[SP-2874] feat: add licenses sub-command, add support for ingesting CDX, add CDX input validation (#131)

* [SP-2874] feat: add licenses sub-command, add support for ingesting CDX, add CDX input validation

* [SP-2874] feat: support CDX input file in crypto decoration commands

* [SP-2874] chore: update dependency versions, refactor to reduce method complexity

* [SP-2874] chore: use python 3.9 in all workflows

* [SP-2874] chore: update protobuf

* [SP-2874] chore: update all remaining protobufs

* [SP-2874] chore: bump version

* [SP-2874] chore: update changelog, documentation and dockerfile

* [SP-2874] chore: update scanoss.json

* [SP-2874] chore: update scanoss.json

* [SP-2874] chore: update changelog and version

* [SP-2991] fix: update to papi latest definitions

* [SP-2874] chore: update version and changelog

* [SP-2874] fix: adapt for new components request

* [SP-2874] feat: add REST support for licenses endpoint

* [SP-2874] chore: update workflow python version

* [SP-2874] fix: scancode dockerfile execution

* [SP-2874] chore: update pkg requirements

* [SP-2874] chore: fix click version as workaround for scancode-toolkit-mini

* [SP-2874] chore: add api key on github workflows

* [SP-2874] chore: add api key on github workflows

* add api key

* env cleanup

---------

Co-authored-by: eeisegn <[email protected]>

Author: matiasdaloia

.github/workflows/container-local-test.yml

@@ -5,10 +5,10 @@ on:
   workflow_dispatch:
   push:
     branches:
-      - 'main'
+      - "main"
   pull_request:
     branches:
-      - 'main'
+      - "main"
 
 env:
   IMAGE_BASE: scanoss/scanoss-py-base
@@ -27,7 +27,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.9.x'
+          python-version: "3.9.x"
 
       - name: Install Dependencies
         run: |
@@ -91,10 +91,11 @@ jobs:
           docker image ls -a
           docker run ${{ env.IMAGE_NAME }} version
           docker run ${{ env.IMAGE_NAME }} utils fast
-          docker run -v "$(pwd)":"/scanoss" ${{ env.IMAGE_NAME }} scan -o results.json tests
+          docker run -e SCANOSS_API_KEY="${{ secrets.SC_API_KEY }}" -v "$(pwd)":"/scanoss" ${{ env.IMAGE_NAME }} scan -o results.json tests
           id_count=$(cat results.json | grep '"id":' | wc -l)
           echo "ID Count: $id_count"
           if [[ $id_count -lt 1 ]]; then
             echo "Error: Scan test did not produce any results. Failing"
             exit 1
           fi
+

.github/workflows/container-publish-ghcr.yml

@@ -30,7 +30,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.9.x"
+          python-version: '3.9.x'
 
       - name: Install Dependencies
         run: |
@@ -130,7 +130,7 @@ jobs:
           docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
           docker run ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} version
           docker run ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} utils fast
-          docker run -v "$(pwd)":"/scanoss" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} scan -o results.json tests
+          docker run -e SCANOSS_API_KEY="${{ secrets.SC_API_KEY }}" -v "$(pwd)":"/scanoss" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} scan -o results.json tests
           id_count=$(cat results.json | grep '"id":' | wc -l)
           echo "ID Count: $id_count"
           if [[ $id_count -lt 1 ]]; then

.github/workflows/python-local-test.yml

@@ -13,6 +13,9 @@ on:
 permissions:
   contents: read
 
+env:
+  SCANOSS_API_KEY: ${{ secrets.SC_API_KEY }}
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -71,6 +74,7 @@ jobs:
             echo "Error: Scan test did not produce any results. Failing"
             exit 1
           fi
+      
 
       - name: Run Tests HPSM (fast winnowing)
         run: |
@@ -85,6 +89,7 @@ jobs:
             echo "Error: WFP test did not produce any results. Failing"
             exit 1
           fi
+      
 
