feat(sbom): Support license detection for SBOM scan

[bedla]

Description

Hi, I find out that when scanning SBOM files I am not able to select License scanner, only Vulnerability scannes is available. I dig little bit in source code and it looks trivial - from high level.
What do you think about this change.
If you will guide me to tests I should write or other parts/use-cases I should test and fix, I can update it. I will also polish commits, PR title, and all the stuff required :)
Thx
Ivos

note: I have also started conversation here #6073

Issue

• Close Support license detection for SBOM scan #6257

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[knqyf263]

Looks good. Can you please test it @DmitriyLewen?

[DmitriyLewen]

Hello @bedla
Thanks for your work.

You can read about PR title here - https://aquasecurity.github.io/trivy/v0.49/community/contribute/pr/#title

I left some comments. Take a look, please.
Can you also update docs:

• trivy/docs/docs/scanner/license.md

  Line 35 in 428420e

  | Standard | ✅ | ✅ | - | - |

• trivy/docs/docs/target/sbom.md

  Line 3 in 428420e

  Trivy can take the following SBOM formats as an input and scan for vulnerabilities.

About tests - i think we can add 1 more testcase in integration sbom test:
add scanner to args, scan licenses for testdata/fixtures/sbom/centos-7-cyclonedx.json and create new golden file.

[bedla]

Sure, I will take a look and make changes.

[bedla]

On my Maven test project I have generated integration/testdata/fixtures/sbom/license-cyclonedx.json file with command trivy fs --format cyclonedx --output result.json C:\Users\bedla.czech\IdeaProjects\sbom-demo.

Mind that golden file integration/testdata/license-cyclonedx.json.golden has all Licenses marked as UNKNOWN.
With deeper investigation I found out that it is because my Maven test project dependencies does not identify licenses using SPDX License ID.

I did more deeper investigation because Cyclone DX Maven plugin is identifying License ID at most cases correctly. What I found is that they use mapping file https://github.com/CycloneDX/cyclonedx-core-java/blob/master/src/main/resources/license-mapping.json to find those License IDs.

I think that new PR should be created to implement similar concept like they do. What do you think?

[DmitriyLewen]

We already have mapping -

trivy/pkg/licensing/normalize.go

Lines 8 to 14 in 8221473

	var mapping = map[string]string{
	// GPL
	"GPL-1": GPL10,
	"GPL-1+": GPL10,
	"GPL 1.0": GPL10,
	"GPL 1": GPL10,
	"GPL2": GPL20,

.
But it looks like we need to supplement our map with pairs from cycledx-core-java.

[christiankofler]

This is really a great improvement! Just to be sure: will license scanning on SBOM also work for SPDX json with this PR? If not, this would be another great improvement for trivy.

[DmitriyLewen]

@christiankofler It should work for all supported SBOM formats

[knqyf263]

@bedla Do you have time to wrap it up? If not, we can take care of this PR.

[bedla]

sorry, I was on vacations last week. I will finish it this week.

[bedla]

Hi, I have force pushed new changes to my branch (sorry for delay).
No thing to note is that it seems to https://github.com/CycloneDX/cyclonedx-core-java/blob/master/src/main/resources/license-mapping.json has more heuristic capabilities then Trivy has. So, I copied definition that I was sure that we can map to Trivy definition - other I left intact.

[DmitriyLewen]

Hello @bedla

Left comments.
Also pay attention to integration tests. integration/client_server_test.go is now broken.

[bedla]

ahh, sorry ... will fix it asap.
(note: it is hard to work with mage on windows, and also for some reason first compilation after some time is super-super slow => from time to time I am trying to find root causes on my local machine)

[bedla]

all the stuff should be fixed

[bedla]

hmm, interesting that test is not failing on my local machine ... will check it.

[bedla]

I have force pushed fixes, now it should be ok.

[DmitriyLewen]

@bedla Thanks for your work!

@knqyf263 Take a look, when you have time, please.

[bedla]

@DmitriyLewen you are welcome, I am happy to help :)