fix(sbom): improve logic for determining Application type and filepath for non-Trivy SBOMs
Description
We currently detect Application type from properties only.
FilePath for Application can be detected from component name only.
This PR adds new logic:
- Detect Application type from purl (if it exists)
- Detect Application filePath from the `files` array
Example test file:

```json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2025-05-06T20:07:04Z",
    "creators": [
      "Organization: Broadcom Inc. and/or its subsidiaries."
    ]
  },
  "name": "SPDX document for Harbor 2.13.0",
  "dataLicense": "CC0-1.0",
  "documentDescribes": [
    "SPDXRef-Application-harbor-exporter"
  ],
  "documentNamespace": "pkg:bitnami/harbor-exporter@2.13.0-3?arch=arm64&distro=debian-12",
  "packages": [
    {
      "SPDXID": "SPDXRef-Application-harbor-exporter",
      "name": "harbor-exporter",
      "versionInfo": "2.13.0-3",
      "downloadLocation": "git+https://github.com/goharbor/harbor#refs/tags/v2.13.0",
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:*:harbor-exporter:harbor-exporter:2.13.0:*:*:*:*:*:*:*"
        },
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:bitnami/harbor-exporter@2.13.0-3?arch=arm64&distro=debian-12"
        }
      ],
      "copyrightText": "NOASSERTION"
    },
    {
      "name": "github.com/CloudNativeAI/model-spec",
      "SPDXID": "SPDXRef-Package-768cb671cc7ce0ba",
      "versionInfo": "v0.0.3",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "opt/bitnami/harbor-exporter/bin/harbor_exporter",
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:golang/github.com/cloudnativeai/model-spec@v0.0.3"
        }
      ],
      "primaryPackagePurpose": "LIBRARY",
      "copyrightText": "NOASSERTION"
    }
  ],
  "files": [
    {
      "fileName": "opt/bitnami/harbor-exporter/bin/harbor_exporter",
      "SPDXID": "SPDXRef-File-7b0411c48a1a7bf5",
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "fd545010529c738b4fe0caff1922b99a0ab5f2e5"
        }
      ],
      "copyrightText": ""
    }
  ],
  "hasExtractedLicensingInfos": [],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relationshipType": "CONTAINS",
      "relatedSpdxElement": "SPDXRef-Application-harbor-exporter"
    },
    {
      "spdxElementId": "SPDXRef-Application-harbor-exporter",
      "relatedSpdxElement": "SPDXRef-File-7b0411c48a1a7bf5",
      "relationshipType": "CONTAINS"
    },
    {
      "spdxElementId": "SPDXRef-Application-harbor-exporter",
      "relatedSpdxElement": "SPDXRef-Package-768cb671cc7ce0ba",
      "relationshipType": "DEPENDS_ON"
    }
  ]
}
```
Before:

```
➜ trivy -q sbom spdx-harbor-exporter.json

Report Summary

┌────────┬──────────┬─────────────────┐
│ Target │   Type   │ Vulnerabilities │
├────────┼──────────┼─────────────────┤
│        │ bitnami  │        0        │
├────────┼──────────┼─────────────────┤
│        │ gobinary │        0        │
└────────┴──────────┴─────────────────┘
```
After:

```
➜ ./trivy -q sbom spdx-harbor-exporter.json

Report Summary

┌─────────────────────────────────────────────────┬─────────┬─────────────────┐
│                     Target                      │  Type   │ Vulnerabilities │
├─────────────────────────────────────────────────┼─────────┼─────────────────┤
│ opt/bitnami/harbor-exporter/bin/harbor_exporter │ bitnami │        0        │
└─────────────────────────────────────────────────┴─────────┴─────────────────┘
```
Related issues
- Close #XXX
Related PRs
- [ ] #XXX
- [ ] #YYY
Checklist
- [x] I've read the guidelines for contributing to this repository.
- [x] I've followed the conventions in the PR title.
- [x] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the documentation with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)
- [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).
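The two rules the description sketches, Application type taken from the purl's type segment and Application filePath resolved from the `files` array through a CONTAINS relationship, as an added Go example. This is not Trivy's code and not part of this PR: it treats every package listed in `documentDescribes` as an application (an assumption made here; the real parser's criteria are not shown on this page) and runs on a constructed, trimmed copy of the test file above, so the purl value in `SampleSPDX` is a constructed sample.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the SPDX 2.3 JSON model: only the fields this example reads.
type spdxDoc struct {
	DocumentDescribes []string `json:"documentDescribes"`
	Packages          []struct {
		SPDXID       string `json:"SPDXID"`
		ExternalRefs []struct {
			ReferenceType    string `json:"referenceType"`
			ReferenceLocator string `json:"referenceLocator"`
		} `json:"externalRefs"`
	} `json:"packages"`
	Files []struct {
		SPDXID   string `json:"SPDXID"`
		FileName string `json:"fileName"`
	} `json:"files"`
	Relationships []struct {
		SpdxElementID      string `json:"spdxElementId"`
		RelationshipType   string `json:"relationshipType"`
		RelatedSpdxElement string `json:"relatedSpdxElement"`
	} `json:"relationships"`
}

type Application struct {
	ID       string
	Type     string // purl type, e.g. "bitnami"; empty when the package has no purl
	FilePath string // empty when no CONTAINS relationship points at a file
}

// purlType returns the type segment of a package URL ("bitnami" for
// "pkg:bitnami/harbor-exporter@2.13.0-3?arch=arm64") or "" for a non-purl.
func purlType(locator string) string {
	if !strings.HasPrefix(locator, "pkg:") || !strings.Contains(locator, "/") {
		return ""
	}
	return strings.SplitN(strings.TrimPrefix(locator, "pkg:"), "/", 2)[0]
}

// DetectApplications treats every package in documentDescribes as an application
// (assumption for this example), reads its type from the purl and its path via CONTAINS.
func DetectApplications(data []byte) ([]Application, error) {
	var doc spdxDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	files := map[string]string{} // file SPDXID -> fileName
	for _, f := range doc.Files {
		files[f.SPDXID] = f.FileName
	}
	described := map[string]bool{}
	for _, id := range doc.DocumentDescribes {
		described[id] = true
	}
	var apps []Application
	for _, p := range doc.Packages {
		if !described[p.SPDXID] {
			continue
		}
		app := Application{ID: p.SPDXID}
		for _, ref := range p.ExternalRefs {
			if ref.ReferenceType == "purl" {
				app.Type = purlType(ref.ReferenceLocator)
				break
			}
		}
		for _, rel := range doc.Relationships {
			if rel.SpdxElementID != p.SPDXID || rel.RelationshipType != "CONTAINS" {
				continue
			}
			if path, ok := files[rel.RelatedSpdxElement]; ok {
				app.FilePath = path // first contained file wins
				break
			}
		}
		apps = append(apps, app)
	}
	return apps, nil
}

// SampleSPDX is a constructed, trimmed-down copy of the PR's test document.
const SampleSPDX = `{"documentDescribes": ["SPDXRef-Application-harbor-exporter"],
  "packages": [
    {"SPDXID": "SPDXRef-Application-harbor-exporter", "name": "harbor-exporter", "externalRefs": [
      {"referenceType": "purl", "referenceLocator": "pkg:bitnami/harbor-exporter@2.13.0-3?arch=arm64&distro=debian-12"}]},
    {"SPDXID": "SPDXRef-Package-768cb671cc7ce0ba", "name": "github.com/CloudNativeAI/model-spec"}],
  "files": [{"SPDXID": "SPDXRef-File-7b0411c48a1a7bf5", "fileName": "opt/bitnami/harbor-exporter/bin/harbor_exporter"}],
  "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Application-harbor-exporter"},
    {"spdxElementId": "SPDXRef-Application-harbor-exporter", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-File-7b0411c48a1a7bf5"},
    {"spdxElementId": "SPDXRef-Application-harbor-exporter", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-768cb671cc7ce0ba"}]}`

func main() {
	apps, err := DetectApplications([]byte(SampleSPDX))
	fmt.Printf("%+v (err=%v)\n", apps, err)
}
```

Running it yields one application with `Type` "bitnami" and `FilePath` "opt/bitnami/harbor-exporter/bin/harbor_exporter", which is the row the "After" table shows; a described package with no purl and no CONTAINS edge to a file comes back with both fields empty, matching the blank Target column in the "Before" output.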
@DmitriyLewen Can you please create an issue for this, or link to a relevant issue?
@itaysk I'm still not sure about these changes, because these changes also affect KBOM (e.g. dependencies - https://github.com/aquasecurity/trivy/pull/8965#discussion_r2120744890).
I started working on it after https://github.com/aquasecurity/trivy/discussions/8863.
But we are still discussing it with the bitnami team.
Maybe we will find a way to solve their problem without these changes.
This PR is stale because it has been labeled with inactivity.