syft attest broken since 0.85.0 #2333

Closed
datosh opened this issue Nov 17, 2023 · 2 comments · Fixed by #2337
datosh commented Nov 17, 2023

What happened:

Since release of https://github.com/anchore/syft/releases/tag/v0.85.0 the syft attest functionality is broken.

The specific commit 4da3be8 changed the buildSBOM logic to include a check about the artifact type. As far as I understand the code, this check tests the wrong thing, as it fails if the image is a container image, but this is exactly what we need it to be: 4da3be8#diff-0d5f53ec503a82548b069d34737048067ca7a2c99ced7e5bde834207a22759ceR64

I tried to fix this locally by changing it to if !detection.IsContainerImage() {, but then it fails further along the way.

./bin/syft attest ghcr.io/datosh-org/most-secure-calculator/calculator@sha256:6914a299cd3c5ebad732f488cb1909453422595c9d4d0527d8abd68ab4ebc43d
panic: value method github.com/anchore/syft/syft/source.StereoscopeImageSource.Close called using nil *StereoscopeImageSource pointer

goroutine 14 [running]:
github.com/anchore/syft/syft/source.(*StereoscopeImageSource).Close(0xc0006fd738?)
        <autogenerated>:1 +0x76
github.com/anchore/syft/cmd/syft/cli/commands.buildSBOM({{0x2214b6f, 0x4}, {0x222c4dd, 0xe}, {0x222c4dd, 0xe}, {0x222c4dd, 0xe}, {0x222c4dd, 0xe}}, ...)
        /home/datosh/code/syft/cmd/syft/cli/commands/attest.go:251 +0x886
github.com/anchore/syft/cmd/syft/cli/commands.runAttest({{0x2214b6f, 0x4}, {0x222c4dd, 0xe}, {0x222c4dd, 0xe}, {0x222c4dd, 0xe}, {0x222c4dd, 0xe}}, ...)
        /home/datosh/code/syft/cmd/syft/cli/commands/attest.go:95 +0x112
github.com/anchore/syft/cmd/syft/cli/commands.Attest.func1(0x0?, {0xc000196e90?, 0x0?, 0x0?})
        /home/datosh/code/syft/cmd/syft/cli/commands/attest.go:81 +0x5b
github.com/anchore/clio.(*application).setupCommand.(*application).WrapRunE.func2.1(0x0?, {0xc000196e90?, 0x0?, 0x0?})
        /home/datosh/go/pkg/mod/github.com/anchore/clio@v0.0.0-20231016125544-c98a83e1c7fc/application.go:146 +0x9e
github.com/anchore/clio.async.func1()
        /home/datosh/go/pkg/mod/github.com/anchore/clio@v0.0.0-20231016125544-c98a83e1c7fc/application.go:360 +0x67
created by github.com/anchore/clio.async in goroutine 1
        /home/datosh/go/pkg/mod/github.com/anchore/clio@v0.0.0-20231016125544-c98a83e1c7fc/application.go:358 +0xd6

What you expected to happen:

Steps to reproduce the issue:

With any syft version >= 0.85.0

syft attest ghcr.io/datosh-org/most-secure-calculator/calculator@sha256:6914a299cd3c5ebad732f488cb1909453422595c9d4d0527d8abd68ab4ebc43d
2023/11/17 13:14:08 error during command execution: 1 error occurred:
        * unable to build SBOM: attestations are only supported for oci images at this time

Anything else we need to know?:

Environment:

  • Output of syft version:
  • OS (e.g: cat /etc/os-release or similar):
@datosh datosh added the bug Something isn't working label Nov 17, 2023
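The two defects the report describes, an artifact-type check that rejects exactly the input it should accept and a Close deferred on a pointer that is still nil, reduced to a self-contained Go example. This is added illustration, not syft's code: Detection, ImageSource, newImageSource and the two buildSBOM variants are hypothetical stand-ins; the value-receiver Close is what reproduces the "value method ... Close called using nil ... pointer" panic from the trace above.

```go
package main

import (
	"errors"
	"fmt"
)

// Detection is a hypothetical stand-in for the source-type detection the
// report refers to; only the scheme matters for this example.
type Detection struct{ Scheme string }

func (d Detection) IsContainerImage() bool { return d.Scheme == "image" }

// ImageSource is a hypothetical stand-in for an image source. Close has a
// value receiver, so calling it through a nil *ImageSource panics with
// "value method ... Close called using nil *ImageSource pointer".
type ImageSource struct{ Ref string }

func (s ImageSource) Close() error { return nil }

// newImageSource returns a nil source (plus an error) for anything that is
// not a container image, which is what makes a premature deferred Close fatal.
func newImageSource(d Detection) (*ImageSource, error) {
	if !d.IsContainerImage() {
		return nil, fmt.Errorf("%q is not a container image", d.Scheme)
	}
	return &ImageSource{Ref: d.Scheme}, nil
}

// buildSBOMBroken mirrors the two defects from the report: the artifact-type
// check is inverted (it rejects container images), and Close is deferred on
// the source pointer before the constructor's error is checked.
func buildSBOMBroken(d Detection) (err error) {
	defer func() {
		// Turn the nil-receiver panic into an error so the caller can see it.
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	if d.IsContainerImage() { // inverted: this is the case that should pass
		return errors.New("unable to build SBOM: attestations are only supported for oci images at this time")
	}
	var src *ImageSource
	src, err = newImageSource(d)
	defer src.Close() // src is nil here, so this panics instead of returning err
	if err != nil {
		return err
	}
	return nil
}

// buildSBOMFixed corrects both: the check is negated, and Close is only
// invoked when a source was actually obtained.
func buildSBOMFixed(d Detection) (err error) {
	if !d.IsContainerImage() {
		return errors.New("unable to build SBOM: attestations are only supported for oci images at this time")
	}
	var src *ImageSource
	defer func() {
		if src != nil { // guard: a nil pointer must never reach a value-receiver method
			src.Close()
		}
	}()
	src, err = newImageSource(d)
	if err != nil {
		return fmt.Errorf("unable to build SBOM: %w", err)
	}
	return nil
}

func main() {
	// Constructed inputs: one container image, one directory source.
	for _, d := range []Detection{{"image"}, {"dir"}} {
		fmt.Printf("broken %-5s -> %v\n", d.Scheme, buildSBOMBroken(d))
		fmt.Printf("fixed  %-5s -> %v\n", d.Scheme, buildSBOMFixed(d))
	}
}
```

The guard in the fixed variant is the general lesson: in Go a method with a value receiver dereferences its pointer receiver at call time, so any deferred Close on a variable that is assigned later must either sit after the error check or test for nil itself.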
spiffcs commented Nov 17, 2023

Thanks for the report @datosh - sorry for the breakage here in this command - I'll try and make some time to get a patch in that gets this working again before the next release. Thanks for the detailed notes and cause of the error.

datosh commented Nov 27, 2023

Thanks for getting this fixed this quickly, @wagoodman !
I was able to build & test locally. Works like a charm.
Any chance that there is a new release coming that includes the fix? I will give a workshop next week, and would love to include syft & grype, including the syft attest support.
