Fix issue preventing some SBOMs being fetched from Docker Hub (#1119)

* Fix typo'd accept header

* Ensure we only parse the first line of the attestation

* Changelog

CHANGELOG.md

@@ -11,10 +11,16 @@ All notable changes to `src-cli` are documented in this file.
 
 ## Unreleased
 
+## 5.8.2
+
 ### Added
 
 - Support HTTP(S), SOCKS5, and UNIX Domain Socket proxies via SRC_PROXY environment variable. [#1120](https://github.com/sourcegraph/src-cli/pull/1120)
 
+### Fixed
+
+- Fixed a compatibility issue that prevented `src sbom fetch` from fetching some SBOMs [#1119](https://github.com/sourcegraph/src-cli/pull/1119)
+
 ## 5.8.1
 
 ### Fixed

cmd/src/sbom_fetch.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"bufio"
+	"bytes"
 	"encoding/base64"
 	"encoding/json"
 	"flag"
@@ -262,8 +263,14 @@ type attestation struct {
 }
 
 func extractSBOM(attestationBytes []byte) (string, error) {
+	// Ensure we only use the first line - occasionally Cosign includes multiple lines
+	lines := bytes.Split(attestationBytes, []byte("\n"))
+	if len(lines) == 0 {
+		return "", fmt.Errorf("attestation is empty")
+	}
+
 	var a attestation
-	if err := json.Unmarshal(attestationBytes, &a); err != nil {
+	if err := json.Unmarshal(lines[0], &a); err != nil {
 		return "", fmt.Errorf("failed to unmarshal attestation: %w", err)
 	}
 

cmd/src/sbom_utils.go

@@ -46,7 +46,7 @@ func getImageDigestDockerHub(image string, tag string) (string, error) {
 		return "", err
 	}
 	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", token))
-	req.Header.Add("Accept", "Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.manifest.v1+json")
+	req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.manifest.v1+json")
 
 	// Make the HTTP request
 	resp, err := http.DefaultClient.Do(req)