From 660f1e66af1e9e3d93cd15b4f81266ed80f33a45 Mon Sep 17 00:00:00 2001
From: Will Dollman
Date: Wed, 16 Oct 2024 22:43:50 +0100
Subject: [PATCH 1/3] Fix typo'd accept header
---
 cmd/src/sbom_utils.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/src/sbom_utils.go b/cmd/src/sbom_utils.go
index ff223bcb74..9bce46e748 100644
--- a/cmd/src/sbom_utils.go
+++ b/cmd/src/sbom_utils.go
@@ -46,7 +46,7 @@ func getImageDigestDockerHub(image string, tag string) (string, error) {
 return "", err
 }
 req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", token))
- req.Header.Add("Accept", "Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.manifest.v1+json")
+ req.Header.Add("Accept", "application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.manifest.v1+json")
 // Make the HTTP request
 resp, err := http.DefaultClient.Do(req)
From 90124a9202c856f7a9b40934008d60d44073c690 Mon Sep 17 00:00:00 2001
From: Will Dollman
Date: Wed, 16 Oct 2024 22:44:10 +0100
Subject: [PATCH 2/3] Ensure we only parse the first line of the attestation
---
 cmd/src/sbom_fetch.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/cmd/src/sbom_fetch.go b/cmd/src/sbom_fetch.go
index 6cee467780..894e34658d 100644
--- a/cmd/src/sbom_fetch.go
+++ b/cmd/src/sbom_fetch.go
@@ -2,6 +2,7 @@ package main
 import (
 "bufio"
+ "bytes"
 "encoding/base64"
 "encoding/json"
 "flag"
@@ -262,8 +263,14 @@ type attestation struct {
 }
 func extractSBOM(attestationBytes []byte) (string, error) {
+ // Ensure we only use the first line - occasionally Cosign includes multiple lines
+ lines := bytes.Split(attestationBytes, []byte("\n"))
+ if len(lines) == 0 {
+ return "", fmt.Errorf("attestation is empty")
+ }
+
 var a attestation
- if err := json.Unmarshal(attestationBytes, &a); err != nil {
+ if err := json.Unmarshal(lines[0], &a); err != nil {
 return "", fmt.Errorf("failed to unmarshal attestation: %w", err)
 }
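Review bot: The corrected Accept value on the new line in getImageDigestDockerHub lists only the two single-platform manifest media types, so for a multi-architecture image the registry may resolve the tag to a platform-specific manifest rather than the image index, and if the returned digest is later used to locate a Cosign attestation it can be the wrong one, since attestations are typically attached to the index digest. Whether Docker Hub picks a default platform or rejects such a request is not something the hunk shows, so this is worth confirming against a multi-arch image. If index lookups are intended, adding `application/vnd.oci.image.index.v1+json` and `application/vnd.docker.distribution.manifest.list.v2+json` to the list would let the caller receive it, with the response handling adjusted to match. Unrelated to this change, the context line `resp, err := http.DefaultClient.Do(req)` carries no timeout; a client with one, or a request built with a context, would bound the call. getImageDigestDockerHub starts before the hunk and its response handling continues after it.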
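Review bot: The `len(lines) == 0` guard added to extractSBOM is dead code, because `bytes.Split` always returns at least one element (an empty input yields a single empty slice), so an empty or newline-led attestation falls through to `json.Unmarshal(lines[0], &a)` and is reported as "failed to unmarshal attestation" rather than the intended "attestation is empty". Checking the first line itself, `if len(bytes.TrimSpace(lines[0])) == 0 {`, gives the guard an effect; `bytes.Cut` would also avoid splitting the whole payload when only the first line is used. Separately, if the extra lines Cosign emits are additional attestations rather than trailing noise, silently parsing only the first one can pick up the wrong predicate; selecting the line whose predicate type matches the expected SBOM predicate would be more robust, but what the remaining lines hold is not visible here. extractSBOM continues past the end of the hunk.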
From 29b833fdce05e62308bc94ab74da1a302c148be4 Mon Sep 17 00:00:00 2001
From: Will Dollman
Date: Wed, 16 Oct 2024 22:50:50 +0100
Subject: [PATCH 3/3] Changelog
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ef1ec46a4b..e3e0bb1768 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,12 @@ All notable changes to `src-cli` are documented in this file.
 ## Unreleased
+## 5.8.2
+
+### Fixed
+
+- Fixed a compatibility issue that prevented `src sbom fetch` from fetching some SBOMs [#1119](https://github.com/sourcegraph/src-cli/pull/1119)
+
 ## 5.8.1
 ### Fixed