From a404f176b725939277cde2dfe572e636664c8d40 Mon Sep 17 00:00:00 2001
From: Will Dollman
Date: Wed, 30 Oct 2024 16:15:02 +0000
Subject: [PATCH] Fix issue preventing some SBOMs being fetched from Docker Hub (#1119)
* Fix typo'd accept header
* Ensure we only parse the first line of the attestation
* Changelog
---
 CHANGELOG.md | 6 ++++++
 cmd/src/sbom_fetch.go | 9 ++++++++-
 cmd/src/sbom_utils.go | 2 +-
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c96941788b..89bb4a1799 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,10 +11,16 @@ All notable changes to `src-cli` are documented in this file.
 ## Unreleased
+## 5.8.2
+
 ### Added
 - Support HTTP(S), SOCKS5, and UNIX Domain Socket proxies via SRC_PROXY environment variable. [#1120](https://github.com/sourcegraph/src-cli/pull/1120)
+### Fixed
+
+- Fixed a compatibility issue that prevented `src sbom fetch` from fetching some SBOMs [#1119](https://github.com/sourcegraph/src-cli/pull/1119)
+
 ## 5.8.1
 ### Fixed
diff --git a/cmd/src/sbom_fetch.go b/cmd/src/sbom_fetch.go
index 6cee467780..894e34658d 100644
--- a/cmd/src/sbom_fetch.go
+++ b/cmd/src/sbom_fetch.go
@@ -2,6 +2,7 @@ package main
 import (
 "bufio"
+ "bytes"
 "encoding/base64"
 "encoding/json"
 "flag"
@@ -262,8 +263,14 @@ type attestation struct {
 }
 func extractSBOM(attestationBytes []byte) (string, error) {
+ // Ensure we only use the first line - occasionally Cosign includes multiple lines
+ lines := bytes.Split(attestationBytes, []byte("\n"))
+ if len(lines) == 0 {
+ return "", fmt.Errorf("attestation is empty")
+ }
+
 var a attestation
- if err := json.Unmarshal(attestationBytes, &a); err != nil {
+ if err := json.Unmarshal(lines[0], &a); err != nil {
 return "", fmt.Errorf("failed to unmarshal attestation: %w", err)
 }
diff --git a/cmd/src/sbom_utils.go b/cmd/src/sbom_utils.go
index ff223bcb74..9bce46e748 100644
--- a/cmd/src/sbom_utils.go
+++ b/cmd/src/sbom_utils.go
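Review bot: The `len(lines) == 0` guard added at the top of extractSBOM is unreachable, because `bytes.Split` returns at least one element for any input (a nil or empty input yields a single empty element), so an empty attestation skips the intended "attestation is empty" error and surfaces instead as the generic "failed to unmarshal attestation" failure from `json.Unmarshal` on an empty slice. Take the first line without allocating every line, `first, _, _ := bytes.Cut(attestationBytes, []byte("\n"))` (Go 1.18+; `bytes.IndexByte` works on older toolchains), then `if len(bytes.TrimSpace(first)) == 0 { return "", fmt.Errorf("attestation is empty") }` and unmarshal `first`. Everything after the first line is now silently discarded; if cosign emits several envelopes on separate lines (for example an SBOM and a provenance attestation), the first line is not guaranteed to be the SBOM, so either document that assumption next to the comment or loop over the lines and keep the one whose predicate type is the expected SBOM type — the predicate check, if any, is presumably in the part of extractSBOM that continues past this hunk. extractSBOM's body continues outside the hunk.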
@@ -46,7 +46,7 @@ func getImageDigestDockerHub(image string, tag string) (string, error) {
 return "", err
 }
 req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", token))
- req.Header.Add("Accept", "Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.manifest.v1+json")
+ req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.manifest.v1+json")
 // Make the HTTP request
 resp, err := http.DefaultClient.Do(req)
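Review bot: The corrected Accept list on the `+` line still omits the manifest-list and index media types (`application/vnd.docker.distribution.manifest.list.v2+json`, `application/vnd.oci.image.index.v1+json`), so for a multi-arch tag the registry chooses whether to answer with the index or a single-platform manifest, and the digest this function reports may not be the digest an attestation was attached to; if that digest is what the SBOM lookup keys on, accepting the two list types (and handling an index response) would make the result deterministic — the digest extraction and the caller are not visible from this hunk, so treat this as something to confirm. Separately, the last line uses `http.DefaultClient`, which has no timeout, so a stalled registry connection hangs the CLI indefinitely; `resp, err := (&http.Client{Timeout: 30 * time.Second}).Do(req)` (adding the `time` import) or a `context.WithTimeout` attached to `req` bounds the call. getImageDigestDockerHub starts and ends outside the hunk.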