fix(sbom): handle different installation scenarios

Author: JasonTheDeveloper

src/sbom/install.sh

@@ -24,30 +24,46 @@ check_packages() {
 	fi
 }
 
-# Figure out correct version of a three part version number is not passed
+# Resolve "latest" version by following the GitHub redirect (no API rate limit)
+resolve_latest_version() {
+	local latest_url="https://github.com/microsoft/sbom-tool/releases/latest"
+	local redirect_url
+	redirect_url=$(curl -sIL -o /dev/null -w '%{url_effective}' "${latest_url}")
+	if [ -z "${redirect_url}" ] || [ "${redirect_url}" = "${latest_url}" ]; then
+		echo "ERROR: Failed to resolve latest sbom-tool version from GitHub." >&2
+		exit 1
+	fi
+	# Extract tag from redirect URL (e.g. .../releases/tag/v4.1.5 -> v4.1.5)
+	echo "${redirect_url##*/}"
+}
+
+# Validate that a given version/tag exists by checking the download URL returns 200
 validate_version_exists() {
 	local variable_name=$1
-    local requested_version=$2
-	if [ "${requested_version}" = "latest" ]; then requested_version=$(curl -sL https://api.github.com/repos/microsoft/sbom-tool/releases/latest | jq -r ".tag_name"); fi
-	local version_list
-    version_list=$(curl -sL https://api.github.com/repos/microsoft/sbom-tool/releases | jq -r ".[].tag_name")
-	if [ -z "${variable_name}" ] || ! echo "${version_list}" | grep "${requested_version}" >/dev/null 2>&1; then
-		echo -e "Invalid ${variable_name} value: ${requested_version}\nValid values:\n${version_list}" >&2
+	local requested_version=$2
+	local check_url="https://github.com/microsoft/sbom-tool/releases/tag/${requested_version}"
+	local http_code
+	http_code=$(curl -sIL -o /dev/null -w '%{http_code}' "${check_url}")
+	if [ "${http_code}" != "200" ]; then
+		echo "ERROR: ${variable_name} value '${requested_version}' not found (HTTP ${http_code})." >&2
+		echo "Check available versions at: https://github.com/microsoft/sbom-tool/releases" >&2
 		exit 1
 	fi
 	echo "${variable_name}=${requested_version}"
 }
 
 # make sure we have curl
-check_packages curl jq ca-certificates libicu-dev
+check_packages curl ca-certificates libicu-dev
 
 # Normalize version: add 'v' prefix if missing
 if [ "${SBOM_TOOL_VERSION}" != "latest" ] && [[ "${SBOM_TOOL_VERSION}" != v* ]]; then
 	SBOM_TOOL_VERSION="v${SBOM_TOOL_VERSION}"
 fi
 
-# make sure version is available
-if [ "${SBOM_TOOL_VERSION}" = "latest" ]; then SBOM_TOOL_VERSION=$(curl -sL https://api.github.com/repos/microsoft/sbom-tool/releases/latest | jq -r ".tag_name"); fi
+# Resolve latest or validate the requested version
+if [ "${SBOM_TOOL_VERSION}" = "latest" ]; then
+	SBOM_TOOL_VERSION=$(resolve_latest_version)
+fi
 validate_version_exists SBOM_TOOL_VERSION "${SBOM_TOOL_VERSION}"
 
 # download and install binary

test/sbom/install_sbom_specific_version.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 # Scenario: install_sbom_specific_version
-# Verifies that a specific version of sbom-tool (2.2.5) installs correctly
+# Verifies that a specific version of sbom-tool (3.0.1) installs correctly
 
 set -e
 
@@ -10,8 +10,8 @@ source dev-container-features-test-lib
 # Verify sbom-tool is installed
 check "sbom-tool is installed" bash -c "which sbom-tool"
 
-# Verify sbom-tool can run
-check "sbom-tool version runs" bash -c "sbom-tool version"
+# Verify the exact version is installed
+check "sbom-tool version is 3.0.1" bash -c "sbom-tool version | grep '3.0.1'"
 
 # Verify sbom-tool binary is in the expected location
 check "sbom-tool in /usr/local/bin" bash -c "ls /usr/local/bin/sbom-tool"

test/sbom/invalid_version.sh

@@ -13,29 +13,24 @@ source dev-container-features-test-lib
 # sbom-tool should be installed (the scenario uses "latest")
 check "sbom-tool is installed" bash -c "which sbom-tool"
 
-# Verify that a completely fake version does NOT appear in the releases list
-check "fake version not in releases" bash -c \
-    "! curl -sL https://api.github.com/repos/microsoft/sbom-tool/releases | jq -r '.[].tag_name' | grep -qx 'v99.99.99'"
-
-# Simulate the install script's validation: attempt to match a non-existent
-# version against the release list and confirm it fails
-check "validation rejects non-existent version" bash -c '
-    version_list=$(curl -sL https://api.github.com/repos/microsoft/sbom-tool/releases | jq -r ".[].tag_name")
-    if echo "${version_list}" | grep -qx "v99.99.99"; then
-        echo "ERROR: fake version was found in release list"
+# Verify that a fake version returns non-200 from GitHub releases
+check "fake version not in releases" bash -c '
+    http_code=$(curl -sIL -o /dev/null -w "%{http_code}" "https://github.com/microsoft/sbom-tool/releases/tag/v99.99.99")
+    if [ "${http_code}" = "200" ]; then
+        echo "ERROR: fake version v99.99.99 returned HTTP 200"
         exit 1
     fi
-    echo "Correctly rejected non-existent version v99.99.99"
+    echo "Correctly rejected non-existent version v99.99.99 (HTTP ${http_code})"
 '
 
-# Also verify that a valid version IS accepted by the same logic
+# Verify that a valid version IS accepted (returns HTTP 200)
 check "validation accepts a real version" bash -c '
-    version_list=$(curl -sL https://api.github.com/repos/microsoft/sbom-tool/releases | jq -r ".[].tag_name")
-    if ! echo "${version_list}" | grep -q "0.3.3"; then
-        echo "ERROR: valid version 0.3.3 was not found in release list"
+    http_code=$(curl -sIL -o /dev/null -w "%{http_code}" "https://github.com/microsoft/sbom-tool/releases/tag/v3.0.1")
+    if [ "${http_code}" != "200" ]; then
+        echo "ERROR: valid version v3.0.1 returned HTTP ${http_code}"
         exit 1
     fi
-    echo "Correctly accepted valid version 0.3.3"
+    echo "Correctly accepted valid version v3.0.1 (HTTP ${http_code})"
 '
 
 reportResults

test/sbom/scenarios.json

@@ -11,7 +11,7 @@
         "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
         "features": {
             "sbom": {
-                "version": "2.2.5"
+                "version": "3.0.1"
             }
         }
     },