fix(reporter/sbom): add WindowsKB to SBOM output (#2454)

MaineK00n · web-flow · commit adbc4803e62e · 2026-03-12T10:59:08.000+09:00
diff --git a/reporter/sbom/cyclonedx.go b/reporter/sbom/cyclonedx.go
@@ -137,6 +137,20 @@ func osToCdxComponent(r models.ScanResult) *cdx.Component {
 			Value: r.RunningKernel.Version,
 		})
 	}
+	if r.WindowsKB != nil {
+		for _, kb := range r.WindowsKB.Applied {
+			props = append(props, cdx.Property{
+				Name:  "future-architect:vuls:WindowsKB:Applied",
+				Value: kb,
+			})
+		}
+		for _, kb := range r.WindowsKB.Unapplied {
+			props = append(props, cdx.Property{
+				Name:  "future-architect:vuls:WindowsKB:Unapplied",
+				Value: kb,
+			})
+		}
+	}
 	return &cdx.Component{
 		BOMRef:     uuid.NewString(),
 		Type:       cdx.ComponentTypeOS,
diff --git a/reporter/sbom/cyclonedx_test.go b/reporter/sbom/cyclonedx_test.go
@@ -0,0 +1,124 @@
+package sbom_test
+
+import (
+	"testing"
+	"time"
+
+	cdx "github.com/CycloneDX/cyclonedx-go"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+
+	"github.com/future-architect/vuls/models"
+	"github.com/future-architect/vuls/reporter/sbom"
+)
+
+func TestToCycloneDX(t *testing.T) {
+	tests := []struct {
+		name string
+		args models.ScanResult
+		want *cdx.BOM
+	}{
+		{
+			name: "windows",
+			args: models.ScanResult{
+				Family:           "windows",
+				Release:          "Windows Server 2022",
+				ReportedAt:       time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
+				ReportedVersion:  "v0.38.5",
+				ReportedRevision: "build-20260311_001506_6827f2d",
+				WindowsKB: &models.WindowsKB{
+					Applied:   []string{"5025221", "5022282"},
+					Unapplied: []string{"5026370"},
+				},
+			},
+			want: &cdx.BOM{
+				XMLNS:       "http://cyclonedx.org/schema/bom/1.6",
+				JSONSchema:  "http://cyclonedx.org/schema/bom-1.6.schema.json",
+				BOMFormat:   "CycloneDX",
+				SpecVersion: cdx.SpecVersion1_6,
+				Version:     1,
+				Metadata: &cdx.Metadata{
+					Timestamp: "2025-01-01T00:00:00Z",
+					Tools: &cdx.ToolsChoice{
+						Components: &[]cdx.Component{
+							{
+								Type:    cdx.ComponentTypeApplication,
+								Group:   "future-architect",
+								Name:    "vuls",
+								Version: "v0.38.5-build-20260311_001506_6827f2d",
+							},
+						},
+					},
+					Component: &cdx.Component{
+						Type:    cdx.ComponentTypeOS,
+						Name:    "windows",
+						Version: "Windows Server 2022",
+						Properties: &[]cdx.Property{
+							{Name: "future-architect:vuls:Type", Value: "windows"},
+							{Name: "future-architect:vuls:WindowsKB:Applied", Value: "5025221"},
+							{Name: "future-architect:vuls:WindowsKB:Applied", Value: "5022282"},
+							{Name: "future-architect:vuls:WindowsKB:Unapplied", Value: "5026370"},
+						},
+					},
+				},
+				Components:      new([]cdx.Component),
+				Dependencies:    &[]cdx.Dependency{},
+				Vulnerabilities: &[]cdx.Vulnerability{},
+			},
+		},
+		{
+			name: "non-windows",
+			args: models.ScanResult{
+				Family:           "centos",
+				Release:          "7",
+				ReportedAt:       time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
+				ReportedVersion:  "v0.38.5",
+				ReportedRevision: "build-20260311_001506_6827f2d",
+			},
+			want: &cdx.BOM{
+				XMLNS:       "http://cyclonedx.org/schema/bom/1.6",
