[SP-2874] feat: add licenses sub-command, add support for ingesting CDX, add CDX input validation

.github/workflows/container-local-test.yml

@@ -5,10 +5,10 @@ on:
   workflow_dispatch:
   push:
     branches:
-      - 'main'
+      - "main"
   pull_request:
     branches:
-      - 'main'
+      - "main"
 
 env:
   IMAGE_BASE: scanoss/scanoss-py-base
@@ -27,7 +27,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.9.x'
+          python-version: "3.10.x"
 
       - name: Install Dependencies
         run: |
@@ -98,3 +98,4 @@ jobs:
             echo "Error: Scan test did not produce any results. Failing"
             exit 1
           fi
+

.github/workflows/container-publish-ghcr.yml

@@ -30,7 +30,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.9.x"
+          python-version: '3.9.x'
 
       - name: Install Dependencies
         run: |

.github/workflows/python-publish-pypi.yml

@@ -16,7 +16,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.9.x"
+          python-version: '3.9.x'
 
       - name: Install dependencies
         run: |
@@ -70,7 +70,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.9.x"
+          python-version: '3.9.x'
 
       - name: Install Remote Package
         uses: nick-fields/retry@v3

.github/workflows/python-publish-testpypi.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.9.x"
+          python-version: '3.9.x'
 
       - name: Install Dependencies
         run: |
@@ -65,7 +65,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.9.x"
+          python-version: '3.9.x'
 
       - name: Install Remote Package
         run: |

.github/workflows/version-tag.yml

@@ -23,7 +23,7 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
-          python-version: "3.9.x"
+          python-version: '3.9.x'
       - name: Determine Tag
         id: taggerVersion
         run: |

CHANGELOG.md

@@ -9,6 +9,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Upcoming changes...
 
+## [1.33.0] - 2025-09-19
+### Added
+- Add `licenses` sub-command to `component` command
+- Add support for ingesting CDX to all decoration commands
+- Add CDX input validation
+
 ## [1.32.0] - 2025-09-01
 ### Added
 - Switched vulnerability and dependency APIs to use REST by default
@@ -176,7 +182,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [1.20.2] - 2025-02-26
 ### Fixed
-- Fixed provenance command 
+- Fixed provenance command
 
 ## [1.20.1] - 2025-02-18
 ### Added
@@ -238,7 +244,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.17.5] - 2024-11-12
 ### Fixed
 - Fix dependencies scan result structure
-  
+
 ## [1.17.4] - 2024-11-08
 ### Fixed
 - Fix backslashes in file paths on Windows
@@ -255,7 +261,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Added supplier to SPDX packages
 ### Changed
-- Changed undeclared summary output 
+- Changed undeclared summary output
 
 ## [1.17.1] - 2024-10-24
 ### Fixed
@@ -288,7 +294,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Added support for Python3.12
 - Module `pkg_resources` has been replaced with `importlib_resources`
-- Added support for UTF-16 filenames 
+- Added support for UTF-16 filenames
 
 ## [1.13.0] - 2024-06-05
 ### Added
@@ -367,11 +373,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [1.6.0] - 2023-06-16
 ### Added
 - Added support for High Precision Snippet Matching (`--hpsm` or `-H`) while scanning
-  - `scanoss-py scan --hpsm ...` 
+  - `scanoss-py scan --hpsm ...`
 
 ## [1.5.2] - 2023-06-13
 ### Added
-- Added retry limit option (`--retry`) while scanning 
+- Added retry limit option (`--retry`) while scanning
   - `--retry 0` will fail immediately
 
