Add an OperatingSystem package to our image SBOMs (#1690)

We are missing some information in our image SBOMs that cause trivy to
generate warnings. The missing piece is a package declaring what
operating system our images are using.

---------

Signed-off-by: Łukasz 'sil2100' Zemczak <[email protected]>

Author: sil2100

internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json

@@ -55,6 +55,16 @@
         }
       ]
     },
+    {
+      "SPDXID": "SPDXRef-OperatingSystem-replaces",
+      "name": "replaces",
+      "versionInfo": "1.0.0",
+      "filesAnalyzed": false,
+      "description": "Operating System",
+      "downloadLocation": "NOASSERTION",
+      "supplier": "Organization: Replaces",
+      "primaryPackagePurpose": "OPERATING-SYSTEM"
+    },
     {
       "SPDXID": "SPDXRef-Package-pretend-baselayout-1.0.0-r0",
       "name": "pretend-baselayout",

internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json

@@ -55,6 +55,16 @@
         }
       ]
     },
+    {
+      "SPDXID": "SPDXRef-OperatingSystem-replaces",
+      "name": "replaces",
+      "versionInfo": "1.0.0",
+      "filesAnalyzed": false,
+      "description": "Operating System",
+      "downloadLocation": "NOASSERTION",
+      "supplier": "Organization: Replaces",
+      "primaryPackagePurpose": "OPERATING-SYSTEM"
+    },
     {
       "SPDXID": "SPDXRef-Package-pretend-baselayout-1.0.0-r0",
       "name": "pretend-baselayout",

pkg/sbom/generator/spdx/spdx.go

@@ -134,6 +134,9 @@ func (sx *SPDX) Generate(opts *options.Options, path string) error {
 		doc.DocumentDescribes = []string{imagePackage.ID}
 	}
 
+	// Add the operating system package
+	addOperatingSystem(doc, opts)
+
 	if opts.ImageInfo.VCSUrl != "" {
 		if opts.ImageInfo.ImageDigest != "" {
 			addSourcePackage(opts.ImageInfo.VCSUrl, doc, imagePackage, opts)
@@ -623,6 +626,22 @@ func (sx *SPDX) GenerateIndex(opts *options.Options, path string) error {
 	return nil
 }
 
+// addOperatingSystem adds a package describing the operating system
+func addOperatingSystem(doc *Document, opts *options.Options) {
+	osPackage := Package{
+		ID:               fmt.Sprintf("SPDXRef-OperatingSystem-%s", stringToIdentifier(opts.OS.ID)),
+		Name:             opts.OS.ID,
+		Version:          opts.OS.Version,
+		Supplier:         supplier(opts),
+		FilesAnalyzed:    false,
+		Description:      "Operating System",
+		DownloadLocation: NOASSERTION,
+		PrimaryPurpose:   "OPERATING-SYSTEM",
+	}
+
+	doc.Packages = append(doc.Packages, osPackage)
+}
+
 // addSourcePackage creates a package describing the source code
 func addSourcePackage(vcsURL string, doc *Document, parent *Package, opts *options.Options) {
 	version := ""

pkg/sbom/generator/spdx/testdata/expected_image_sboms/custom-license.spdx.json

@@ -32,6 +32,16 @@
         }
       ]
     },
+    {
+      "SPDXID": "SPDXRef-OperatingSystem-unknown",
+      "name": "unknown",
+      "versionInfo": "3.0",
+      "filesAnalyzed": false,
+      "description": "Operating System",
+      "downloadLocation": "NOASSERTION",
+      "supplier": "Organization: unknown",
+      "primaryPackagePurpose": "OPERATING-SYSTEM"
+    },
     {
       "SPDXID": "SPDXRef-Package-font-ubuntu-0.869-r1",
       "name": "font-ubuntu",

pkg/sbom/generator/spdx/testdata/expected_image_sboms/no-supplier.spdx.json

@@ -32,6 +32,16 @@
         }
       ]
     },
+    {
+      "SPDXID": "SPDXRef-OperatingSystem-apko-images",
+      "name": "apko-images",
+      "versionInfo": "3.0",
+      "filesAnalyzed": false,
+      "description": "Operating System",
+      "downloadLocation": "NOASSERTION",
+      "supplier": "Organization: Apko Images, Plc",
+      "primaryPackagePurpose": "OPERATING-SYSTEM"
+    },
     {
       "SPDXID": "SPDXRef-Package-libattr1-2.5.1-r2",
       "name": "libattr1",

pkg/sbom/generator/spdx/testdata/expected_image_sboms/package-deduplicating.spdx.json

@@ -32,6 +32,16 @@
         }
       ]
     },
+    {
+      "SPDXID": "SPDXRef-OperatingSystem-unknown",
+      "name": "unknown",
+      "versionInfo": "3.0",
+      "filesAnalyzed": false,
+      "description": "Operating System",
+      "downloadLocation": "NOASSERTION",
+      "supplier": "Organization: unknown",
+      "primaryPackagePurpose": "OPERATING-SYSTEM"
+    },
     {
       "SPDXID": "SPDXRef-Package-logstash-8-8.15.3-r4",
       "name": "logstash-8",

pkg/sbom/generator/spdx/testdata/expected_image_sboms/unbound-package-dedupe.spdx.json

@@ -32,6 +32,16 @@
         }
       ]
     },
+    {
+      "SPDXID": "SPDXRef-OperatingSystem-unknown",
+      "name": "unknown",
+      "versionInfo": "3.0",
+      "filesAnalyzed": false,
+      "description": "Operating System",
+      "downloadLocation": "NOASSERTION",
+      "supplier": "Organization: unknown",
+      "primaryPackagePurpose": "OPERATING-SYSTEM"
+    },
     {
       "SPDXID": "SPDXRef-Package-unbound-libs-1.23.0-r0",
       "name": "unbound-libs",