example: fix npm-lock

Signed-off-by: CrazyMax <[email protected]>

examples/npm-lock/.dockerignore

@@ -1 +1,2 @@
-/build/
+/build/
+/node_modules/

examples/npm-lock/.gitignore

@@ -0,0 +1 @@
+node_modules

examples/npm-lock/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-# Copyright 2022 buildkit-syft-scanner authors
+# Copyright 2024 buildkit-syft-scanner authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,6 +14,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM scratch
+FROM scratch AS base
+COPY package-lock.json .
+COPY <<EOF /empty
+EOF
 
-COPY package-lock.json /package-lock.json
+FROM scratch
+COPY --from=base /empty /

examples/npm-lock/checks/sbom-base.spdx.json

@@ -0,0 +1,14 @@
+{
+  "_type": "https://in-toto.io/Statement/v0.1",
+  "predicateType": "https://spdx.dev/Document",
+  "predicate": {
+    "SPDXID": "SPDXRef-DOCUMENT",
+    "name": "sbom-base",
+    "packages": [
+      {
+        "SPDXID": "=package",
+        "name": "lodash"
+      }
+    ]
+  }
+}

examples/npm-lock/checks/sbom.spdx.json

@@ -3,16 +3,6 @@
   "predicateType": "https://spdx.dev/Document",
   "predicate": {
     "SPDXID": "SPDXRef-DOCUMENT",
-    "name": "sbom",
-    "packages": [
-      {
-        "SPDXID": "=package",
-        "name": "lodash"
-      },
-      {
-        "SPDXID": "=package",
-        "name": "npm"
-      }
-    ]
+    "name": "sbom"
   }
 }

examples/npm-lock/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "npm-lock",
+  "version": "1.0.0",
+  "description": "BuildKit Syft Scanner",
+  "dependencies": {
+    "lodash": "^4.17.21"
+  }
+}