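#!/usr/bin/env bash
# =============================================================================
# SBOM Generation — CycloneDX + SPDX
#
# Usage:  sbom.sh IMAGE
# Env:    REPORT_DIR   output directory (default: ./scan-reports)
# Writes: ${REPORT_DIR}/sbom.spdx.json       (Trivy,  SPDX JSON)
#         ${REPORT_DIR}/sbom.cyclonedx.json  (Syft,   CycloneDX JSON)
#         ${REPORT_DIR}/grype-vulns.json     (Grype,  JSON vulnerability report)
#
# This script only *produces* reports; it does not fail on findings. Gate on
# severity downstream (e.g. grype --fail-on) if a policy decision is wanted.
# Pass an immutable reference (name@sha256:...) so the SBOM describes exactly
# the artifact that ships — a tag can be re-pointed after the scan.
# =============================================================================
set -euo pipefail

IMAGE="${1:?Usage: $0 IMAGE}"
REPORT_DIR="${REPORT_DIR:-./scan-reports}"

# All three scanners are mandatory; check up front so a missing tool fails
# before any report has been written, not halfway through.
for tool in trivy syft grype; do
  command -v "${tool}" >/dev/null 2>&1 \
    || { printf 'error: required tool %s not found on PATH\n' "${tool}" >&2; exit 1; }
done

# A tag-only reference is mutable: the content scanned here and the content
# later deployed under the same tag need not be the same image. Warn rather
# than abort, since local/dev images are routinely tag-only.
if [[ "${IMAGE}" != *@sha256:* ]]; then
  printf 'warning: %s is not pinned by digest; the SBOM may not match the deployed image\n' "${IMAGE}" >&2
fi

mkdir -p "${REPORT_DIR}"

# Each tool writes into a scratch directory and the result is moved into
# REPORT_DIR only after the tool exited 0. Under `set -e` a failing
# `syft ... > file` would otherwise leave a truncated sbom.*.json in place
# that a later pipeline stage could mistake for a complete report.
work_dir="$(mktemp -d)"
cleanup() { rm -rf -- "${work_dir:?}"; }
trap cleanup EXIT

printf '=== Generating SBOM for %s ===\n' "${IMAGE}"

# SPDX format (via Trivy)
trivy image \
  --format spdx-json \
  --output "${work_dir}/sbom.spdx.json" \
  "${IMAGE}"
mv -- "${work_dir}/sbom.spdx.json" "${REPORT_DIR}/sbom.spdx.json"

# CycloneDX format (via Syft)
syft "${IMAGE}" \
  -o cyclonedx-json > "${work_dir}/sbom.cyclonedx.json"
mv -- "${work_dir}/sbom.cyclonedx.json" "${REPORT_DIR}/sbom.cyclonedx.json"

# Vulnerability report. Grype is pointed at the image directly, as before, so
# this is an independent inventory pass rather than a scan of the CycloneDX
# file above; point it at `sbom:${REPORT_DIR}/sbom.cyclonedx.json` instead if
# the findings must correspond one-to-one with the SBOM's component list.
grype "${IMAGE}" \
  -o json > "${work_dir}/grype-vulns.json"
mv -- "${work_dir}/grype-vulns.json" "${REPORT_DIR}/grype-vulns.json"

printf '=== SBOM generated ===\n'
printf ' SPDX: %s\n' "${REPORT_DIR}/sbom.spdx.json"
printf ' CycloneDX: %s\n' "${REPORT_DIR}/sbom.cyclonedx.json"
printf ' Vulns: %s\n' "${REPORT_DIR}/grype-vulns.json"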