Commit 326925d

leodido and ona-agent committed
Fix SBOM generation for Docker packages without OCI export
When exportToCache is false, Docker images are built and loaded into the Docker daemon with their content hash as the tag. SBOM generation was failing because syft couldn't find these images - it was trying all providers (registry, podman, containerd, etc.) instead of looking in the local Docker daemon.

The fix explicitly configures syft to use the 'docker' source provider, similar to how the OCI export path uses 'oci-archive'. This tells syft to look for the image in the local Docker daemon.

Tested with integration test that covers both paths:
- exportToCache=false (Docker daemon) - now works
- exportToCache=true (OCI layout) - still works

Co-authored-by: Ona <[email protected]>
1 parent 9a7c4df commit 326925d

1 file changed: +4 -1 lines changed

pkg/leeway/sbom.go

Lines changed: 4 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -266,7 +266,10 @@ func writeSBOM(buildctx *buildContext, p *Package, builddir string) (err error)
266266
return xerrors.Errorf("failed to get package version: %w", err)
267267
}
268268

269-
src, err = syft.GetSource(context.Background(), version, nil)
269+
// Use explicit source provider configuration to ensure docker daemon is used
270+
// The version is a content hash that exists as a tag in the local Docker daemon
271+
srcCfg := syft.DefaultGetSourceConfig().WithSources("docker")
272+
src, err = syft.GetSource(context.Background(), version, srcCfg)
270273
if err != nil {
271274
return xerrors.Errorf("failed to get Docker image source for SBOM generation: %w", err)
272275
}
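
Review bot: The error returned at new line 274 does not include `version` or the fact that the lookup is now limited to the docker provider, so a tag missing from the local daemon will be hard to tell apart from any other syft failure. Consider putting the image reference in the message, for example `"failed to get Docker image source %s from local Docker daemon for SBOM generation: %w"`. The comment on new lines 269-270 could also record the second effect of `WithSources("docker")`: syft no longer falls through to other providers for a bare content-hash reference, so the SBOM can only describe an image that is present in the local daemon. Separately, the call still passes `context.Background()`, so an unresponsive daemon cannot be cancelled; a context with a deadline would bound it.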