+				JSONSchema:  "http://cyclonedx.org/schema/bom-1.6.schema.json",
+				BOMFormat:   "CycloneDX",
+				SpecVersion: cdx.SpecVersion1_6,
+				Version:     1,
+				Metadata: &cdx.Metadata{
+					Timestamp: "2025-01-01T00:00:00Z",
+					Tools: &cdx.ToolsChoice{
+						Components: &[]cdx.Component{
+							{
+								Type:    cdx.ComponentTypeApplication,
+								Group:   "future-architect",
+								Name:    "vuls",
+								Version: "v0.38.5-build-20260311_001506_6827f2d",
+							},
+						},
+					},
+					Component: &cdx.Component{
+						Type:    cdx.ComponentTypeOS,
+						Name:    "centos",
+						Version: "7",
+						Properties: &[]cdx.Property{
+							{Name: "future-architect:vuls:Type", Value: "centos"},
+						},
+					},
+				},
+				Components:      new([]cdx.Component),
+				Dependencies:    &[]cdx.Dependency{},
+				Vulnerabilities: &[]cdx.Vulnerability{},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := sbom.ToCycloneDX(tt.args)
+
+			opts := cmp.Options{
+				cmpopts.IgnoreFields(cdx.BOM{}, "SerialNumber"),
+				cmpopts.IgnoreFields(cdx.Component{}, "BOMRef"),
+			}
+			if diff := cmp.Diff(tt.want, got, opts...); diff != "" {
+				t.Errorf("ToCycloneDX() mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}
diff --git a/reporter/sbom/spdx.go b/reporter/sbom/spdx.go
@@ -90,6 +90,14 @@ func osToSpdxPackage(r models.ScanResult) spdx.Package {
 	if r.RunningKernel.Version != "" {
 		annotations = appendAnnotation(annotations, "RunningKernelVersion", r.RunningKernel.Version, r.ReportedAt)
 	}
+	if r.WindowsKB != nil {
+		for _, kb := range r.WindowsKB.Applied {
+			annotations = appendAnnotation(annotations, "WindowsKB:Applied", kb, r.ReportedAt)
+		}
+		for _, kb := range r.WindowsKB.Unapplied {
+			annotations = appendAnnotation(annotations, "WindowsKB:Unapplied", kb, r.ReportedAt)
+		}
+	}
 
 	return spdx.Package{
 		PackageSPDXIdentifier:     generateSDPXIDentifier(elementOperatingSystem),
diff --git a/reporter/sbom/spdx_test.go b/reporter/sbom/spdx_test.go
@@ -0,0 +1,144 @@
+package sbom_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/spdx/tools-golang/spdx"
+	"github.com/spdx/tools-golang/spdx/v2/common"
+
+	"github.com/future-architect/vuls/models"
+	"github.com/future-architect/vuls/reporter/sbom"
+)
+
+func TestToSPDX(t *testing.T) {
+	tests := []struct {
+		name string
+		args models.ScanResult
+		want spdx.Document
+	}{
+		{
+			name: "windows",
+			args: models.ScanResult{
+				Family:           "windows",
+				Release:          "Windows Server 2022",
+				ReportedAt:       time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
+				ReportedVersion:  "v0.38.5",
+				ReportedRevision: "build-20260311_001506_6827f2d",
+				WindowsKB: &models.WindowsKB{
+					Applied:   []string{"5025221", "5022282"},
+					Unapplied: []string{"5026370"},
+				},
+			},
+			want: spdx.Document{
+				SPDXVersion:    spdx.Version,
+				DataLicense:    spdx.DataLicense,
+				SPDXIdentifier: "DOCUMENT",
+				DocumentName:   "windows",
+				CreationInfo: &spdx.CreationInfo{
+					Creators: []common.Creator{
+						{Creator: "future-architect", CreatorType: "Organization"},
+						{Creator: "test-tool", CreatorType: "Tool"},
+					},
+					Created: "2025-01-01T00:00:00Z",
+				},
