Add SBOM scan REST API (#20215)

Update swagger API for generate SBOM

Signed-off-by: stonezdj <daojunz@vmware.com>
Co-authored-by: stonezdj <daojunz@vmware.com>

api/v2.0/swagger.yaml

@@ -991,6 +991,12 @@ paths:
           type: boolean
           required: false
           default: false
+        - name: with_sbom_overview
+          in: query
+          description: Specify whether the SBOM overview is included in returning artifacts, when this option is true, the SBOM overview will be included in the response
+          type: boolean
+          required: false
+          default: false          
         - name: with_signature
           in: query
           description: Specify whether the signature is included inside the tags of the returning artifacts. Only works when setting "with_tag=true"
@@ -1096,6 +1102,12 @@ paths:
           type: boolean
           required: false
           default: false
+        - name: with_sbom_overview
+          in: query
+          description: Specify whether the SBOM overview is included in returning artifact, when this option is true, the SBOM overview will be included in the response
+          type: boolean
+          required: false
+          default: false
         - name: with_accessory
           in: query
           description: Specify whether the accessories are included of the returning artifacts.
@@ -1164,6 +1176,11 @@ paths:
         - $ref: '#/parameters/projectName'
         - $ref: '#/parameters/repositoryName'
         - $ref: '#/parameters/reference'
+        - name: scan_request_type
+          in: body
+          required: false
+          schema: 
+            $ref: '#/definitions/ScanRequestType'
       responses:
         '202':
           $ref: '#/responses/202'
@@ -1432,7 +1449,7 @@ paths:
           in: path
           description: The type of addition.
           type: string
-          enum: [build_history, values.yaml, readme.md, dependencies]
+          enum: [build_history, values.yaml, readme.md, dependencies, sbom]
           required: true
       responses:
         '200':
@@ -6592,6 +6609,9 @@ definitions:
       scan_overview:
         $ref: '#/definitions/ScanOverview'
         description: The overview of the scan result.
+      sbom_overview:
+        $ref: '#/definitions/SBOMOverview'
+        description: The overview of the generating SBOM progress
       accessories:
         type: array
         items:
@@ -6738,11 +6758,47 @@ definitions:
         type: string
         description: Version of the scanner adapter
         example: "v0.9.1"
+  ScanRequestType:
+    type: object
+    properties:
+      scan_type: 
+        type: string
+        description: 'The scan type for the scan request. Two options are currently supported, vulnerability and sbom'
+        enum: [vulnerability, sbom]
   ScanOverview:
     type: object
     description: 'The scan overview attached in the metadata of tag'
     additionalProperties:
       $ref: '#/definitions/NativeReportSummary'
+  SBOMOverview:
+    type: object
+    description: 'The generate SBOM overview information'
+    properties:
+      start_time:
+        type: string
+        format: date-time
+        description: 'The start time of the generating sbom report task'
+        example: '2006-01-02T14:04:05Z'
+      end_time:
+        type: string
+        format: date-time
+        description: 'The end time of the generating sbom report task'
+        example: '2006-01-02T15:04:05Z'
+      scan_status:
+        type: string
+        description: 'The status of the generating SBOM task'
+      sbom_digest:
+        type: string
+        description: 'The digest of the generated SBOM accessory'   
+      report_id:
+        type: string
+        description: 'id of the native scan report'
+        example: '5f62c830-f996-11e9-957f-0242c0a89008'   
+      duration: 
+        type: integer
+        format: int64
+        description: 'Time in seconds required to create the report'
+        example: 300
   NativeReportSummary:
     type: object
     description: 'The summary for the native report'
@@ -8368,6 +8424,11 @@ definitions:
         default: ""
         description: Indicate the healthy of the registration
         example: "healthy"
+      capabilities:
+        type: object
+        description: Indicates the capabilities of the scanner, e.g. support_vulnerability or support_sbom.
+        additionalProperties: True
+        example:  {"support_vulnerability": true, "support_sbom": true}
     
   ScannerRegistrationReq:
     type: object

src/controller/scan/options.go

@@ -18,6 +18,15 @@ package scan
 type Options struct {
 	ExecutionID int64  // The execution id to scan artifact
 	Tag         string // The tag of the artifact to scan
+	ScanType    string // The scan type could be sbom or vulnerability
+}
+
+// GetScanType returns the scan type. for backward compatibility, the default type is vulnerability.
+func (o *Options) GetScanType() string {
+	if len(o.ScanType) == 0 {
+		o.ScanType = "vulnerability"
+	}
+	return o.ScanType
 }
 
 // Option represents an option item by func template.
@@ -44,3 +53,11 @@ func WithTag(tag string) Option {
 		return nil
 	}
 }
+
+// WithScanType set the scanType
+func WithScanType(scanType string) Option {
+	return func(options *Options) error {
+		options.ScanType = scanType
+		return nil
+	}
+}

src/server/v2.0/handler/scan.go

@@ -82,6 +82,9 @@ func (s *scanAPI) ScanArtifact(ctx context.Context, params operation.ScanArtifac
 	if !distribution.IsDigest(params.Reference) {
 		options = append(options, scan.WithTag(params.Reference))
 	}
+	if params.ScanRequestType != nil && validScanType(params.ScanRequestType.ScanType) {
+		options = append(options, scan.WithScanType(params.ScanRequestType.ScanType))
+	}
 
 	if err := s.scanCtl.Scan(ctx, artifact, options...); err != nil {
 		return s.SendError(ctx, err)
@@ -112,3 +115,7 @@ func (s *scanAPI) GetReportLog(ctx context.Context, params operation.GetReportLo
 
 	return operation.NewGetReportLogOK().WithPayload(string(bytes))
 }
+
+func validScanType(scanType string) bool {
+	return scanType == "sbom" || scanType == "vulnerability"
+}