Merge branch 'main' into 1730-sca-integrations-osv

Author: tdruez

.github/workflows/sca-integration-cdxgen.yml

@@ -0,0 +1,54 @@
+name: Generate SBOM with CycloneDX cdxgen and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using CycloneDX cdxgen.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_REFERENCE: "python:3.13.0-slim"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Install CycloneDX cdxgen
+        run: npm install @cyclonedx/cdxgen
+
+      - name: Generate SBOM with CycloneDX cdxgen
+        run: |
+          npx cdxgen ${{ env.IMAGE_REFERENCE }} \
+            --type docker \
+            --output cdxgen-sbom.cdx.json \
+            --spec-version 1.6 \
+            --json-pretty
+
+      - name: Upload SBOM as GitHub Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: cdxgen-sbom
+          path: "cdxgen-sbom.cdx.json"
+          retention-days: 20
+
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "cdxgen-sbom.cdx.json"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 340; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() == 0"

.github/workflows/sca-integration-depscan.yml

@@ -0,0 +1,59 @@
+name: Generate SBOM with OWASP dep-scan and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using OWASP dep-scan.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_REFERENCE: "python:3.13.0-slim"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Install OWASP dep-scan
+        run: |
+          sudo npm install -g @cyclonedx/cdxgen
+          pip install owasp-depscan
+
+      - name: Generate SBOM with OWASP dep-scan
+        run: |
+          depscan \
+            --src ${{ env.IMAGE_REFERENCE }} \
+            --type docker \
+            --reports-dir reports \
+            --explain
+
+      - name: Upload SBOM as GitHub Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: depscan-sbom
+          path: reports/
+          retention-days: 20
+
+      - name: Uninstall dep-scan to avoid conflicts in the Python env
+        run: pip uninstall --yes owasp-depscan
+
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "reports/sbom-docker.vdr.json"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 220; assert package_manager.vulnerable().count() > 10; assert DiscoveredDependency.objects.count() > 150"

.github/workflows/sca-integration-sbom-tool.yml

@@ -0,0 +1,60 @@
+name: Generate SBOM with SBOM tool and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using SBOM tool.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_REFERENCE: "python:3.13.0-slim"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Download SBOM tool
+      run: |
+        curl -Lo $RUNNER_TEMP/sbom-tool https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64
+        chmod +x $RUNNER_TEMP/sbom-tool
+
+    - name: Generate SBOM with SBOM tool
+      run: |
+        mkdir -p sbom-output
+        $RUNNER_TEMP/sbom-tool generate \
+          -di ${{ env.IMAGE_REFERENCE }} \
+          -pn DockerImage \
+          -pv 1.0.0 \
+          -ps Company \
+          -nsb https://sbom.company.com \
+          -m sbom-output \
+          -V Verbose
+
+    - name: Upload SBOM artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: sbom-output
+        path: sbom-output
+
+    - name: Import SBOM into ScanCode.io
+      uses: aboutcode-org/scancode-action@main
+      with:
+        pipelines: "load_sbom"
+        inputs-path: "sbom-output/_manifest/spdx_2.2/manifest.spdx.json"
+        scancodeio-repo-branch: "main"
+
+    - name: Verify SBOM Analysis Results in ScanCode.io
+      shell: bash
+      run: |
+        scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() > 90; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() > 90"

