fix: fail fast on SPDX normalization errors (P0 fixes)

Critical improvements to SPDX UUID replacement:

1. **Type validation**: Check that documentNamespace is a string
   - Prevents silent corruption when field has wrong type
   - Returns clear error message with actual type

2. **Empty validation**: Check that documentNamespace is not empty
   - Prevents invalid SBOM generation
   - Fails fast instead of silently continuing

3. **UUID validation**: Fail if no UUID found in namespace
   - Previously logged warning and continued (non-deterministic!)
   - Now returns error with helpful message
   - Alerts to potential Syft format changes

4. **Multiple UUID handling**: Log warning when multiple UUIDs found
   - Documents intentional behavior (replace all with same UUID)
   - Helps debugging unexpected formats

5. **Comprehensive edge case tests**:
   - documentNamespace is not a string
   - documentNamespace is empty
   - documentNamespace has no UUID
   - All cases now properly fail with clear errors

Benefits:
- Fails fast instead of silently producing non-deterministic builds
- Better error messages for debugging
- Catches unexpected SBOM format changes
- Prevents SBOM corruption

Addresses critical issues identified in PR review.

Co-authored-by: Ona <no-reply@ona.com>

Author: leodido

pkg/leeway/sbom.go

@@ -199,9 +199,16 @@ func normalizeSPDX(sbomPath string, timestamp time.Time) error {
 	}
 	creationInfo["created"] = timestamp.Format(time.RFC3339)
 
+	// Get and validate documentNamespace
+	originalNamespace, ok := sbom["documentNamespace"].(string)
+	if !ok {
+		return fmt.Errorf("documentNamespace field is not a string (got type %T)", sbom["documentNamespace"])
+	}
+	if originalNamespace == "" {
+		return fmt.Errorf("documentNamespace field is empty")
+	}
+
 	// Generate deterministic UUID from normalized content (without timestamp and UUID)
-	// Save original namespace to extract later
-	originalNamespace, _ := sbom["documentNamespace"].(string)
 	delete(sbom, "documentNamespace")
 
 	normalizedForHash, err := json.Marshal(sbom)
@@ -212,18 +219,23 @@ func normalizeSPDX(sbomPath string, timestamp time.Time) error {
 	deterministicUUID := generateDeterministicUUID(contentHash[:])
 
 	// Replace UUID in documentNamespace using regex for robust matching
-	if originalNamespace != "" {
-		// UUID pattern: 8-4-4-4-12 hex digits
-		uuidPattern := regexp.MustCompile(`[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`)
-		if uuidPattern.MatchString(originalNamespace) {
-			// Replace the UUID with our deterministic one
-			originalNamespace = uuidPattern.ReplaceAllString(originalNamespace, deterministicUUID)
-		} else {
-			// Log warning if no UUID found in namespace (unexpected format)
-			log.WithField("documentNamespace", originalNamespace).Warn("No UUID found in SPDX documentNamespace, skipping UUID normalization")
-		}
-		sbom["documentNamespace"] = originalNamespace
+	// UUID pattern: 8-4-4-4-12 hex digits
+	uuidPattern := regexp.MustCompile(`[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`)
+	
+	matches := uuidPattern.FindAllString(originalNamespace, -1)
+	if len(matches) == 0 {
+		return fmt.Errorf("no UUID found in SPDX documentNamespace: %s. "+
+			"This may indicate a format change in Syft. Please report this issue", originalNamespace)
 	}
+	if len(matches) > 1 {
+		log.WithField("documentNamespace", originalNamespace).
+			WithField("uuid_count", len(matches)).
+			Warn("Multiple UUIDs found in documentNamespace, replacing all with same deterministic UUID")
+	}
+	
+	// Replace the UUID(s) with our deterministic one
+	originalNamespace = uuidPattern.ReplaceAllString(originalNamespace, deterministicUUID)
+	sbom["documentNamespace"] = originalNamespace
 
