Incorrect using of AttributionText in SPDX output

[goneall]

Description

In the produced SPDX document, it looks like the attributionTexts field on packages is being used to record information about the scanning results. For example:

"attributionTexts": [
        "Class: lang-pkgs",
        "Type: npm"
      ],

From the SPDX spec - the Attribution Text intent id described as "This field provides a place for the SPDX document creator to record, at the package level, acknowledgements that might be required to be communicated in some contexts. "

For example, if a software package has a contributor, the attribution text could include "... was a contributor to this project".

Desired Behavior

From the data in the fields, it looks like these should be Annotations on the package.

For example:

"annotations" : [ {
    "annotationDate" : "2024-10-29T18:30:22Z",
    "annotationType" : "OTHER",
    "annotator" : "Tool: Trivy ()",
    "comment" : "Class: lang-pkgs"
  },
  {
    "annotationDate" : "2024-10-29T18:30:22Z",
    "annotationType" : "OTHER",
    "annotator" : "Tool: Trivy ()",
    "comment" : "Type: npm"
  },

Actual Behavior

Attribution texts being used instead of annotations

Reproduction Steps

1. Run trivy fs --scanners license,vuln --format spdx-json .
2. Review the SPDX JSON output searching for `attributionTexts`
3.
...

Target

Filesystem

Scanner

License

Output Format

SPDX

Mode

Standalone

Debug Output

trivy fs --scanners license,vuln --format spdx-json --debug .
2024-10-10T15:49:59-07:00       DEBUG   No plugins loaded
2024-10-10T15:49:59-07:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-10-10T15:49:59-07:00       DEBUG   Cache dir       dir="C:\\Users\\gary\\AppData\\Local\\trivy"
2024-10-10T15:49:59-07:00       DEBUG   Cache dir       dir="C:\\Users\\gary\\AppData\\Local\\trivy"
2024-10-10T15:49:59-07:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-10-10T15:49:59-07:00       DEBUG   Ignore statuses statuses=[]
2024-10-10T15:49:59-07:00       DEBUG   DB update was skipped because the local DB is the latest
2024-10-10T15:49:59-07:00       DEBUG   DB info schema=2 updated_at=2024-10-10T12:16:40.822906715Z next_update=2024-10-11T12:16:40.822906214Z downloaded_at=2024-10-10T17:58:21.4052752Z
2024-10-10T15:49:59-07:00       DEBUG   [pkg] Package types     types=[os library]
2024-10-10T15:49:59-07:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-10-10T15:49:59-07:00       INFO    [vuln] Vulnerability scanning is enabled
2024-10-10T15:49:59-07:00       INFO    [license] License scanning is enabled
2024-10-10T15:49:59-07:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-10-10T15:49:59-07:00       DEBUG   Initializing scan cache...      type="memory"
2024-10-10T15:49:59-07:00       DEBUG   Skipping path   path="dev"
2024-10-10T15:50:00-07:00       DEBUG   OS is not detected.
2024-10-10T15:50:00-07:00       INFO    Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2024-10-10T15:50:00-07:00       DEBUG   Detected OS: unknown
2024-10-10T15:50:00-07:00       INFO    Number of language-specific files       num=1
2024-10-10T15:50:00-07:00       INFO    [npm] Detecting vulnerabilities...
2024-10-10T15:50:00-07:00       DEBUG   [npm] Scanning packages for vulnerabilities     file_path="package-lock.json"
2024-10-10T15:50:00-07:00       DEBUG   [vex] VEX filtering is disabled
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": ".",
  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/.-a022f4ee-f78f-41fb-8f06-d3e91fbb3536",
  "creationInfo": {
    "creators": [
      "Organization: aquasecurity",
      "Tool: trivy-dev"
    ],
    "created": "2024-10-10T22:50:00Z"
  },
  "packages": [
    {
      "name": "package-lock.json",
      "SPDXID": "SPDXRef-Application-23fade0ea7b1493e",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "attributionTexts": [
        "Class: lang-pkgs",
        "Type: npm"
      ],
      "primaryPackagePurpose": "APPLICATION"
    },
    {
      "name": "uuid",
      "SPDXID": "SPDXRef-Package-172a646591d3df32",
      "versionInfo": "9.0.1",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "sourceInfo": "package found in: package-lock.json",
      "licenseConcluded": "MIT",
      "licenseDeclared": "MIT",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:npm/[email protected]"
        }
      ],
      "attributionTexts": [
        "PkgID: [email protected]",
        "PkgType: npm"
      ],
      "primaryPackagePurpose": "LIBRARY"
    },
    {
      "name": ".",
      "SPDXID": "SPDXRef-Filesystem-1465386cfbe4e9c7",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "attributionTexts": [
        "SchemaVersion: 2"
      ],
      "primaryPackagePurpose": "SOURCE"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-Application-23fade0ea7b1493e",
      "relatedSpdxElement": "SPDXRef-Package-172a646591d3df32",
      "relationshipType": "CONTAINS"
    },
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-Filesystem-1465386cfbe4e9c7",
      "relationshipType": "DESCRIBES"
    },
    {
      "spdxElementId": "SPDXRef-Filesystem-1465386cfbe4e9c7",
      "relatedSpdxElement": "SPDXRef-Application-23fade0ea7b1493e",
      "relationshipType": "CONTAINS"
    }
  ]
}

Operating System

Windows 11

Version

Dev - from v0.55.2 tag

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

Thanks for reporting. #7756