
        'License :: OSI Approved :: MIT License',
        'Natural Language :: English',
        'Operating System :: Unix',
        'Programming Language :: Python :: Implementation :: PyPy',
        'Operating System :: OS Independent',
    ],
    packages=find_packages(),
    include_package_data=True,
    install_requires=[
        line.strip(
        ) for line in open(
            "requirements.txt").readlines()],
    extras_require={
        'tests': TESTS_REQUIRE,
    },
    entry_points={
        'console_scripts': [
        ],
    },
)

let me know if you are able to reproduce.

[jonjohnsonjr]

Thanks for the repro, identified that I was missing an error return something 🤦

With that fixed, the actual error for this looks like:

Error: failed to build image components: resolving apk packages: for arch "amd64": solving "amazon-corretto-21" constraint: could not find package either named java-common or that provides java-common for amazon-corretto-21

[jackwhelpton]

It looks like this now results in the "correct" error, but it's still failing to build images that built OK with the previous release, is there some documentation about what has to be done to resolve this?

My example is now a little more involved than mentioned above (and much closer to @Cloudnapsys' original) as I'm using melange to bundle the glibc-based Corretto into a local apk: futher details below. The error I now see is:

amazon-corretto-21 (0.1.0-r0) packages/x86_64/amazon-corretto-21-0.1.0-r0.apk
Error: locking config: unable to lock packages to a consistent version: map[amazon-corretto-21@local:[ (amd64)]]
2025/01/06 22:28:55 INFO error during command execution: locking config: unable to lock packages to a consistent version: map[amazon-corretto-21@local:[ (amd64)]]

Here's the melange file:

package:
  name: amazon-corretto-21
  version: 0.1.0
  description: Corretto
  target-architecture:
    - x86_64
  dependencies:
    runtime:
      - busybox
      - curl
      - jq

environment:
  contents:
    keyring:
      - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
      - ./melange.rsa.pub
    repositories:
      - https://packages.wolfi.dev/os
    packages:
      - busybox
      - wget

pipeline:
  - name: Build Corretto
    working-directory: "${{targets.destdir}}/usr/lib/jvm"
    runs: |
      wget -qO- https://corretto.aws/downloads/latest/amazon-corretto-21-x64-linux-jdk.tar.gz |
        tar -xz

      cp -s */bin/java java

and the apko manifest:

contents:
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
    - ./melange.rsa.pub
  repositories:
    - https://packages.wolfi.dev/os
    - '@local /work/packages'
  packages:
    - amazon-corretto-21@local

archs:
  - x86_64

environment:
  PATH: /usr/lib/jvm:/usr/sbin:/usr/bin:/sbin:/bin

[eminaktas]

I have the same problem as @jackwhelpton described.

[Cloudnapsys]

Hello @jonjohnsonjr, now the error has changed, as described by @jackwhelpton, but I cannot find the way to deal with this new error. Where I can find what we need to do ?

...
2025/01/07 17:31:51 INFO deleting guest dir /tmp/melange-guest-633674898
2025/01/07 17:31:51 INFO deleting workspace dir /tmp/melange-workspace-2216291366
2025/01/07 17:31:51 INFO removing image path /tmp/melange-guest-1211196036
Building APKO ...
2025/01/07 17:31:53 INFO Building images for 1 architectures: [amd64]
2025/01/07 17:31:54 [DEBUG] GET https://dl-cdn.alpinelinux.org/alpine/edge/community/apk-configuration
2025/01/07 17:31:55 [DEBUG] GET https://dl-cdn.alpinelinux.org/alpine/edge/main/apk-configuration
2025/01/07 17:31:56 INFO setting apk repositories: [@local ./packages https://dl-cdn.alpinelinux.org/alpine/edge/community https://dl-cdn.alpinelinux.org/alpine/edge/main]
Error: locking config: unable to lock packages to a consistent version: map[myapp@local:[ (amd64)]]
2025/01/07 17:31:56 INFO error during command execution: locking config: unable to lock packages to a consistent version: map[myapp@local:[ (amd64)]]
...

[Cloudnapsys]

Hi, I have an update.
I was able to generate the apko.lock.json using the apko lock function, just before using the apko build. But I'm still getting the same error even when I pass the lockfile. It's possible that I'm missing something to build correctly.