
feat(cyclonedx): add support for custom package Properties

Open StounhandJ opened this issue 1 month ago • 4 comments

Description

This PR adds support for custom properties in SBOM packages by introducing the Properties field in ftypes.Package. The changes ensure that arbitrary component properties are preserved during both decoding and encoding of SBOMs.

Key changes:

  • Added Properties map[string]string to ftypes.Package
  • Populate Properties when decoding component properties in sbom/io/decode.go
  • Encode Properties back to component properties in sbom/io/encode.go
  • Updated unit tests to cover the decode/encode roundtrip with custom properties

This allows users to retain additional, non-standard metadata from components in generated SBOMs.

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [ ] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

StounhandJ avatar Dec 01 '25 13:12 StounhandJ

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar Dec 01 '25 13:12 CLAassistant

Hi @StounhandJ , Thank you for your work!

Could you share more about the use cases for these changes?

When scanning an SBOM file and outputting the result as an SBOM, we simply reuse the original SBOM, so its properties should be preserved. When scanning an image or filesystem, Trivy doesn’t populate the new Package.Properties field. Right now, the only use case I can see is: scan an SBOM file and then view custom properties in the JSON report.

I’m not sure this is something users actually need, though.

Regards, Dmitriy

DmitriyLewen avatar Dec 02 '25 06:12 DmitriyLewen

Hi @DmitriyLewen,

We use Trivy in the project as a vulnerability scanner, and we get the SBOM itself from other aggregators, where there are additional fields in Properties that we would not like to lose for individual packages. This native implementation will allow you to transfer any fields via Trivy and return them to their original state.

StounhandJ avatar Dec 02 '25 08:12 StounhandJ

Using the External flag, we remove the addition of the namespace prefix for our custom properties.

https://github.com/aquasecurity/trivy/blob/main/pkg/sbom/cyclonedx/marshal.go#L369-L370

StounhandJ avatar Dec 08 '25 16:12 StounhandJ
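The decode/encode roundtrip sketched in the PR description, together with the namespace point raised in the comment above (Trivy emits its own CycloneDX properties under the `aquasecurity:trivy:` prefix, while custom properties should keep their original names), as an added Go example. This is not Trivy's code and not the PR's diff: `Package`, `Roundtrip`, `decodeComponent`, `encodeComponent` and the `cdx*` types are hypothetical stand-ins for `ftypes.Package` and the `sbom/io` decode/encode paths, the CycloneDX subset is hand-written with `encoding/json` rather than the cyclonedx-go library Trivy uses, the "no prefix for custom properties" rule is modelled as a plain prefix check rather than Trivy's External flag, and the sample BOM is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Prefix Trivy puts on the CycloneDX properties it generates itself, e.g.
// aquasecurity:trivy:PkgType. Custom properties from upstream tools must not get it.
const trivyNamespace = "aquasecurity:trivy:"

// Minimal hand-written subset of the CycloneDX JSON schema (hypothetical, not cyclonedx-go).
type (
	cdxProperty struct {
		Name  string `json:"name"`
		Value string `json:"value"`
	}
	cdxComponent struct {
		Type       string        `json:"type"`
		Name       string        `json:"name"`
		Version    string        `json:"version"`
		PURL       string        `json:"purl,omitempty"`
		Properties []cdxProperty `json:"properties,omitempty"`
	}
	cdxBOM struct {
		BOMFormat   string         `json:"bomFormat"`
		SpecVersion string         `json:"specVersion"`
		Components  []cdxComponent `json:"components"`
	}
)

// Package is a stand-in for the PR's ftypes.Package shape: typed fields Trivy
// understands plus a free-form Properties map for everything else.
type Package struct {
	Name, Version, PURL string
	PkgType             string            // decoded from aquasecurity:trivy:PkgType
	Properties          map[string]string // non-Trivy properties, kept verbatim
}

// decodeComponent routes namespaced properties into typed fields and keeps every
// other property as-is, whatever order they appear in.
func decodeComponent(c cdxComponent) Package {
	pkg := Package{Name: c.Name, Version: c.Version, PURL: c.PURL, Properties: map[string]string{}}
	for _, p := range c.Properties {
		if !strings.HasPrefix(p.Name, trivyNamespace) {
			pkg.Properties[p.Name] = p.Value // verbatim; a repeated name overwrites (last wins)
		} else if strings.TrimPrefix(p.Name, trivyNamespace) == "PkgType" { // only key modelled here
			pkg.PkgType = p.Value
		}
	}
	return pkg
}

// encodeComponent re-emits Trivy's fields under the namespace and the custom
// properties under their original names (no prefix added), sorted for stable output.
func encodeComponent(pkg Package) cdxComponent {
	c := cdxComponent{Type: "library", Name: pkg.Name, Version: pkg.Version, PURL: pkg.PURL}
	if pkg.PkgType != "" {
		c.Properties = append(c.Properties, cdxProperty{Name: trivyNamespace + "PkgType", Value: pkg.PkgType})
	}
	keys := make([]string, 0, len(pkg.Properties))
	for k := range pkg.Properties {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		c.Properties = append(c.Properties, cdxProperty{Name: k, Value: pkg.Properties[k]})
	}
	return c
}

// Roundtrip decodes every component of a CycloneDX JSON BOM into a Package and encodes
// the packages back, returning both so the caller can check nothing was lost.
func Roundtrip(bomJSON []byte) ([]Package, []byte, error) {
	var in cdxBOM
	if err := json.Unmarshal(bomJSON, &in); err != nil {
		return nil, nil, err
	}
	out := cdxBOM{BOMFormat: in.BOMFormat, SpecVersion: in.SpecVersion}
	pkgs := make([]Package, 0, len(in.Components))
	for _, c := range in.Components {
		pkg := decodeComponent(c)
		pkgs = append(pkgs, pkg)
		out.Components = append(out.Components, encodeComponent(pkg))
	}
	b, err := json.Marshal(out)
	return pkgs, b, err
}

// SampleBOM is a constructed input: one component whose Trivy-namespaced property
// sits between two custom properties from a hypothetical upstream aggregator.
const SampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.5","components":[{
  "type":"library","name":"lodash","version":"4.17.21","purl":"pkg:npm/lodash@4.17.21",
  "properties":[{"name":"acme:owner","value":"team-payments"},
                {"name":"aquasecurity:trivy:PkgType","value":"npm"},
                {"name":"acme:ticket","value":"SEC-1234"}]}]}`

func main() {
	pkgs, out, err := Roundtrip([]byte(SampleBOM))
	if err != nil {
		panic(err)
	}
	fmt.Printf("decoded: %+v\n%s\n", pkgs[0], out)
}
```

Running it prints the decoded package and a BOM in which `acme:owner` and `acme:ticket` keep their names while `PkgType` is re-emitted as `aquasecurity:trivy:PkgType`. Two caveats follow from modelling `Properties` as `map[string]string`, as the PR does: the CycloneDX schema allows a property name to repeat, which a map collapses to the last value seen, and the original ordering is lost, which is why the example sorts keys so that a second pass over its own output is byte-identical.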

Hello @StounhandJ

I’m still not sure that we need to add this functionality to Trivy. Could you create a new discussion (https://github.com/aquasecurity/trivy/discussions)? If users need this in the future, we can add it.

DmitriyLewen avatar Dec 15 '25 05:12 DmitriyLewen