google · another-rex · Apr 18, 2023 · Apr 17, 2023 · Apr 17, 2023 · Apr 17, 2023
diff --git a/docs/usage.md b/docs/usage.md
@@ -33,13 +33,17 @@ The `--no-ignore` flag can be used to force the scanner to scan ignored files.
 If you want to check for known vulnerabilities only in dependencies in your SBOM, you can use the following command:
 
 ```bash
-osv-scanner --sbom=/path/to/your/sbom.json
+osv-scanner --sbom=/path/to/your/sbom.spdx.json
 ```
 
 [SPDX] and [CycloneDX] SBOMs using [Package URLs] are supported. The format is
-auto-detected based on the input file contents.
+auto-detected based on the input file contents and the file name.
+
+When scanning a directory, only SBOMs following the specification filename will be scanned. See the specs for [SPDX Filenames] and [CycloneDX Filenames].
 
 [SPDX]: https://spdx.dev/
+[SPDX Filenames]: https://spdx.github.io/spdx-spec/v2.3/conformance/
+[CycloneDX Filenames]: https://cyclonedx.org/specification/overview/#recognized-file-patterns
 [CycloneDX]: https://cyclonedx.org/
 [Package URLs]: https://github.com/package-url/purl-spec
 

diff --git a/internal/sbom/cyclonedx.go b/internal/sbom/cyclonedx.go
@@ -112,7 +112,7 @@ func (c *CycloneDX) GetPackages(r io.ReadSeeker, callback func(Identifier) error
 	}
 
 	return InvalidFormatError{
-		msg:  "failed to parse CycloneDX",
-		errs: errs,
+		Msg:  "failed to parse CycloneDX",
+		Errs: errs,
 	}
 }
diff --git a/internal/sbom/sbom.go b/internal/sbom/sbom.go
@@ -27,15 +27,15 @@ var (
 )
 
 type InvalidFormatError struct {
-	msg  string
-	errs []error
+	Msg  string
+	Errs []error
 }
 
 func (e InvalidFormatError) Error() string {
-	errStrings := make([]string, 0, len(e.errs))
-	for _, e := range e.errs {
+	errStrings := make([]string, 0, len(e.Errs))
+	for _, e := range e.Errs {
 		errStrings = append(errStrings, "\t"+e.Error())
 	}
 
-	return fmt.Sprintf("%s:\n%s", e.msg, strings.Join(errStrings, "\n"))
+	return fmt.Sprintf("%s:\n%s", e.Msg, strings.Join(errStrings, "\n"))
 }
diff --git a/internal/sbom/spdx.go b/internal/sbom/spdx.go
@@ -81,7 +81,7 @@ func (s *SPDX) GetPackages(r io.ReadSeeker, callback func(Identifier) error) err
 	}
 
 	return InvalidFormatError{
-		msg:  "failed to parse SPDX",
-		errs: errs,
+		Msg:  "failed to parse SPDX",
+		Errs: errs,
 	}
 }
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
@@ -262,6 +262,14 @@ func scanSBOMFile(r *reporter.Reporter, query *osv.BatchedQuery, path string, fr
 		})
 		if err == nil {
 			// Found the right format.
+			if count == 0 {
+				return sbom.InvalidFormatError{
+					Msg: "no Package URLs found",
+					Errs: []error{
+						fmt.Errorf("scanned %s as %s SBOM, but failed to find any package URLs, this is required to scan SBOMs", path, provider.Name()),
+					},
+				}
+			}
 			r.PrintText(fmt.Sprintf("Scanned %s as %s SBOM and found %d packages\n", path, provider.Name(), count))
 			if ignoredCount > 0 {
 				r.PrintText(fmt.Sprintf("Ignored %d packages with invalid PURLs\n", ignoredCount))