
fix(sbom): avoid ARG_MAX limit when uploading large SBoMs to DTrack #81

Merged
pgmac merged 1 commit into main from fix/dtrack-upload-arg-too-long
Jun 14, 2026

@pgmac pgmac commented Jun 14, 2026

Collaborator

Summary

  • base64 -w 0 sbom.json for large repos produces a string that exceeds the kernel ARG_MAX when passed to jq via --arg bom — metasearch hit this: jq: Argument list too long / exit code 126
  • Replaces the BOM_B64 shell variable + --arg approach with:
    • --rawfile bom sbom.json — jq reads the file directly, no shell intermediate
    • $bom | ltrimstr("") | @base64 — strips UTF-8 BOM then encodes within jq
    • curl -d @- — reads payload from stdin, no shell variable for the full JSON blob

Fixes: https://github.com/pgmac-net/metasearch/actions/runs/27493686604/job/81263679233

Test plan

  • Trigger SBOM workflow on metasearch (or any repo with a large SBoM) — upload step succeeds
  • Project appears/updates in DTrack with correct tags

🤖 Generated with Claude Code

Passing the base64-encoded SBoM as a shell --arg to jq fails with
"Argument list too long" for large projects (metasearch hit this).

Fixes by using jq --rawfile to read sbom.json directly, encoding with
jq's @base64 filter, and piping the payload to curl via -d @- instead
of a shell variable. Also strips UTF-8 BOM via ltrimstr("").

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pgmac pgmac requested a review from a team as a code owner June 14, 2026 09:19
@pgmac pgmac enabled auto-merge (squash) June 14, 2026 09:22
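
The failure and the fix described in this PR, as an added example that is not code from pg-actions: `payload_via_arg` reproduces the `--arg` pattern that hits the kernel limit, while `payload_via_rawfile` and `upload_sbom` show the file-and-stdin replacement. The JSON field names, the `/api/v1/bom` endpoint with its `X-Api-Key` header, and the `DTRACK_URL` / `DTRACK_API_KEY` variables are assumptions; the `\ufeff` escape spells out the UTF-8 BOM explicitly.

```shell
#!/bin/sh
# Added example with constructed inputs; not the pg-actions workflow itself.

# Return 0 if an N-byte string can be handed to an external program as a
# single argument, non-zero if execve() refuses it ("Argument list too long").
# On Linux one argument is capped at 128 KiB with 4 KiB pages
# (MAX_ARG_STRLEN), far below the total reported by `getconf ARG_MAX`.
argv_accepts() {
    big=$(head -c "$1" /dev/zero | tr '\0' 'A')
    env true "$big" 2>/dev/null
}

# Before: the base64 text passes through a shell variable into jq's argv.
# $1 = SBoM file, $2 = project name. The JSON field names are assumptions.
payload_via_arg() {
    bom_b64=$(base64 < "$1" | tr -d '\n')
    jq -cn --arg name "$2" --arg bom "$bom_b64" \
        '{projectName: $name, autoCreate: true, bom: $bom}'
}

# After: jq opens the file itself, drops a leading U+FEFF and encodes it, so
# the large data only exists in the file on disk and on jq's stdout.
payload_via_rawfile() {
    jq -cn --arg name "$2" --rawfile bom "$1" \
        '{projectName: $name, autoCreate: true,
          bom: ($bom | ltrimstr("\ufeff") | @base64)}'
}

# Stream the payload to the server on stdin. DTRACK_URL and DTRACK_API_KEY
# are hypothetical variable names. curl's -d @- drops CR/LF from the input,
# which is harmless for the single-line output of jq -c.
upload_sbom() {
    payload_via_rawfile "$1" "$2" |
        curl -sS --fail -X PUT \
            -H 'Content-Type: application/json' \
            -H "X-Api-Key: ${DTRACK_API_KEY}" \
            -d @- "${DTRACK_URL}/api/v1/bom"
}
```

Because the API key is still passed in curl's argv here, it is visible in the process list on a shared runner; curl's `-H @file` form avoids that.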
@github-actions


SBoM Vulnerability Scan Results

Scan Summary:

  • Total vulnerabilities found: 1
  • Critical: 0
  • High: 1
  • Medium: 0

SBoM Details:

  • Generated from commit: 4d629a3
  • SBoM format: CycloneDX
  • Repository: pgmac-net/pg-actions

View full SARIF report

This comment will be updated on each commit

@pgmac pgmac disabled auto-merge June 14, 2026 10:04
@pgmac pgmac merged commit 218190a into main Jun 14, 2026
3 checks passed
@pgmac pgmac deleted the fix/dtrack-upload-arg-too-long branch June 14, 2026 10:04