feat(report): add support for SPDX (#2059)

Co-authored-by: knqyf263 <knqyf263@gmail.com>

README.md

@@ -198,6 +198,7 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
   - container image, local filesystem and remote git repository
 - Supply chain security (SBOM support)
   - Support CycloneDX
+  - Support SPDX
 
 # Integrations
 - [GitHub Actions][action]

docs/docs/index.md

@@ -57,6 +57,7 @@ See [Integrations][integrations] for details.
     - remote git repository
 - [SBOM][sbom] (Software Bill of Materials) support
     - CycloneDX 
+    - SPDX
 
 Please see [LICENSE][license] for Trivy licensing information.
 

docs/docs/references/cli/sbom.md

@@ -7,13 +7,20 @@ NAME:
 USAGE:
    trivy sbom [command options] ARTIFACT
 
+DESCRIPTION:
+   ARTIFACT can be a container image, file path/directory, git repository or container image archive. See examples.
+
 OPTIONS:
    --output value, -o value             output file name [$TRIVY_OUTPUT]
    --clear-cache, -c                    clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
    --ignorefile value                   specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
    --timeout value                      timeout (default: 5m0s) [$TRIVY_TIMEOUT]
    --severity value, -s value           severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
+   --offline-scan                       do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
+   --db-repository value                OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
+   --skip-files value                   specify the file paths to skip traversal                (accepts multiple inputs) [$TRIVY_SKIP_FILES]
+   --skip-dirs value                    specify the directories where the traversal is skipped  (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
    --artifact-type value, --type value  input artifact type (image, fs, repo, archive) (default: "image") [$TRIVY_ARTIFACT_TYPE]
-   --sbom-format value, --format value  SBOM format (cyclonedx) (default: "cyclonedx") [$TRIVY_SBOM_FORMAT]
+   --sbom-format value, --format value  SBOM format (cyclonedx, spdx, spdx-json) (default: "cyclonedx") [$TRIVY_SBOM_FORMAT]
    --help, -h                           show help (default: false)
 ```

docs/docs/sbom/index.md

@@ -1,7 +1,9 @@
 # SBOM
+
 Trivy currently supports the following SBOM formats.
 
 - [CycloneDX][cyclonedx]
+- [SPDX][spdx]
 
 To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.
 
@@ -188,4 +190,5 @@ $ trivy sbom --artifact-type repo github.com/aquasecurity/trivy-ci-test
 $ trivy sbom --artifact-type archive alpine.tar
 ```
 
