[CRAVEX] SCA Integrations: OSV-Scanner (#1730)

Signed-off-by: tdruez <[email protected]>

Author: tdruez

.github/workflows/sca-integration-osv-scanner.yml

@@ -0,0 +1,59 @@
+name: Generate SBOM with OSV-Scanner and load into ScanCode.io
+
+# This workflow:
+#  1. Generates a CycloneDX SBOM for a container image using OSV-Scanner.
+#  2. Uploads the SBOM as a GitHub artifact for future inspection.
+#  3. Loads the SBOM into ScanCode.io for further analysis.
+#  4. Runs assertions to verify that the SBOM was properly processed in ScanCode.io.
+#
+# It runs on demand, and once a week (scheduled).
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run once a week (every 7 days) at 00:00 UTC on Sunday
+    - cron: "0 0 * * 0"
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_REFERENCE: "python:3.13.0-slim"
+
+jobs:
+  generate-and-load-sbom:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Install OSV-Scanner
+        run: |
+          curl -sLO https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
+          chmod +x osv-scanner_linux_amd64
+          sudo mv osv-scanner_linux_amd64 /usr/local/bin/osv-scanner
+
+      - name: Run OSV Scanner
+        # Using `|| true` as OSV-Scanner exits with code 1 when vulnerabilities are found.
+        run: |
+          osv-scanner scan image ${{ env.IMAGE_REFERENCE }} \
+            --all-packages \
+            --format spdx-2-3 \
+            --output osv-sbom.spdx.json \
+            || true
+
+      - name: Upload SBOM as GitHub Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: osv-scanner-sbom-report
+          path: osv-sbom.spdx.json
+          retention-days: 20
+
+      - name: Import SBOM into ScanCode.io
+        uses: aboutcode-org/scancode-action@main
+        with:
+          pipelines: "load_sbom"
+          inputs-path: "osv-sbom.spdx.json"
+          scancodeio-repo-branch: "main"
+
+      - name: Verify SBOM Analysis Results in ScanCode.io
+        shell: bash
+        run: |
+          scanpipe shell --command "from scanpipe.models import DiscoveredPackage, DiscoveredDependency; package_manager = DiscoveredPackage.objects; assert package_manager.count() >= 100; assert package_manager.vulnerable().count() == 0; assert DiscoveredDependency.objects.count() >= 100"

docs/faq.rst

@@ -376,8 +376,10 @@ are actively supported and tested::
   - Anchore: https://anchore.com/sbom/
   - CycloneDX cdxgen: https://cyclonedx.github.io/cdxgen/
   - OWASP dep-scan: https://owasp.org/www-project-dep-scan/
-  - Trivy: https://trivy.dev/latest/
+  - SBOM tool: https://github.com/microsoft/sbom-tool/
+  - Trivy: https://trivy.dev/
+  - OSV-Scanner: https://osv.dev/
 
 .. note:: Imported SBOMs must follow the SPDX or CycloneDX standards, in JSON format.
-   You can use the ``load-sbom`` pipeline to process and enhance these SBOMs in your
+   You can use the ``load_sbom`` pipeline to process and enhance these SBOMs in your
    ScanCode.io projects.

scanpipe/pipes/resolve.py

@@ -408,6 +408,9 @@ def resolve_spdx_dependencies(input_location):
     return [
         spdx_relationship_to_dependency_data(spdx_relationship)
         for spdx_relationship in spdx_relationships
+        if spdx_relationship.spdx_id != "NOASSERTION"
+        and spdx_relationship.related_spdx_id != "NOASSERTION"
+        and spdx_relationship.relationship != "DESCRIBES"
     ]