+				Packages: []*spdx.Package{
+					{
+						PackageName:             "windows",
+						PackageVersion:          "Windows Server 2022",
+						PackageDownloadLocation: "NONE",
+						PrimaryPackagePurpose:   "OPERATING-SYSTEM",
+						Annotations: []spdx.Annotation{
+							{
+								Annotator:         spdx.Annotator{Annotator: "future-architect:vuls", AnnotatorType: "Tool"},
+								AnnotationDate:    "2025-01-01T00:00:00Z",
+								AnnotationType:    "Other",
+								AnnotationComment: "OsFamily: windows",
+							},
+							{
+								Annotator:         spdx.Annotator{Annotator: "future-architect:vuls", AnnotatorType: "Tool"},
+								AnnotationDate:    "2025-01-01T00:00:00Z",
+								AnnotationType:    "Other",
+								AnnotationComment: "WindowsKB:Applied: 5022282",
+							},
+							{
+								Annotator:         spdx.Annotator{Annotator: "future-architect:vuls", AnnotatorType: "Tool"},
+								AnnotationDate:    "2025-01-01T00:00:00Z",
+								AnnotationType:    "Other",
+								AnnotationComment: "WindowsKB:Applied: 5025221",
+							},
+							{
+								Annotator:         spdx.Annotator{Annotator: "future-architect:vuls", AnnotatorType: "Tool"},
+								AnnotationDate:    "2025-01-01T00:00:00Z",
+								AnnotationType:    "Other",
+								AnnotationComment: "WindowsKB:Unapplied: 5026370",
+							},
+						},
+					},
+				},
+				Relationships: []*spdx.Relationship{
+					{Relationship: "DESCRIBES"},
+				},
+			},
+		},
+		{
+			name: "non-windows",
+			args: models.ScanResult{
+				Family:           "centos",
+				Release:          "7",
+				ReportedAt:       time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
+				ReportedVersion:  "v0.38.5",
+				ReportedRevision: "build-20260311_001506_6827f2d",
+			},
+			want: spdx.Document{
+				SPDXVersion:    spdx.Version,
+				DataLicense:    spdx.DataLicense,
+				SPDXIdentifier: "DOCUMENT",
+				DocumentName:   "centos",
+				CreationInfo: &spdx.CreationInfo{
+					Creators: []common.Creator{
+						{Creator: "future-architect", CreatorType: "Organization"},
+						{Creator: "test-tool", CreatorType: "Tool"},
+					},
+					Created: "2025-01-01T00:00:00Z",
+				},
+				Packages: []*spdx.Package{
+					{
+						PackageName:             "centos",
+						PackageVersion:          "7",
+						PackageDownloadLocation: "NONE",
+						PrimaryPackagePurpose:   "OPERATING-SYSTEM",
+						Annotations: []spdx.Annotation{
+							{
+								Annotator:         spdx.Annotator{Annotator: "future-architect:vuls", AnnotatorType: "Tool"},
+								AnnotationDate:    "2025-01-01T00:00:00Z",
+								AnnotationType:    "Other",
+								AnnotationComment: "OsFamily: centos",
+							},
+						},
+					},
+				},
+				Relationships: []*spdx.Relationship{
+					{Relationship: "DESCRIBES"},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := sbom.ToSPDX(tt.args, "test-tool")
+
+			opts := cmp.Options{
+				cmpopts.IgnoreUnexported(spdx.Package{}),
+				cmpopts.IgnoreFields(spdx.Document{}, "DocumentNamespace"),
+				cmpopts.IgnoreFields(spdx.Package{}, "PackageSPDXIdentifier"),
+				cmpopts.IgnoreFields(spdx.Relationship{}, "RefA", "RefB"),
+			}
+			if diff := cmp.Diff(tt.want, got, opts...); diff != "" {
+				t.Errorf("ToSPDX() mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}