       - name: Run Unit Tests
         run: |

.github/workflows/python-publish-pypi.yml

@@ -7,6 +7,9 @@ on:
     tags:
       - "v*.*.*"
 
+env:
+  SCANOSS_API_KEY: ${{ secrets.SC_API_KEY }}
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
@@ -16,7 +19,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.9.x"
+          python-version: '3.9.x'
 
       - name: Install dependencies
         run: |
@@ -70,7 +73,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.9.x"
+          python-version: '3.9.x'
 
       - name: Install Remote Package
         uses: nick-fields/retry@v3

.github/workflows/python-publish-testpypi.yml

@@ -6,6 +6,9 @@ on: [workflow_dispatch]
 permissions:
   contents: read
 
+env:
+  SCANOSS_API_KEY: ${{ secrets.SC_API_KEY }}
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
@@ -15,7 +18,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.9.x"
+          python-version: '3.9.x'
 
       - name: Install Dependencies
         run: |
@@ -65,7 +68,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.9.x"
+          python-version: '3.9.x'
 
       - name: Install Remote Package
         run: |

.github/workflows/version-tag.yml

@@ -23,7 +23,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.9.x"
+          python-version: '3.9.x'
       - name: Determine Tag
         id: taggerVersion
         run: |

CHANGELOG.md

@@ -9,6 +9,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Upcoming changes...
 
+## [1.33.0] - 2025-09-19
+### Added
+- Add `licenses` sub-command to `component` command
+- Add support for ingesting CDX to all decoration commands
+- Add CDX input validation
+
 ## [1.32.0] - 2025-09-01
 ### Added
 - Switched vulnerability and dependency APIs to use REST by default
@@ -176,7 +182,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [1.20.2] - 2025-02-26
 ### Fixed
-- Fixed provenance command 
+- Fixed provenance command
 
 ## [1.20.1] - 2025-02-18
 ### Added
@@ -238,7 +244,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.17.5] - 2024-11-12
 ### Fixed
 - Fix dependencies scan result structure
-  
+
 ## [1.17.4] - 2024-11-08
 ### Fixed
 - Fix backslashes in file paths on Windows
@@ -255,7 +261,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Added supplier to SPDX packages
 ### Changed
-- Changed undeclared summary output 
+- Changed undeclared summary output
 
 ## [1.17.1] - 2024-10-24
 ### Fixed
@@ -288,7 +294,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Added support for Python3.12
 - Module `pkg_resources` has been replaced with `importlib_resources`
-- Added support for UTF-16 filenames 
+- Added support for UTF-16 filenames
 
 ## [1.13.0] - 2024-06-05
 ### Added
@@ -367,11 +373,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.6.0] - 2023-06-16
 ### Added
 - Added support for High Precision Snippet Matching (`--hpsm` or `-H`) while scanning
-  - `scanoss-py scan --hpsm ...` 
+  - `scanoss-py scan --hpsm ...`
 
 ## [1.5.2] - 2023-06-13
 ### Added
-- Added retry limit option (`--retry`) while scanning 
+- Added retry limit option (`--retry`) while scanning
   - `--retry 0` will fail immediately
 
 ## [1.5.1] - 2023-04-21
@@ -660,4 +666,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [1.31.3]: https://github.com/scanoss/scanoss.py/compare/v1.31.2...v1.31.3
 [1.31.4]: https://github.com/scanoss/scanoss.py/compare/v1.31.3...v1.31.4
 [1.31.5]: https://github.com/scanoss/scanoss.py/compare/v1.31.4...v1.31.5
-[1.31.5]: https://github.com/scanoss/scanoss.py/compare/v1.31.5...v1.32.0
+[1.32.0]: https://github.com/scanoss/scanoss.py/compare/v1.31.5...v1.32.0
+[1.33.0]: https://github.com/scanoss/scanoss.py/compare/v1.32.0...v1.33.0

