remove previously deprecated attach/download sbom commands

Signed-off-by: hectorj2f <[email protected]>

Author: hectorj2f

cmd/cosign/cli/attach.go

@@ -16,9 +16,6 @@
 package cli
 
 import (
-	"fmt"
-	"os"
-
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/attach"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/spf13/cobra"
@@ -32,7 +29,6 @@ func Attach() *cobra.Command {
 
 	cmd.AddCommand(
 		attachSignature(),
-		attachSBOM(),
 		attachAttestation(),
 	)
 
@@ -75,32 +71,6 @@ func attachSignature() *cobra.Command {
 	return cmd
 }
 
-func attachSBOM() *cobra.Command {
-	o := &options.AttachSBOMOptions{}
-
-	cmd := &cobra.Command{
-		Use:              "sbom",
-		Short:            "DEPRECATED: Attach sbom to the supplied container image",
-		Long:             "Attach sbom to the supplied container image\n\n" + options.SBOMAttachmentDeprecation,
-		Example:          "  cosign attach sbom <image uri>",
-		Args:             cobra.ExactArgs(1),
-		PersistentPreRun: options.BindViper,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			fmt.Fprintln(os.Stderr, options.SBOMAttachmentDeprecation)
-			mediaType, err := o.MediaType()
-			if err != nil {
-				return err
-			}
-			fmt.Fprintf(os.Stderr, "WARNING: Attaching SBOMs this way does not sign them. To sign them, use 'cosign attest --predicate %s --key <key path>'.\n", o.SBOM)
-			return attach.SBOMCmd(cmd.Context(), o.Registry, o.RegistryExperimental, o.SBOM, mediaType, args[0])
-		},
-	}
-
-	o.AddFlags(cmd)
-
-	return cmd
-}
-
 func attachAttestation() *cobra.Command {
 	o := &options.AttachAttestationOptions{}
 

cmd/cosign/cli/attach/sbom.go

@@ -16,9 +16,6 @@
 package cli
 
 import (
-	"fmt"
-	"os"
-
 	"github.com/spf13/cobra"
 
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/download"
@@ -33,7 +30,6 @@ func Download() *cobra.Command {
 
 	cmd.AddCommand(
 		downloadSignature(),
-		downloadSBOM(),
 		downloadAttestation(),
 	)
 
@@ -59,31 +55,6 @@ func downloadSignature() *cobra.Command {
 	return cmd
 }
 
-func downloadSBOM() *cobra.Command {
-	o := &options.RegistryOptions{}
-	do := &options.SBOMDownloadOptions{}
-
-	cmd := &cobra.Command{
-		Use:              "sbom",
-		Short:            "DEPRECATED: Download SBOMs from the supplied container image",
-		Long:             "Download SBOMs from the supplied container image\n\n" + options.SBOMAttachmentDeprecation,
-		Example:          "  cosign download sbom <image uri>",
-		Args:             cobra.ExactArgs(1),
-		PersistentPreRun: options.BindViper,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			fmt.Fprintln(os.Stderr, options.SBOMAttachmentDeprecation)
-			fmt.Fprintln(os.Stderr, "WARNING: Downloading SBOMs this way does not ensure its authenticity. If you want to ensure a tamper-proof SBOM, download it using 'cosign download attestation <image uri>'.")
-			_, err := download.SBOMCmd(cmd.Context(), *o, *do, args[0], cmd.OutOrStdout())
-			return err
-		},
-	}
-
-	do.AddFlags(cmd)
-	o.AddFlags(cmd)
-
-	return cmd
-}
-
 func downloadAttestation() *cobra.Command {
 	o := &options.RegistryOptions{}
 	ao := &options.AttestationDownloadOptions{}

cmd/cosign/cli/download.go

@@ -39,7 +39,6 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/types"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/attach"
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/download"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/generate"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	cliverify "github.com/sigstore/cosign/v2/cmd/cosign/cli/verify"
@@ -402,95 +401,3 @@ func TestUploadDownload(t *testing.T) {
 		})
 	}
 }
-
-func TestAttachSBOM_bom_flag(t *testing.T) {
-	repo, stop := reg(t)
-	defer stop()
-	td := t.TempDir()
-	ctx := context.Background()
-	bomData, err := os.ReadFile("./testdata/bom-go-mod.spdx")
-	must(err, t)
-
-	testCases := map[string]struct {
-		bom         string
-		bomType     attach.SignatureArgType
-		expectedErr bool
-	}{
-		"stdin containing bom": {
-			bom:         string(bomData),
-			bomType:     attach.StdinSignature,
-			expectedErr: false,
-		},
-		"file containing bom": {
-			bom:         string(bomData),
-			bomType:     attach.FileSignature,
-			expectedErr: false,
-		},
-		"raw bom as argument": {
-			bom:         string(bomData),
-			bomType:     attach.RawSignature,
-			expectedErr: true,
-		},
-		"empty bom as argument": {
-			bom:         "",
-			bomType:     attach.RawSignature,
-			expectedErr: true,
-		},
-	}
-
-	for testName, testCase := range testCases {
-		t.Run(testName, func(t *testing.T) {
-			imgName := path.Join(repo, "sbom-image")
-			img, _, cleanup := mkimage(t, imgName)
-			var sbomRef string
-			restoreStdin := func() {}
-			switch {
-			case testCase.bomType == attach.FileSignature:
-				sbomRef = mkfile(testCase.bom, td, t)
-			case testCase.bomType == attach.StdinSignature:
-				sbomRef = "-"
-				restoreStdin = mockStdin(testCase.bom, td, t)
-			default:
-				sbomRef = testCase.bom
-			}
-
-			out := bytes.Buffer{}
-			_, errPl := download.SBOMCmd(ctx, options.RegistryOptions{}, options.SBOMDownloadOptions{Platform: "darwin/amd64"}, img.Name(), &out)
-			if errPl == nil {
-				t.Fatalf("Expected error when passing Platform to single arch image")
-			}
-			_, err := download.SBOMCmd(ctx, options.RegistryOptions{}, options.SBOMDownloadOptions{}, img.Name(), &out)
-			if err == nil {
-				t.Fatal("Expected error")
-			}
-			t.Log(out.String())
-			out.Reset()
-
-			// Upload it!
-			err = attach.SBOMCmd(ctx, options.RegistryOptions{}, options.RegistryExperimentalOptions{}, sbomRef, "spdx", imgName)
-			restoreStdin()
-
-			if testCase.expectedErr {
-				mustErr(err, t)
-			} else {
-				sboms, err := download.SBOMCmd(ctx, options.RegistryOptions{}, options.SBOMDownloadOptions{}, imgName, &out)
-				if err != nil {
-					t.Fatal(err)
-				}
-				t.Log(out.String())
-				if len(sboms) != 1 {
-					t.Fatalf("Expected one sbom, got %d", len(sboms))
-				}
-				want, err := os.ReadFile("./testdata/bom-go-mod.spdx")
-				if err != nil {
-					t.Fatal(err)
-				}
-				if diff := cmp.Diff(string(want), sboms[0]); diff != "" {
-					t.Errorf("diff: %s", diff)
-				}
-			}
-
-			cleanup()
-		})
-	}
-}