feat(sbom): add cyclonedx sbom scan (#2203)

Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-05 20:40:16 -08:00 · 2022-07-04 02:03:21 +09:00
parent f0720f3ce5
commit 5b821d3b13
58 changed files with 3896 additions and 105 deletions
--- a/integration/sbom_test.go
+++ b/integration/sbom_test.go
@@ -0,0 +1,96 @@
+//go:build integration
+// +build integration
+
+package integration
+
+import (
+	"io"
+	"os"
+	"path/filepath"
+	"testing"
+
+	cdx "github.com/CycloneDX/cyclonedx-go"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy/pkg/commands"
+)
+
+func TestCycloneDX(t *testing.T) {
+	type args struct {
+		input        string
+		format       string
+		artifactType string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		golden string
+	}{
+		{
+			name: "centos7-bom by trivy",
+			args: args{
+				input:        "testdata/fixtures/sbom/centos-7-cyclonedx.json",
+				format:       "cyclonedx",
+				artifactType: "cyclonedx",
+			},
+			golden: "testdata/centos-7-cyclonedx.json.golden",
+		},
+		{
+			name: "fluentd-multiple-lockfiles-bom by trivy",
+			args: args{
+				input:        "testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json",
+				format:       "cyclonedx",
+				artifactType: "cyclonedx",
+			},
+			golden: "testdata/fluentd-multiple-lockfiles-cyclonedx.json.golden",
+		},
+	}
+
+	// Set up testing DB
+	cacheDir := initDB(t)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			osArgs := []string{
+				"trivy", "--cache-dir", cacheDir, "sbom", "--skip-db-update", "--format", tt.args.format,
+			}
+
+			// Setup the output file
+			outputFile := filepath.Join(t.TempDir(), "output.json")
+			if *update {
+				outputFile = tt.golden
+			}
+
+			osArgs = append(osArgs, "--output", outputFile)
+			osArgs = append(osArgs, tt.args.input)
+
+			// Setup CLI App
+			app := commands.NewApp("dev")
+			app.Writer = io.Discard
+
+			// Run "trivy sbom"
+			assert.Nil(t, app.Run(osArgs))
+
+			// Compare want and got
+			want := decodeCycloneDX(t, tt.golden)
+			got := decodeCycloneDX(t, outputFile)
+			assert.Equal(t, want, got)
+		})
+	}
+}
+
+func decodeCycloneDX(t *testing.T, filePath string) *cdx.BOM {
+	f, err := os.Open(filePath)
+	require.NoError(t, err)
+	defer f.Close()
+
+	bom := cdx.NewBOM()
+	decoder := cdx.NewBOMDecoder(f, cdx.BOMFileFormatJSON)
+	err = decoder.Decode(bom)
+	require.NoError(t, err)
+
+	bom.Metadata.Timestamp = ""
+
+	return bom
+}