 	// Write back
 	normalized, err := json.MarshalIndent(sbom, "", "  ")

pkg/leeway/sbom_normalize_test.go

@@ -266,26 +266,25 @@ func TestNormalizeSPDX(t *testing.T) {
 		name              string
 		documentNamespace string
 		wantUUIDChanged   bool
+		wantMultipleWarn  bool
 	}{
 		{
 			name:              "UUID at end of namespace",
 			documentNamespace: "https://example.com/test-12345678-1234-1234-1234-123456789abc",
 			wantUUIDChanged:   true,
+			wantMultipleWarn:  false,
 		},
 		{
 			name:              "UUID in middle of namespace",
 			documentNamespace: "https://example.com/12345678-1234-1234-1234-123456789abc/test",
 			wantUUIDChanged:   true,
+			wantMultipleWarn:  false,
 		},
 		{
 			name:              "multiple UUIDs (replaces all)",
 			documentNamespace: "https://example.com/12345678-1234-1234-1234-123456789abc/test-abcdef01-2345-6789-abcd-ef0123456789",
 			wantUUIDChanged:   true,
-		},
-		{
-			name:              "no UUID in namespace",
-			documentNamespace: "https://example.com/test-no-uuid",
-			wantUUIDChanged:   false,
+			wantMultipleWarn:  true,
 		},
 	}
 
@@ -353,20 +352,13 @@ func TestNormalizeSPDX(t *testing.T) {
 
 			// Verify UUID in documentNamespace
 			namespace := normalizedSBOM["documentNamespace"].(string)
-			if tt.wantUUIDChanged {
-				// Should have changed from original
-				if namespace == tt.documentNamespace {
-					t.Error("UUID in documentNamespace was not changed")
-				}
-				// Should not contain the original UUID
-				if contains(namespace, "12345678-1234-1234-1234-123456789abc") {
-					t.Error("original UUID still present in documentNamespace")
-				}
-			} else {
-				// Should remain unchanged if no UUID was present
-				if namespace != tt.documentNamespace {
-					t.Errorf("documentNamespace changed unexpectedly: got %s, want %s", namespace, tt.documentNamespace)
-				}
+			// Should have changed from original
+			if namespace == tt.documentNamespace {
+				t.Error("UUID in documentNamespace was not changed")
+			}
+			// Should not contain the original UUID
+			if contains(namespace, "12345678-1234-1234-1234-123456789abc") {
+				t.Error("original UUID still present in documentNamespace")
 			}
 
 			// Normalize again with same timestamp - should produce same result
@@ -463,7 +455,7 @@ func TestNormalizeSPDX_MalformedSBOM(t *testing.T) {
 		},
 		{
 			name:        "missing creationInfo field",
-			sbomContent: `{"spdxVersion": "SPDX-2.3", "name": "test"}`,
+			sbomContent: `{"spdxVersion": "SPDX-2.3", "name": "test", "documentNamespace": "https://example.com/test-12345678-1234-1234-1234-123456789abc"}`,
 			wantErr:     true,
 			errContains: "creationInfo field not found",
 		},
@@ -473,6 +465,39 @@ func TestNormalizeSPDX_MalformedSBOM(t *testing.T) {
 			wantErr:     true,
 			errContains: "failed to parse SBOM",
 		},
+		{
+			name: "documentNamespace is not a string",
+			sbomContent: `{
+				"spdxVersion": "SPDX-2.3",
+				"name": "test",
+				"documentNamespace": 12345,
+				"creationInfo": {"created": "2023-01-01T00:00:00Z"}
+			}`,
+			wantErr:     true,
+			errContains: "documentNamespace field is not a string",
+		},
+		{
+			name: "documentNamespace is empty",
+			sbomContent: `{
+				"spdxVersion": "SPDX-2.3",
+				"name": "test",
+				"documentNamespace": "",
+				"creationInfo": {"created": "2023-01-01T00:00:00Z"}
+			}`,
+			wantErr:     true,
+			errContains: "documentNamespace field is empty",
+		},
+		{
+			name: "documentNamespace has no UUID",
+			sbomContent: `{
+				"spdxVersion": "SPDX-2.3",
+				"name": "test",
+				"documentNamespace": "https://example.com/no-uuid-here",
+				"creationInfo": {"created": "2023-01-01T00:00:00Z"}
+			}`,
+			wantErr:     true,
+			errContains: "no UUID found in SPDX documentNamespace",
+		},
 	}
 
 	for _, tt := range tests {