feat(sbom): Support license detection for SBOM scan

aquasecurity · Mar 10, 2024 · 9902696 · 9902696
1 parent 8221473
commit 9902696
Show file tree

Hide file tree

Showing 10 changed files with 1,181 additions and 21 deletions.
diff --git a/docs/docs/references/configuration/cli/trivy.md b/docs/docs/references/configuration/cli/trivy.md
@@ -53,7 +53,7 @@ trivy [global flags] command [flags] target
 * [trivy plugin](trivy_plugin.md)	 - Manage plugins
 * [trivy repository](trivy_repository.md)	 - Scan a repository
 * [trivy rootfs](trivy_rootfs.md)	 - Scan rootfs
-* [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities
+* [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities and licenses
 * [trivy server](trivy_server.md)	 - Server mode
 * [trivy version](trivy_version.md)	 - Print the version
 * [trivy vm](trivy_vm.md)	 - [EXPERIMENTAL] Scan a virtual machine image

diff --git a/docs/docs/references/configuration/cli/trivy_sbom.md b/docs/docs/references/configuration/cli/trivy_sbom.md
@@ -1,6 +1,6 @@
 ## trivy sbom
 
-Scan SBOM for vulnerabilities
+Scan SBOM for vulnerabilities and licenses
 
 ```
 trivy sbom [flags] SBOM_PATH
@@ -36,6 +36,7 @@ trivy sbom [flags] SBOM_PATH
       --ignore-policy string        specify the Rego file path to evaluate each vulnerability
       --ignore-status strings       comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
       --ignore-unfixed              display only fixed vulnerabilities
+      --ignored-licenses strings    specify a list of license to ignore
       --ignorefile string           specify .trivyignore file (default ".trivyignore")
       --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
       --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
@@ -50,6 +51,7 @@ trivy sbom [flags] SBOM_PATH
       --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --reset                       remove all caches and database
       --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings            comma-separated list of what security issues to detect (vuln,license) (default [vuln])
       --server string               server address in client mode
   -s, --severity strings            severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
       --show-suppressed             [EXPERIMENTAL] show suppressed vulnerabilities

diff --git a/docs/docs/scanner/license.md b/docs/docs/scanner/license.md
@@ -30,10 +30,10 @@ To configure the confidence level, you can use `--license-confidence-level`. Thi
 
 Currently, the standard license scanning doesn't support filesystem and repository scanning.
 
-|   License scanning    | Image | Rootfs | Filesystem | Repository |
-| :-------------------: | :---: | :----: | :--------: | :--------: |
-|       Standard        |   ✅   |   ✅    |     -      |     -      |
-| Full (--license-full) |   ✅   |   ✅    |     ✅      |     ✅      |
+|   License scanning    | Image | Rootfs | Filesystem | Repository | SBOM |
+|:---------------------:|:-----:|:------:|:----------:|:----------:|:----:|
+|       Standard        |   ✅   |   ✅    |     -      |     -      |  ✅   |
+| Full (--license-full) |   ✅   |   ✅    |     ✅      |     ✅      |  -   |
 
 License checking classifies the identified licenses and map the classification to severity.
 

diff --git a/docs/docs/target/sbom.md b/docs/docs/target/sbom.md
@@ -1,6 +1,6 @@
 # SBOM scanning
 
-Trivy can take the following SBOM formats as an input and scan for vulnerabilities.
+Trivy can take the following SBOM formats as an input and scan for vulnerabilities and licenses.
 
 - CycloneDX
 - SPDX
@@ -17,6 +17,9 @@ $ trivy sbom /path/to/sbom_file
 
 ```
 
+By default, vulnerability scan in SBOM is executed. You can use `--scanners vuln,license` 
+command property to select also license scan, or `--scanners license` alone.
+
 !!! note
     Passing SBOMs generated by tool other than Trivy may result in inaccurate detection
     because Trivy relies on custom properties in SBOM for accurate scanning.

diff --git a/integration/sbom_test.go b/integration/sbom_test.go
@@ -19,6 +19,7 @@ func TestSBOM(t *testing.T) {
 		input        string
 		format       string
 		artifactType string
+		scanners     string
 	}
 	tests := []struct {
 		name     string
@@ -150,13 +151,28 @@ func TestSBOM(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "license check cyclonedx json",
+			args: args{
+				input:        "testdata/fixtures/sbom/license-cyclonedx.json",
+				format:       "json",
+				artifactType: "cyclonedx",
+				scanners:     "license",
+			},
+			golden: "testdata/license-cyclonedx.json.golden",
+		},
 	}
 
 	// Set up testing DB
 	cacheDir := initDB(t)
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			scanners := "vuln"
+			if tt.args.scanners != "" {
+				scanners = tt.args.scanners
+			}
+
 			osArgs := []string{
 				"--cache-dir",
 				cacheDir,
@@ -165,6 +181,8 @@ func TestSBOM(t *testing.T) {
 				"--skip-db-update",
 				"--format",
 				tt.args.format,
+				"--scanners",
+				scanners,
 			}
 
 			// Set up the output file