CHANGELOG.rst

@@ -1,6 +1,12 @@
 Changelog
 =========
 
+v35.4.0 (unreleased)
+--------------------
+
+- Resolve and load dependencies from SPDX SBOMs.
+  https://github.com/aboutcode-org/scancode.io/issues/1145
+
 v35.3.0 (2025-08-20)
 --------------------
 

docs/faq.rst

@@ -363,3 +363,21 @@ The input to ScanCode is a local saved image: Docker or OCI.
 Docker in Docker support will demand to have access to the saved images
 (either extracted from the Docker images in Docker, or mounted in a volume or saved
 from the Docker in the Docker image). Once saved we can analyze these alright.
+
+Can I import SBOM from other SCA tools?
+---------------------------------------
+
+Yes! You can load SBOMs generated by other tools for further review and run
+pipelines to enrich or validate the data directly in ScanCode.io.
+
+While most valid SBOMs should work out of the box, SBOMs from the following tools
+are actively supported and tested::
+
+  - Anchore: https://anchore.com/sbom/
+  - CycloneDX cdxgen: https://cyclonedx.github.io/cdxgen/
+  - OWASP dep-scan: https://owasp.org/www-project-dep-scan/
+  - Trivy: https://trivy.dev/latest/
+
+.. note:: Imported SBOMs must follow the SPDX or CycloneDX standards, in JSON format.
+   You can use the ``load-sbom`` pipeline to process and enhance these SBOMs in your
+   ScanCode.io projects.

scanpipe/pipelines/load_sbom.py

@@ -20,6 +20,7 @@
 # ScanCode.io is a free software code scanning tool from nexB Inc. and others.
 # Visit https://github.com/aboutcode-org/scancode.io for support and download.
 
+from scanpipe.models import DiscoveredDependency
 from scanpipe.pipelines.scan_codebase import ScanCodebase
 from scanpipe.pipes import resolve
 
@@ -44,7 +45,7 @@ def steps(cls):
             cls.flag_empty_files,
             cls.flag_ignored_resources,
             cls.get_sbom_inputs,
-            cls.get_packages_from_sboms,
+            cls.get_data_from_sboms,
             cls.create_packages_from_sboms,
             cls.create_dependencies_from_sboms,
         )
@@ -53,13 +54,13 @@ def get_sbom_inputs(self):
         """Locate all the SBOMs among the codebase resources."""
         self.manifest_resources = resolve.get_manifest_resources(self.project)
 
-    def get_packages_from_sboms(self):
-        """Get packages data from SBOMs."""
-        self.packages = resolve.get_packages(
+    def get_data_from_sboms(self):
+        """Get data from SBOMs."""
+        self.packages, self.dependencies = resolve.get_data_from_manifests(
             project=self.project,
             package_registry=resolve.sbom_registry,
             manifest_resources=self.manifest_resources,
-            model="get_packages_from_sboms",
+            model="get_data_from_sboms",
         )
 
     def create_packages_from_sboms(self):
@@ -71,4 +72,12 @@ def create_packages_from_sboms(self):
 
     def create_dependencies_from_sboms(self):
         """Create the dependency relationship declared in the SBOMs."""
+        # CycloneDX support: the dependency data is stored in ``extra_data``.
         resolve.create_dependencies_from_packages_extra_data(project=self.project)
+
+        # SPDX support: the dependency data is loaded from ``self.dependencies``.
+        for dependency_data in self.dependencies:
+            DiscoveredDependency.create_from_data(
+                project=self.project,
+                dependency_data=dependency_data,
+            )

scanpipe/pipelines/resolve_dependencies.py

@@ -84,7 +84,7 @@ def get_packages_from_manifest(self):
         Resolve package data from lockfiles/requirement files with package
         requirements/dependencies.
         """
-        self.resolved_packages = resolve.get_packages(
+        self.packages, self.dependencies = resolve.get_data_from_manifests(
             project=self.project,
             package_registry=resolve.resolver_registry,
             manifest_resources=self.manifest_resources,
@@ -99,6 +99,6 @@ def create_resolved_packages(self):
         """
         resolve.create_packages_and_dependencies(
             project=self.project,
-            packages=self.resolved_packages,
+            packages=self.packages,
             resolved=True,
         )

scanpipe/pipes/cyclonedx.py

@@ -79,7 +79,9 @@ def get_external_references(component):
 
     references = defaultdict(list)
     for reference in external_references:
-        references[reference.type.value].append(reference.url.uri)
+        reference_url = reference.url
+        if reference_url and reference_url.uri:
+            references[reference.type.value].append(reference_url.uri)
 
     return dict(references)
 