-[cyclonedx]: cyclonedx.md
+[cyclonedx]: cyclonedx.md
+[spdx]: spdx.md

docs/docs/sbom/spdx.md

@@ -0,0 +1,297 @@
+# SPDX
+
+Trivy generates reports in the [SPDX][spdx] format.
+
+You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `spdx` with the `--format` option.
+
+```
+$ trivy image --format spdx --output result.spdx alpine:3.15
+```
+
+<details>
+<summary>Result</summary>
+
+```
+$ cat result.spdx
+SPDXVersion: SPDX-2.2
+DataLicense: CC0-1.0
+SPDXID: SPDXRef-DOCUMENT
+DocumentName: alpine:3.15
+DocumentNamespace: http://aquasecurity.github.io/trivy/container_image/alpine:3.15-bebf6b19-a94c-4e2c-af44-065f63923f48
+Creator: Organization: aquasecurity
+Creator: Tool: trivy
+Created: 2022-04-28T07:32:57.142806Z
+
+##### Package: zlib
+
+PackageName: zlib
+SPDXID: SPDXRef-12bc938ac028a5e1
+PackageVersion: 1.2.12-r0
+FilesAnalyzed: false
+PackageLicenseConcluded: Zlib
+PackageLicenseDeclared: Zlib
+
+##### Package: apk-tools
+
+PackageName: apk-tools
+SPDXID: SPDXRef-26c274652190d87f
+PackageVersion: 2.12.7-r3
+FilesAnalyzed: false
+PackageLicenseConcluded: GPL-2.0-only
+PackageLicenseDeclared: GPL-2.0-only
+
+##### Package: libretls
+
+PackageName: libretls
+SPDXID: SPDXRef-2b021966d19a8211
+PackageVersion: 3.3.4-r3
+FilesAnalyzed: false
+PackageLicenseConcluded: ISC AND (BSD-3-Clause OR MIT)
+PackageLicenseDeclared: ISC AND (BSD-3-Clause OR MIT)
+
+##### Package: busybox
+
+PackageName: busybox
+SPDXID: SPDXRef-317ce3476703f20d
+PackageVersion: 1.34.1-r5
+FilesAnalyzed: false
+PackageLicenseConcluded: GPL-2.0-only
+PackageLicenseDeclared: GPL-2.0-only
+
+##### Package: libcrypto1.1
+
+PackageName: libcrypto1.1
+SPDXID: SPDXRef-34f407fb4dbd67f4
+PackageVersion: 1.1.1n-r0
+FilesAnalyzed: false
+PackageLicenseConcluded: OpenSSL
+PackageLicenseDeclared: OpenSSL
+
+##### Package: libc-utils
+
+PackageName: libc-utils
+SPDXID: SPDXRef-4bbc1cb449d54083
+PackageVersion: 0.7.2-r3
+FilesAnalyzed: false
+PackageLicenseConcluded: BSD-2-Clause AND BSD-3-Clause
+PackageLicenseDeclared: BSD-2-Clause AND BSD-3-Clause
+
+##### Package: alpine-keys
+
+PackageName: alpine-keys
+SPDXID: SPDXRef-a3bdd174be1456b6
+PackageVersion: 2.4-r1
+FilesAnalyzed: false
+PackageLicenseConcluded: MIT
+PackageLicenseDeclared: MIT
+
+##### Package: ca-certificates-bundle
+
+PackageName: ca-certificates-bundle
+SPDXID: SPDXRef-ac6472ba26fb991c
+PackageVersion: 20211220-r0
+FilesAnalyzed: false
+PackageLicenseConcluded: MPL-2.0 AND MIT
+PackageLicenseDeclared: MPL-2.0 AND MIT
+
+##### Package: libssl1.1
+
+PackageName: libssl1.1
+SPDXID: SPDXRef-b2d1b1d70fe90f7d
+PackageVersion: 1.1.1n-r0
+FilesAnalyzed: false
+PackageLicenseConcluded: OpenSSL
+PackageLicenseDeclared: OpenSSL
+
+##### Package: scanelf
+
+PackageName: scanelf
+SPDXID: SPDXRef-c617077ba6649520
+PackageVersion: 1.3.3-r0
+FilesAnalyzed: false
+PackageLicenseConcluded: GPL-2.0-only
+PackageLicenseDeclared: GPL-2.0-only
+
+##### Package: musl
+
+PackageName: musl
+SPDXID: SPDXRef-ca80b810029cde0e
+PackageVersion: 1.2.2-r7
+FilesAnalyzed: false
+PackageLicenseConcluded: MIT
+PackageLicenseDeclared: MIT
+
+##### Package: alpine-baselayout
+
+PackageName: alpine-baselayout
+SPDXID: SPDXRef-d782e64751ba9faa
+PackageVersion: 3.2.0-r18
+FilesAnalyzed: false
+PackageLicenseConcluded: GPL-2.0-only
+PackageLicenseDeclared: GPL-2.0-only
+
+##### Package: musl-utils
+
+PackageName: musl-utils
+SPDXID: SPDXRef-e5e8a237f6162e22
+PackageVersion: 1.2.2-r7
+FilesAnalyzed: false
+PackageLicenseConcluded: MIT BSD GPL2+
+PackageLicenseDeclared: MIT BSD GPL2+
+
+##### Package: ssl_client
+
+PackageName: ssl_client
+SPDXID: SPDXRef-fdf0ce84f6337be4
+PackageVersion: 1.34.1-r5
+FilesAnalyzed: false
+PackageLicenseConcluded: GPL-2.0-only
+PackageLicenseDeclared: GPL-2.0-only
+```
+
+</details>
+
+SPDX-JSON format is also supported by using `spdx-json` with the `--format` option.
+
+```
+$ trivy image --format spdx-json --output result.spdx.json alpine:3.15
+```
+
+<details>
+<summary>Result</summary>
+
+```
+$ cat result.spdx.json | jq .
+{
+	"SPDXID": "SPDXRef-DOCUMENT",
+	"creationInfo": {
+		"created": "2022-04-28T08:16:55.328255Z",
+		"creators": [
+			"Tool: trivy",
+			"Organization: aquasecurity"
+		]
+	},
+	"dataLicense": "CC0-1.0",
+	"documentNamespace": "http://aquasecurity.github.io/trivy/container_image/alpine:3.15-d9549e3a-a4c5-4ee3-8bde-8c78d451fbe7",
+	"name": "alpine:3.15",
+	"packages": [
+		{
+			"SPDXID": "SPDXRef-12bc938ac028a5e1",
+			"filesAnalyzed": false,
+			"licenseConcluded": "Zlib",
+			"licenseDeclared": "Zlib",
+			"name": "zlib",
+			"versionInfo": "1.2.12-r0"
+		},
+		{
+			"SPDXID": "SPDXRef-26c274652190d87f",
+			"filesAnalyzed": false,
+			"licenseConcluded": "GPL-2.0-only",
+			"licenseDeclared": "GPL-2.0-only",
+			"name": "apk-tools",
+			"versionInfo": "2.12.7-r3"
+		},
+		{
+			"SPDXID": "SPDXRef-2b021966d19a8211",
+			"filesAnalyzed": false,
+			"licenseConcluded": "ISC AND (BSD-3-Clause OR MIT)",
+			"licenseDeclared": "ISC AND (BSD-3-Clause OR MIT)",
+			"name": "libretls",
+			"versionInfo": "3.3.4-r3"
+		},
+		{
+			"SPDXID": "SPDXRef-317ce3476703f20d",
+			"filesAnalyzed": false,
+			"licenseConcluded": "GPL-2.0-only",
+			"licenseDeclared": "GPL-2.0-only",
+			"name": "busybox",
+			"versionInfo": "1.34.1-r5"
+		},
+		{
+			"SPDXID": "SPDXRef-34f407fb4dbd67f4",
+			"filesAnalyzed": false,
+			"licenseConcluded": "OpenSSL",
+			"licenseDeclared": "OpenSSL",
+			"name": "libcrypto1.1",
+			"versionInfo": "1.1.1n-r0"
+		},
+		{
+			"SPDXID": "SPDXRef-4bbc1cb449d54083",
+			"filesAnalyzed": false,
+			"licenseConcluded": "BSD-2-Clause AND BSD-3-Clause",
+			"licenseDeclared": "BSD-2-Clause AND BSD-3-Clause",
+			"name": "libc-utils",
+			"versionInfo": "0.7.2-r3"
+		},
+		{
+			"SPDXID": "SPDXRef-a3bdd174be1456b6",
+			"filesAnalyzed": false,
+			"licenseConcluded": "MIT",
+			"licenseDeclared": "MIT",
+			"name": "alpine-keys",
+			"versionInfo": "2.4-r1"
+		},
+		{
+			"SPDXID": "SPDXRef-ac6472ba26fb991c",
+			"filesAnalyzed": false,
+			"licenseConcluded": "MPL-2.0 AND MIT",
+			"licenseDeclared": "MPL-2.0 AND MIT",
+			"name": "ca-certificates-bundle",
+			"versionInfo": "20211220-r0"
+		},
+		{
+			"SPDXID": "SPDXRef-b2d1b1d70fe90f7d",
+			"filesAnalyzed": false,
+			"licenseConcluded": "OpenSSL",
+			"licenseDeclared": "OpenSSL",
+			"name": "libssl1.1",
+			"versionInfo": "1.1.1n-r0"
+		},
+		{
+			"SPDXID": "SPDXRef-c617077ba6649520",
+			"filesAnalyzed": false,
+			"licenseConcluded": "GPL-2.0-only",
+			"licenseDeclared": "GPL-2.0-only",
+			"name": "scanelf",
+			"versionInfo": "1.3.3-r0"
+		},
+		{
+			"SPDXID": "SPDXRef-ca80b810029cde0e",
+			"filesAnalyzed": false,
+			"licenseConcluded": "MIT",
+			"licenseDeclared": "MIT",
+			"name": "musl",
+			"versionInfo": "1.2.2-r7"
+		},
+		{
+			"SPDXID": "SPDXRef-d782e64751ba9faa",
+			"filesAnalyzed": false,
+			"licenseConcluded": "GPL-2.0-only",
+			"licenseDeclared": "GPL-2.0-only",
+			"name": "alpine-baselayout",
+			"versionInfo": "3.2.0-r18"
+		},
+		{
+			"SPDXID": "SPDXRef-e5e8a237f6162e22",
+			"filesAnalyzed": false,
+			"licenseConcluded": "MIT BSD GPL2+",
+			"licenseDeclared": "MIT BSD GPL2+",
+			"name": "musl-utils",
+			"versionInfo": "1.2.2-r7"
+		},
+		{
+			"SPDXID": "SPDXRef-fdf0ce84f6337be4",
+			"filesAnalyzed": false,
+			"licenseConcluded": "GPL-2.0-only",
+			"licenseDeclared": "GPL-2.0-only",
+			"name": "ssl_client",
+			"versionInfo": "1.34.1-r5"
+		}
+	],
+	"spdxVersion": "SPDX-2.2"
+}
+```
+
+</details>
+
+[spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf

go.mod

@@ -155,6 +155,7 @@ require (
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/spdx/tools-golang v0.3.0
 	github.com/spf13/cast v1.4.1 // indirect
 	github.com/stretchr/objx v0.3.0 // indirect
 	github.com/tmccombs/hcl2json v0.3.4 // indirect
@@ -198,5 +199,7 @@ require (
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
+require github.com/mitchellh/hashstructure/v2 v2.0.2
+
 // To resolve CVE-2022-23648
 replace github.com/containerd/containerd v1.5.9 => github.com/containerd/containerd v1.5.10

go.sum

@@ -1183,6 +1183,8 @@ github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQ
 github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
 github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
 github.com/mitchellh/hashstructure v1.0.0/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ=
+github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
+github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
@@ -1468,6 +1470,9 @@ github.com/sourcegraph/go-diff v0.5.1/go.mod h1:j2dHj3m8aZgQO8lMTcTnBcXkRRRqi34c
 github.com/sourcegraph/go-diff v0.5.3/go.mod h1:v9JDtjCE4HHHCZGId75rg8gkKKa98RVjBcBGsVmMmak=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
+github.com/spdx/tools-golang v0.3.0 h1:rtm+DHk3aAt74Fh0Wgucb4pCxjXV8SqHCPEb2iBd30k=
+github.com/spdx/tools-golang v0.3.0/go.mod h1:RO4Y3IFROJnz+43JKm1YOrbtgQNljW4gAPpA/sY2eqo=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=