Skip to content

Commit cdd4c4f

Browse files
authored
feat: deprecate --sbom in favor of just using -L (#1961)
I think the only difference between the two flags is that `--sbom` will give you an extra message if you provide a file which we fail to make to an extractor we give you an extra message about making sure to check the filename, which I actually think is arguably better with `-L` because imo you can't reasonably assume the scanner will be able to magically figure out e.g. `my.awesome.file.json` is meant to be an SBOM unlike with the current flag? This is the first of part #1960
1 parent 3b7bd34 commit cdd4c4f

5 files changed

Lines changed: 97 additions & 14 deletions

File tree

cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1010,6 +1010,7 @@ No package sources found, --help for usage information.
10101010
---
10111011

10121012
[TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names - 1]
1013+
Warning: --sbom has been deprecated in favor of -L
10131014
Failed to parse SBOM "<rootdir>/fixtures/locks-many/composer.lock" with error: could not determine extractor suitable to this file
10141015
If you believe this is a valid SBOM, make sure the filename follows format per your SBOMs specification.
10151016

@@ -1020,6 +1021,15 @@ could not determine extractor suitable to this file
10201021

10211022
---
10221023

1024+
[TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names_using_-L_flag - 1]
1025+
1026+
---
1027+
1028+
[TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names_using_-L_flag - 2]
1029+
could not determine extractor, requested spdx
1030+
1031+
---
1032+
10231033
[TestCommand/one_specific_supported_lockfile - 1]
10241034
Scanning dir ./fixtures/locks-many/composer.lock
10251035
Scanned <rootdir>/fixtures/locks-many/composer.lock file and found 1 package
@@ -1059,6 +1069,7 @@ No issues found
10591069
---
10601070

10611071
[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs - 1]
1072+
Warning: --sbom has been deprecated in favor of -L
10621073
Scanned <rootdir>/fixtures/sbom-insecure/with-duplicates.cdx.xml file and found 15 packages
10631074
Filtered 1 local/unscannable package/s from the scan.
10641075
+--------------------------------+------+-----------+---------+-----------+------------------------------------------------+
@@ -1075,7 +1086,25 @@ Filtered 1 local/unscannable package/s from the scan.
10751086

10761087
---
10771088

1089+
[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag - 1]
1090+
Scanned <rootdir>/fixtures/sbom-insecure/with-duplicates.cdx.xml file and found 15 packages
1091+
Filtered 1 local/unscannable package/s from the scan.
1092+
+--------------------------------+------+-----------+---------+-----------+------------------------------------------------+
1093+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
1094+
+--------------------------------+------+-----------+---------+-----------+------------------------------------------------+
1095+
| https://osv.dev/CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | fixtures/sbom-insecure/with-duplicates.cdx.xml |
1096+
| https://osv.dev/CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/with-duplicates.cdx.xml |
1097+
| https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/with-duplicates.cdx.xml |
1098+
+--------------------------------+------+-----------+---------+-----------+------------------------------------------------+
1099+
1100+
---
1101+
1102+
[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag - 2]
1103+
1104+
---
1105+
10781106
[TestCommand/one_specific_supported_sbom_with_invalid_PURLs - 1]
1107+
Warning: --sbom has been deprecated in favor of -L
10791108
Scanned <rootdir>/fixtures/sbom-insecure/bad-purls.cdx.xml file and found 15 packages
10801109
Filtered 7 local/unscannable package/s from the scan.
10811110
No issues found
@@ -1086,7 +1115,19 @@ No issues found
10861115

10871116
---
10881117

1118+
[TestCommand/one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag - 1]
1119+
Scanned <rootdir>/fixtures/sbom-insecure/bad-purls.cdx.xml file and found 15 packages
1120+
Filtered 7 local/unscannable package/s from the scan.
1121+
No issues found
1122+
1123+
---
1124+
1125+
[TestCommand/one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag - 2]
1126+
1127+
---
1128+
10891129
[TestCommand/one_specific_supported_sbom_with_vulns - 1]
1130+
Warning: --sbom has been deprecated in favor of -L
10901131
Scanned <rootdir>/fixtures/sbom-insecure/alpine.cdx.xml file and found 15 packages
10911132
Filtered 1 local/unscannable package/s from the scan.
10921133
+--------------------------------+------+-----------+---------+-----------+---------------------------------------+
@@ -1103,6 +1144,23 @@ Filtered 1 local/unscannable package/s from the scan.
11031144

11041145
---
11051146

1147+
[TestCommand/one_specific_supported_sbom_with_vulns_using_-L_flag - 1]
1148+
Scanned <rootdir>/fixtures/sbom-insecure/alpine.cdx.xml file and found 15 packages
1149+
Filtered 1 local/unscannable package/s from the scan.
1150+
+--------------------------------+------+-----------+---------+-----------+---------------------------------------+
1151+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
1152+
+--------------------------------+------+-----------+---------+-----------+---------------------------------------+
1153+
| https://osv.dev/CVE-2025-26519 | | Alpine | musl | 1.2.3-r4 | fixtures/sbom-insecure/alpine.cdx.xml |
1154+
| https://osv.dev/CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/alpine.cdx.xml |
1155+
| https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/alpine.cdx.xml |
1156+
+--------------------------------+------+-----------+---------+-----------+---------------------------------------+
1157+
1158+
---
1159+
1160+
[TestCommand/one_specific_supported_sbom_with_vulns_using_-L_flag - 2]
1161+
1162+
---
1163+
11061164
[TestCommand/one_specific_unsupported_lockfile - 1]
11071165
Scanning dir ./fixtures/locks-many/not-a-lockfile.toml
11081166