 ## [1.5.1] - 2023-04-21
@@ -660,4 +666,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [1.31.3]: https://github.com/scanoss/scanoss.py/compare/v1.31.2...v1.31.3
 [1.31.4]: https://github.com/scanoss/scanoss.py/compare/v1.31.3...v1.31.4
 [1.31.5]: https://github.com/scanoss/scanoss.py/compare/v1.31.4...v1.31.5
-[1.31.5]: https://github.com/scanoss/scanoss.py/compare/v1.31.5...v1.32.0
+[1.32.0]: https://github.com/scanoss/scanoss.py/compare/v1.31.5...v1.32.0
+[1.33.0]: https://github.com/scanoss/scanoss.py/compare/v1.32.0...v1.33.0

CLIENT_HELP.md

@@ -337,6 +337,44 @@ The following command provides the capability to search the SCANOSS KB for compo
 scanoss-py comp prov -p "pkg:github/unoconv/unoconv" --origin
 ```
 
+#### Component Licenses
+The following command provides the capability to search the SCANOSS KB for licenses for Open Source components:
+```bash
+scanoss-py comp licenses -p "pkg:github/jquery/jquery" -p "pkg:npm/express"
+```
+It is possible to supply multiple PURLs by repeating the `-p pkg` option, or providing a purl input file `-i purl-input.json` ([for example](tests/data/purl-input.json)):
+```bash
+scanoss-py comp licenses -i purl-input.json -o component-licenses.json
+```
+
+The licenses command also supports CycloneDX (CDX) input files. You can provide a CycloneDX SBOM file and retrieve license information for all components:
+```bash
+scanoss-py comp licenses -i cyclonedx-sbom.json -o component-licenses.json
+```
+
+### CDX Input Support for Component Commands
+Several component commands now support CycloneDX (CDX) input files. This allows you to analyze components from existing SBOM files:
+
+**Supported commands with CDX input:**
+- `comp vulns` - Analyze vulnerabilities from CDX file
+- `comp licenses` - Retrieve licenses from CDX file  
+- `comp crypto` - Detect cryptographic algorithms from CDX file
+- `comp semgrep` - Find semgrep issues from CDX file
+
+**Example using CDX input:**
+```bash
+# Analyze vulnerabilities from a CycloneDX SBOM
+scanoss-py comp vulns -i sbom.cdx.json -o vulnerabilities.json
+
+# Get licenses for all components in a CycloneDX SBOM
+scanoss-py comp licenses -i sbom.cdx.json -o licenses.json
+
+# Detect cryptographic usage from CDX
+scanoss-py comp crypto -i sbom.cdx.json -o crypto-findings.json
+```
+
+The CDX input file is automatically validated to ensure it's a valid CycloneDX format before processing.
+
 
 ### Results Commands
 The `results` command provides the capability to operate on scan results. For example:

requirements.txt

@@ -2,8 +2,9 @@ requests
 crc32c>=2.2
 binaryornot
 progress
-grpcio>1.42.0
+grpcio>=1.70.0
 protobuf>3.19.1
+protoc-gen-openapiv2
 pypac
 urllib3
 pyOpenSSL

scanoss.json

@@ -3,9 +3,9 @@
     "skip": {
       "patterns": {
         "scanning": [
-          "src/protoc_gen_swagger/",
-          "src/scanoss/api/",
-          "docs/make.bat"
+          "src/protoc_gen_swagger",
+          "docs",
+          "scanoss_common_pb2_grpc.py"
         ]
       },
       "sizes": {}
@@ -16,6 +16,8 @@
       {
         "purl": "pkg:github/scanoss/scanoss.py"
       }
-    ]
+    ],
+    "remove": []
   }
-}
+}
+

setup.cfg

@@ -29,8 +29,9 @@ install_requires =
     crc32c>=2.2
     binaryornot
     progress
-    grpcio>1.42.0
+    grpcio>=1.70.0
     protobuf>3.19.1
+    protoc-gen-openapiv2
     pypac
     pyOpenSSL
     google-api-core

src/protoc_gen_swagger/options/annotations_pb2.pyi

