feat(report): add support for SPDX (#2059)

Co-authored-by: knqyf263 <knqyf263@gmail.com>

pkg/commands/app.go

@@ -816,7 +816,7 @@ func NewSbomCommand() *cli.Command {
 				Name:    "sbom-format",
 				Aliases: []string{"format"},
 				Value:   "cyclonedx",
-				Usage:   "SBOM format (cyclonedx)",
+				Usage:   "SBOM format (cyclonedx, spdx, spdx-json)",
 				EnvVars: []string{"TRIVY_SBOM_FORMAT"},
 			},
 		},

pkg/commands/option/report.go

@@ -5,13 +5,13 @@ import (
 	"os"
 	"strings"
 
-	"github.com/aquasecurity/trivy/pkg/types"
-
 	"github.com/urfave/cli/v2"
 	"go.uber.org/zap"
+	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 // ReportOption holds the options for reporting scan results
@@ -137,8 +137,8 @@ func (c *ReportOption) populateSecurityChecks() error {
 }
 
 func (c *ReportOption) forceListAllPkgs(logger *zap.SugaredLogger) bool {
-	if c.Format == "cyclonedx" && !c.ListAllPkgs {
-		logger.Debugf("'--format cyclonedx' automatically enables '--list-all-pkgs'.")
+	if slices.Contains(supportedSbomFormats, c.Format) && !c.ListAllPkgs {
+		logger.Debugf("'cyclonedx', 'spdx', and 'spdx-json' automatically enables '--list-all-pkgs'.")
 		return true
 	}
 	return false

pkg/commands/option/report_test.go

@@ -103,7 +103,7 @@ func TestReportReportConfig_Init(t *testing.T) {
 			},
 			args: []string{"centos:7"},
 			logs: []string{
-				"'--format cyclonedx' automatically enables '--list-all-pkgs'.",
+				"'cyclonedx', 'spdx', and 'spdx-json' automatically enables '--list-all-pkgs'.",
 				"Severities: CRITICAL",
 			},
 			want: ReportOption{

pkg/commands/option/sbom.go

@@ -8,7 +8,7 @@ import (
 	"go.uber.org/zap"
 )
 
-var supportedSbomFormats = []string{"cyclonedx"}
+var supportedSbomFormats = []string{"cyclonedx", "spdx", "spdx-json"}
 
 // SbomOption holds the options for SBOM generation
 type SbomOption struct {