CLIENT_HELP.md

@@ -337,6 +337,44 @@ The following command provides the capability to search the SCANOSS KB for compo
 scanoss-py comp prov -p "pkg:github/unoconv/unoconv" --origin
 ```
 
+#### Component Licenses
+The following command provides the capability to search the SCANOSS KB for licenses for Open Source components:
+```bash
+scanoss-py comp licenses -p "pkg:github/jquery/jquery" -p "pkg:npm/express"
+```
+It is possible to supply multiple PURLs by repeating the `-p pkg` option, or providing a purl input file `-i purl-input.json` ([for example](tests/data/purl-input.json)):
+```bash
+scanoss-py comp licenses -i purl-input.json -o component-licenses.json
+```
+
+The licenses command also supports CycloneDX (CDX) input files. You can provide a CycloneDX SBOM file and retrieve license information for all components:
+```bash
+scanoss-py comp licenses -i cyclonedx-sbom.json -o component-licenses.json
+```
+
+### CDX Input Support for Component Commands
+Several component commands now support CycloneDX (CDX) input files. This allows you to analyze components from existing SBOM files:
+
+**Supported commands with CDX input:**
+- `comp vulns` - Analyze vulnerabilities from CDX file
+- `comp licenses` - Retrieve licenses from CDX file  
+- `comp crypto` - Detect cryptographic algorithms from CDX file
+- `comp semgrep` - Find semgrep issues from CDX file
+
+**Example using CDX input:**
+```bash
+# Analyze vulnerabilities from a CycloneDX SBOM
+scanoss-py comp vulns -i sbom.cdx.json -o vulnerabilities.json
+
+# Get licenses for all components in a CycloneDX SBOM
+scanoss-py comp licenses -i sbom.cdx.json -o licenses.json
+
+# Detect cryptographic usage from CDX
+scanoss-py comp crypto -i sbom.cdx.json -o crypto-findings.json
+```
+
+The CDX input file is automatically validated to ensure it's a valid CycloneDX format before processing.
+
 
 ### Results Commands
 The `results` command provides the capability to operate on scan results. For example:

Dockerfile

@@ -29,6 +29,7 @@ RUN pip3 install --no-cache-dir /install/scanoss-*-py3-none-any.whl
 RUN pip3 install --no-cache-dir scanoss_winnowing
 RUN pip3 install --no-cache-dir -r /install/requirements-dev.txt
 RUN pip3 install --no-cache-dir scancode-toolkit-mini
+RUN pip3 install --no-cache-dir click==8.2.1 # Temporary workaround for scancode-toolkit-mini (https://github.com/aboutcode-org/scancode-toolkit/issues/4573)
 
 # Download compile and install typecode-libmagic from source (as there is not ARM wheel available)
 ADD https://github.com/nexB/typecode_libmagic_from_sources/archive/refs/tags/v5.39.210212.tar.gz /install/
@@ -66,7 +67,7 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh |
 # Setup working directory and user
 WORKDIR /scanoss
 # Run scancode once to setup any initial files, etc. so that it'll run faster later
-RUN scancode -p --only-findings --quiet --json /scanoss/scancode-dependencies.json /scanoss && rm -f /scanoss/scancode-dependencies.json
+RUN scancode --package --only-findings --quiet --json /scanoss/scancode-dependencies.json /scanoss && rm -f /scanoss/scancode-dependencies.json
 
 # Image with no default entry point
 FROM no_entry_point AS jenkins

requirements.txt

@@ -2,8 +2,9 @@ requests
 crc32c>=2.2
 binaryornot
 progress
-grpcio>1.42.0
-protobuf>3.19.1
+grpcio>=1.73.1
+protobuf>=6.3.1
+protoc-gen-openapiv2
 pypac
 urllib3
 pyOpenSSL
@@ -13,5 +14,4 @@ packageurl-python
 pathspec
 jsonschema
 crc
-protoc-gen-openapiv2
 cyclonedx-python-lib[validation]