@@ -0,0 +1,48 @@
+"""
+@generated by mypy-protobuf.  Do not edit manually!
+isort:skip_file
+"""
+
+import builtins
+import google.protobuf.descriptor
+import google.protobuf.descriptor_pb2
+import google.protobuf.internal.extension_dict
+import protoc_gen_swagger.options.openapiv2_pb2
+
+DESCRIPTOR: google.protobuf.descriptor.FileDescriptor
+
+OPENAPIV2_SWAGGER_FIELD_NUMBER: builtins.int
+OPENAPIV2_OPERATION_FIELD_NUMBER: builtins.int
+OPENAPIV2_SCHEMA_FIELD_NUMBER: builtins.int
+OPENAPIV2_TAG_FIELD_NUMBER: builtins.int
+OPENAPIV2_FIELD_FIELD_NUMBER: builtins.int
+openapiv2_swagger: google.protobuf.internal.extension_dict._ExtensionFieldDescriptor[google.protobuf.descriptor_pb2.FileOptions, protoc_gen_swagger.options.openapiv2_pb2.Swagger]
+"""ID assigned by [email protected] for grpc-gateway project.
+
+All IDs are the same, as assigned. It is okay that they are the same, as they extend
+different descriptor messages.
+"""
+openapiv2_operation: google.protobuf.internal.extension_dict._ExtensionFieldDescriptor[google.protobuf.descriptor_pb2.MethodOptions, protoc_gen_swagger.options.openapiv2_pb2.Operation]
+"""ID assigned by [email protected] for grpc-gateway project.
+
+All IDs are the same, as assigned. It is okay that they are the same, as they extend
+different descriptor messages.
+"""
+openapiv2_schema: google.protobuf.internal.extension_dict._ExtensionFieldDescriptor[google.protobuf.descriptor_pb2.MessageOptions, protoc_gen_swagger.options.openapiv2_pb2.Schema]
+"""ID assigned by [email protected] for grpc-gateway project.
+
+All IDs are the same, as assigned. It is okay that they are the same, as they extend
+different descriptor messages.
+"""
+openapiv2_tag: google.protobuf.internal.extension_dict._ExtensionFieldDescriptor[google.protobuf.descriptor_pb2.ServiceOptions, protoc_gen_swagger.options.openapiv2_pb2.Tag]
+"""ID assigned by [email protected] for grpc-gateway project.
+
+All IDs are the same, as assigned. It is okay that they are the same, as they extend
+different descriptor messages.
+"""
+openapiv2_field: google.protobuf.internal.extension_dict._ExtensionFieldDescriptor[google.protobuf.descriptor_pb2.FieldOptions, protoc_gen_swagger.options.openapiv2_pb2.JSONSchema]
+"""ID assigned by [email protected] for grpc-gateway project.
+
+All IDs are the same, as assigned. It is okay that they are the same, as they extend
+different descriptor messages.
+"""

src/protoc_gen_swagger/options/annotations_pb2_grpc.py

@@ -1,4 +1,24 @@
 # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT!
 """Client and server classes corresponding to protobuf-defined services."""
 import grpc
+import warnings
 
+
+GRPC_GENERATED_VERSION = '1.73.1'
+GRPC_VERSION = grpc.__version__
+_version_not_supported = False
+
+try:
+    from grpc._utilities import first_version_is_lower
+    _version_not_supported = first_version_is_lower(GRPC_VERSION, GRPC_GENERATED_VERSION)
+except ImportError:
+    _version_not_supported = True
+
+if _version_not_supported:
+    raise RuntimeError(
+        f'The grpc package installed is at version {GRPC_VERSION},'
+        + f' but the generated code in protoc_gen_swagger/options/annotations_pb2_grpc.py depends on'
+        + f' grpcio>={GRPC_GENERATED_VERSION}.'
+        + f' Please upgrade your grpc module to grpcio>={GRPC_GENERATED_VERSION}'
+        + f' or downgrade your generated code using grpcio-tools<={GRPC_VERSION}.'
+    )