cmd/osv-scanner/scan/source/command.go

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -28,9 +28,14 @@ func Command(stdout, stderr io.Writer) *cli.Command {
2828
TakesFile: true,
2929
},
3030
&cli.StringSliceFlag{
31-
Name: "sbom",
32-
Aliases: []string{"S"},
33-
Usage: "scan sbom file on this path, the sbom file name must follow the relevant spec",
31+
Name: "sbom",
32+
Aliases: []string{"S"},
33+
Usage: "[DEPRECATED] scan sbom file on this path, the sbom file name must follow the relevant spec",
34+
Action: func(_ context.Context, _ *cli.Command, _ []string) error {
35+
slog.Warn("Warning: --sbom has been deprecated in favor of -L")
36+
37+
return nil
38+
},
3439
TakesFile: true,
3540
},
3641
&cli.BoolFlag{

cmd/osv-scanner/scan/source/command_test.go

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,24 +37,44 @@ func TestCommand(t *testing.T) {
3737
Args: []string{"", "source", "--config=./fixtures/osv-scanner-empty-config.toml", "--sbom", "./fixtures/sbom-insecure/alpine.cdx.xml"},
3838
Exit: 1,
3939
},
40+
{
41+
Name: "one specific supported sbom with vulns using -L flag",
42+
Args: []string{"", "source", "--config=./fixtures/osv-scanner-empty-config.toml", "-L", "./fixtures/sbom-insecure/alpine.cdx.xml"},
43+
Exit: 1,
44+
},
4045
// one specific supported sbom with vulns and invalid PURLs
4146
{
4247
Name: "one specific supported sbom with invalid PURLs",
4348
Args: []string{"", "source", "--config=./fixtures/osv-scanner-empty-config.toml", "--sbom", "./fixtures/sbom-insecure/bad-purls.cdx.xml"},
4449
Exit: 0,
4550
},
51+
{
52+
Name: "one specific supported sbom with invalid PURLs using -L flag",
53+
Args: []string{"", "source", "--config=./fixtures/osv-scanner-empty-config.toml", "-L", "./fixtures/sbom-insecure/bad-purls.cdx.xml"},
54+
Exit: 0,
55+
},
4656
// one specific supported sbom with duplicate PURLs
4757
{
4858
Name: "one specific supported sbom with duplicate PURLs",
4959
Args: []string{"", "source", "--config=./fixtures/osv-scanner-empty-config.toml", "--sbom", "./fixtures/sbom-insecure/with-duplicates.cdx.xml"},
5060
Exit: 1,
5161
},
62+
{
63+
Name: "one specific supported sbom with duplicate PURLs using -L flag",
64+
Args: []string{"", "source", "--config=./fixtures/osv-scanner-empty-config.toml", "-L", "./fixtures/sbom-insecure/with-duplicates.cdx.xml"},
65+
Exit: 1,
66+
},
5267
// one file that does not match the supported sbom file names
5368
{
5469
Name: "one file that does not match the supported sbom file names",
5570
Args: []string{"", "source", "--config=./fixtures/osv-scanner-empty-config.toml", "--sbom", "./fixtures/locks-many/composer.lock"},
5671
Exit: 127,
5772
},
73+
{
74+
Name: "one file that does not match the supported sbom file names using -L flag",
75+
Args: []string{"", "source", "--config=./fixtures/osv-scanner-empty-config.toml", "-L", "spdx:./fixtures/locks-many/composer.lock"},
76+
Exit: 127,
77+
},
5878
// one specific unsupported lockfile
5979
{
6080
Name: "one specific unsupported lockfile",

docs/scan-source.md

Lines changed: 8 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -37,17 +37,9 @@ There is a [known issue](https://github.com/google/osv-scanner/issues/209) that
3737

3838
The `--no-ignore` flag can be used to force the scanner to scan ignored files.
3939

40-
## Specify SBOM
40+
## SBOM scanning
4141

42-
If you want to check for known vulnerabilities only in dependencies in your SBOM, you can use the following command:
43-
44-
```bash
45-
osv-scanner scan source --sbom=/path/to/your/sbom.spdx.json
46-
```
47-
48-
[SPDX] and [CycloneDX] SBOMs using [Package URLs] are supported.
49-
50-
To identify the correct SBOM format, the file name must follow the SBOM specifications for each format:
42+
SBOMs will be automatically identified so long as their name follows the specification for the particular format:
5143

5244
- [SPDX Filenames]:
5345
- `*.spdx.json`
@@ -61,6 +53,12 @@ To identify the correct SBOM format, the file name must follow the SBOM specific
6153
- `bom.xml`
6254
- `*.cdx.xml`
6355

56+
```bash
57+
osv-scanner scan source -L /path/to/your/sbom.spdx.json
58+
```
59+
60+
[SPDX] and [CycloneDX] SBOMs using [Package URLs] are supported.
61+
6462
[SPDX]: https://spdx.dev/
6563
[SPDX Filenames]: https://spdx.github.io/spdx-spec/v2.3/conformance/
6664
[CycloneDX Filenames]: https://cyclonedx.org/specification/overview/#recognized-file-patterns

pkg/osvscanner/osvscanner.go

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,6 @@ import (
4040

4141
type ScannerActions struct {
4242
LockfilePaths []string
43-
SBOMPaths []string
4443
DirectoryPaths []string
4544
GitCommits []string
4645
Recursive bool
@@ -61,6 +60,9 @@ type ScannerActions struct {
6160
ScanLicensesSummary bool
6261
ScanLicensesAllowlist []string
6362

63+
// Deprecated: in favor of LockfilePaths
64+
SBOMPaths []string
65+
6466
ExperimentalScannerActions
6567
}
6668

0 commit comments

Comments
 (0)