invalid structure for multiple licenses for cyclonedx SBOM format

[LesSyner]

Description

Currently trivy produces cyclonedx based on 1.5 schema but for multiple licenses case with invalid array of expression objects (which was valid for 1.4 schema).

"licenses": [
        {
          "expression": "BSD-3-Clause"
        },
        {
          "expression": "FSFULLR"
        },
        {
          "expression": "FSFUL"
        },
        {
          "expression": "Expat"
        },
        {
          "expression": "GPL-2.0"
        },
        {
          "expression": "public-domain"
        }
      ],

According to 1.5 cyclonedx json schema for licenses object it has to be EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression) with additional clarification for SPDX Expression option that it has to be a tuple of exactly one SPDX License Expression.

Desired Behavior

licenses object with multiple licenses aligned with cyclonedx 1.5 json schema.

Actual Behavior

Invalid licenses object for multiple licenses for cyclonedx 1.5 SBOM output

Reproduction Steps

1. trivy image --scanners license ubuntu:22.04 -f cyclonedx

Target

Container Image

Scanner

License

Output Format

CycloneDX

Mode

Standalone

Debug Output

DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
DEBUG	Ignore statuses	{"statuses": null}
DEBUG	cache dir:  .
INFO	License scanning is enabled
DEBUG	Image ID: sha256:37f74891464b2067aacbde60d9e2888e002af047a0d5dfc0b06b701928e0b473
DEBUG	Diff IDs: [sha256:c5ca84f245d30117a9a2720cb4297cedf3642816471d4d699f4d77e39e13a39c]
DEBUG	Base Layers: []

Operating System

macOS Ventura 13.5

Version

Version: 0.44.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-07-26 06:08:40.049602013 +0000 UTC
  NextUpdate: 2023-07-26 12:08:40.049601613 +0000 UTC
  DownloadedAt: 2023-07-26 10:10:28.217628 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-07-31 00:51:48.861488562 +0000 UTC
  NextUpdate: 2023-08-03 00:51:48.861488162 +0000 UTC
  DownloadedAt: 2023-07-31 15:11:35.839586 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[knqyf263]

@nscuro Is it a breaking change in CycloneDX 1.5?

[DmitriyLewen]

Hello @LesSyner
Thanks for your report!

We fixed this problem in #4941.
v0.44.1 will include this fix.

Regards, Dmitriy