Merge pull request #115 from scanoss/feature/mdaloia/es-213-add-container-scanning

feat: ES-213 Add container scanning

Author: matiasdaloia

CHANGELOG.md

@@ -9,6 +9,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Upcoming changes...
 
+## [1.22.0] - 2025-04-23
+### Added
+- Add `container-scan` subcommand to scan container images.
+- Add `--container` flag to `dependency` subcommand to scan dependencies in container images.
+### Modified
+- Refactor CLI argument handling for output and format options.
+### Fixed
+- Fixed issue with wfp command where settings file was being loaded from the cwd instead of the scan root directory
+
 ## [1.21.0] - 2025-03-27
 ### Added
 - Add folder-scan subcommand
@@ -498,4 +507,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [1.20.4]: https://github.com/scanoss/scanoss.py/compare/v1.20.3...v1.20.4
 [1.20.5]: https://github.com/scanoss/scanoss.py/compare/v1.20.4...v1.20.5
 [1.20.6]: https://github.com/scanoss/scanoss.py/compare/v1.20.5...v1.20.6
-[1.21.0]: https://github.com/scanoss/scanoss.py/compare/v1.20.6...v1.21.0
+[1.21.0]: https://github.com/scanoss/scanoss.py/compare/v1.20.6...v1.21.0
+[1.22.0]: https://github.com/scanoss/scanoss.py/compare/v1.21.0...v1.22.0

CLIENT_HELP.md

@@ -163,6 +163,11 @@ The dependency files of a project can be fingerprinted/parsed using the `dep` co
 scanoss-py dep -o src-deps.json src
 ```
 
+You can also analyze dependencies from a container image using the `--container` flag:
+```bash
+scanoss-py dep --container ubuntu:latest -o container-deps.json
+```
+
 This parsed dependency file can then be sent to the SCANOSS for decoration using the scanning command:
 ```bash
 scanoss-py scan --dep src-deps.json --dependencies-only -o scan-results.json
@@ -429,4 +434,13 @@ The new `folder-scan` subcommand performs a comprehensive scan on an entire dire
 **Usage:**
 ```shell
 scanoss-py folder-scan /path/to/folder -o folder-scan-results.json 
-```
+```
+
+### Container-Scan a Docker Image
+
+The `container-scan` subcommand allows you to scan Docker container images for dependencies. This command extracts and analyzes dependencies from container images, helping you identify open source components within containerized applications.
+
+**Usage:**
+```shell
+scanoss-py container-scan image_name:tag -o container-scan-results.json
+```

Dockerfile

@@ -10,9 +10,9 @@ FROM base AS builder
 
 # Setup the required build tooling
 RUN apt-get update \
- && apt-get install -y --no-install-recommends build-essential gcc \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    && apt-get install -y --no-install-recommends build-essential gcc \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 # Create and activate virtual environment
 RUN python -m venv /opt/venv
@@ -56,9 +56,12 @@ ENV GRPC_POLL_STRATEGY=poll
 
 # Install jq and curl commands
 RUN apt-get update \
- && apt-get install -y --no-install-recommends jq curl \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    && apt-get install -y --no-install-recommends jq curl \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Install syft
+RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
 
 # Setup working directory and user
 WORKDIR /scanoss

docs/source/index.rst

@@ -174,6 +174,8 @@ Scan source code for dependencies, but do not decorate them.
      - Description
    * - --output <file name>, -o <file name>
      - Output result file name (optional - default STDOUT)
+   * - --container <image_name:tag>
+     - Analyze dependencies from a Docker container image instead of a directory
    * - --sc-command SC_COMMAND
      - Scancode command and path if required (optional - default scancode)
    * - --sc-timeout SC_TIMEOUT
@@ -301,6 +303,39 @@ Both commands also support these general options:
    * --trace, -t: Enable trace messages
    * --quiet, -q: Enable quiet mode
 
+------------------------------------
+Container Scanning: container-scan, cs
+------------------------------------
+
+Scans Docker container images for dependencies, extracting and analyzing components within containerized applications.
+
+.. code-block:: bash
+
+   scanoss-py container-scan -i <image_name:tag>
+
+.. list-table:: 
+   :widths: 20 30
+   :header-rows: 1
+
+   * - Argument
+     - Description
+   * - --image <image_name:tag>, -i <image_name:tag>
+     - Docker image name and tag to scan (required)
+   * - --output <file name>, -o <file name>
+     - Output result file name (optional - default STDOUT)
+   * - --include-base-image
+     - Include base image dependencies in the scan results
+   * - --format <format>, -f <format>
+     - Output format: {json} (optional - default json)
+   * - --timeout <seconds>, -M <seconds>
+     - Timeout in seconds for API communication (optional - default 600)
+   * - --key <token>, -k <token>
+     - SCANOSS API Key token (optional - not required for default OSSKB URL)
+   * - --proxy <url>
+     - Proxy URL to use for connections
+   * - --ca-cert <file>
+     - Alternative certificate PEM file
+
 -----------------
 Component:
 -----------------
@@ -434,4 +469,4 @@ The Scanoss Open Source scanoss-py package is released under the MIT license.
 
    SCANOSS Website <https://www.scanoss.com/>
    GitHub <https://github.com/scanoss>
-   Software transparency foundation <https://www.softwaretransparency.org/>
+   Software transparency foundation <https://www.softwaretransparency.org/>

src/scanoss/__init__.py

@@ -22,4 +22,4 @@
   THE SOFTWARE.
 """
 
-__version__ = '1.21.0'
+__version__ = '1.22.0'