@@ -158,12 +160,9 @@ def cyclonedx_component_to_package_data(
     vulnerabilities = vulnerabilities or {}
     extra_data = {}
 
-    # Store the original bom_ref and dependencies for future processing.
     bom_ref = str(cdx_component.bom_ref)
-    if bom_ref:
-        extra_data["bom_ref"] = bom_ref
-        if depends_on := dependencies.get(bom_ref):
-            extra_data["depends_on"] = depends_on
+    if depends_on := dependencies.get(bom_ref):
+        extra_data["depends_on"] = depends_on
 
     package_url_dict = {}
     if cdx_component.purl:
@@ -189,6 +188,8 @@ def cyclonedx_component_to_package_data(
             )
 
     package_data = {
+        # Store the original "bom_ref" as package_uid for dependencies resolution.
+        "package_uid": bom_ref,
         "name": cdx_component.name,
         "extracted_license_statement": declared_license,
         "copyright": cdx_component.copyright,

scanpipe/pipes/output.py

@@ -671,6 +671,28 @@ def _get_spdx_extracted_licenses(license_expressions):
     return extracted_licenses
 
 
+def get_dependency_as_spdx_relationship(dependency, document_spdx_id, packages_as_spdx):
+    """Return a spdx.Relationship crafted from the provided ``dependency`` instance."""
+    if dependency.for_package:  # Package dependency
+        parent_id = dependency.for_package.spdx_id
+    else:  # Project dependency
+        parent_id = document_spdx_id
+
+    if dependency.is_resolved_to_package:  # Resolved to a Package
+        child_id = dependency.resolved_to_package.spdx_id
+    else:  # Not resolved to a Package (only package_url value is available)
+        dependency_as_package = dependency.as_spdx_package()
+        packages_as_spdx.append(dependency_as_package)
+        child_id = dependency_as_package.spdx_id
+
+    spdx_relationship = spdx.Relationship(
+        spdx_id=child_id,
+        related_spdx_id=parent_id,
+        relationship="DEPENDENCY_OF",
+    )
+    return spdx_relationship
+
+
 def to_spdx(project, include_files=False):
     """
     Generate output for the provided ``project`` in SPDX document format.
@@ -682,6 +704,7 @@ def to_spdx(project, include_files=False):
     discoveredpackage_qs = get_queryset(project, "discoveredpackage")
     discovereddependency_qs = get_queryset(project, "discovereddependency")
 
+    document_spdx_id = f"SPDXRef-DOCUMENT-{project.uuid}"
     packages_as_spdx = []
     license_expressions = []
     relationships = []
@@ -692,15 +715,12 @@ def to_spdx(project, include_files=False):
             license_expressions.append(license_expression)
 
     for dependency in discovereddependency_qs:
-        packages_as_spdx.append(dependency.as_spdx_package())
-        if dependency.for_package:
-            relationships.append(
-                spdx.Relationship(
-                    spdx_id=dependency.spdx_id,
-                    related_spdx_id=dependency.for_package.spdx_id,
-                    relationship="DEPENDENCY_OF",
-                )
-            )
+        spdx_relationship = get_dependency_as_spdx_relationship(
+            dependency,
+            document_spdx_id,
+            packages_as_spdx,
+        )
+        relationships.append(spdx_relationship)
 
     files_as_spdx = []
     if include_files:
@@ -710,6 +730,7 @@ def to_spdx(project, include_files=False):
         ]
 
     document = spdx.Document(
+        spdx_id=document_spdx_id,
         name=f"scancodeio_{project.name}",
         namespace=f"https://scancode.io/spdxdocs/{project.uuid}",
         creation_info=spdx.CreationInfo(tool=f"ScanCode.io-{scancodeio_version}"),