Conversation

@ReiPenguin ReiPenguin commented Oct 15, 2025

What did you implement:

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

$ vuls report -format-spdx-json -to-localfile

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

Reference

@ReiPenguin ReiPenguin changed the title feat SBOM SPDX reporter [WIP] feat/SBOM SPDX reporter Oct 15, 2025
@ReiPenguin ReiPenguin changed the title [WIP] feat/SBOM SPDX reporter feat(report): Implement SBOM SPDX-JSON format reporter Oct 16, 2025
@ReiPenguin ReiPenguin marked this pull request as ready for review October 16, 2025 09:51
@MaineK00n MaineK00n requested review from MaineK00n and shino October 16, 2025 15:21
@MaineK00n (Collaborator) commented:

@ReiPenguin
It seems that SPDX v3.0 has been released, but why did you choose v2.3?
https://spdx.github.io/spdx-spec/v3.0.1/

@ReiPenguin (Contributor, Author) commented:

@ReiPenguin It seems that SPDX v3.0 has been released, but why did you choose v2.3? https://spdx.github.io/spdx-spec/v3.0.1/

The spec for SPDX v3.0 is out, but we're only supporting up to v2.3 for the time being for a couple of reasons:

  • The official spdx/tools-golang library doesn't support v3.0 yet (PR)
  • Most SBOM generation tools still only support up to v2.3, so we feel it's more important to support that first.

Comment on lines 508 to 525

    if pi.PackageName != pj.PackageName {
        if pi.PackageName < pj.PackageName {
            return -1
        }
        return 1
    }
    if pi.PackageVersion != pj.PackageVersion {
        if pi.PackageVersion < pj.PackageVersion {
            return -1
        }
        return 1
    }
    if pi.PackageSPDXIdentifier < pj.PackageSPDXIdentifier {
        return -1
    } else if pi.PackageSPDXIdentifier > pj.PackageSPDXIdentifier {
        return 1
    }
    return 0

Review comment (Collaborator):

Use cmp.Or, cmp.Compare.

https://pkg.go.dev/cmp#Compare
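The comparator from the review comment above, rewritten with cmp.Or and cmp.Compare as the reviewer suggests; this is an added example, not code from the PR, and Package is a constructed stand-in for the three spdx.Package fields the comparator reads:

```go
package main

import (
	"cmp"
	"fmt"
	"slices"
)

// Package is a constructed stand-in holding the three spdx.Package fields
// the comparator reads.
type Package struct {
	PackageName           string
	PackageVersion        string
	PackageSPDXIdentifier string
}

// comparePackages orders by name, then version, then SPDX identifier.
// cmp.Or returns its first non-zero argument, so a later key is only
// decisive when every earlier key ties; this replaces the nested ifs.
func comparePackages(pi, pj Package) int {
	return cmp.Or(
		cmp.Compare(pi.PackageName, pj.PackageName),
		cmp.Compare(pi.PackageVersion, pj.PackageVersion),
		cmp.Compare(pi.PackageSPDXIdentifier, pj.PackageSPDXIdentifier),
	)
}

// sortedIDs sorts a copy of pkgs with comparePackages and returns the
// SPDX identifiers in that order, which makes the ordering checkable.
func sortedIDs(pkgs []Package) []string {
	out := slices.Clone(pkgs)
	slices.SortFunc(out, comparePackages)
	ids := make([]string, 0, len(out))
	for _, p := range out {
		ids = append(ids, p.PackageSPDXIdentifier)
	}
	return ids
}

func main() {
	// Constructed sample input with ties on name and on name+version.
	pkgs := []Package{
		{"openssl", "3.0.2", "SPDXRef-Package-3"},
		{"bash", "5.1", "SPDXRef-Package-2"},
		{"bash", "5.0", "SPDXRef-Package-1"},
		{"bash", "5.1", "SPDXRef-Package-0"},
	}
	fmt.Println(sortedIDs(pkgs))
}
```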

Comment on lines 206 to 210

    if urls, exists := packageToURLMap[pack.Name]; exists {
        for _, url := range urls {
            externalRefs = appendExternalRefs(externalRefs, categorySecurity, securityAdvisory, url)
        }
    }

Review comment (Collaborator):

If you are just looping through urls, you don't need to evaluate exists.

Suggested change

Before:

    if urls, exists := packageToURLMap[pack.Name]; exists {
        for _, url := range urls {
            externalRefs = appendExternalRefs(externalRefs, categorySecurity, securityAdvisory, url)
        }
    }

After:

    for _, url := range packageToURLMap[pack.Name] {
        externalRefs = appendExternalRefs(externalRefs, categorySecurity, securityAdvisory, url)
    }

@ReiPenguin ReiPenguin requested review from MaineK00n and shino October 21, 2025 07:42
shino commented Oct 22, 2025

Just a memo to save my brain memory.

When report is executed twice, there will be an error in parsing the spdx json files:

## First time
% go run ./cmd/vuls report -format-spdx-json -to-localfile
[Oct 22 13:41:59]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[snip]
[Oct 22 13:42:00]  INFO [localhost] : 0 CVEs filtered by --confidence-over=80

## Second time
% go run ./cmd/vuls report -format-spdx-json -to-localfile
[Oct 22 13:42:03]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[Oct 22 13:42:03]  INFO [localhost] Validating config...
[Oct 22 13:42:03]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Oct 22 13:42:03]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Oct 22 13:42:03]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/home/shino/g/vuls/gost.sqlite3
[Oct 22 13:42:03]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Oct 22 13:42:03]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Oct 22 13:42:03]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Oct 22 13:42:03]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Oct 22 13:42:04] ERROR [localhost] Failed to parse /home/shino/g/vuls-another/results/2025-09-29T19-38-53+0900/ubuntu_2004_spdx.json: json: cannot unmarshal array into Go struct field ScanResult.packages of type models.Packages
exit status 1

Also, two files are created under results/:

% ll results/
total 16K
drwx------ 2 shino shino 4.0K Oct 22 13:42 2025-09-29T19-38-53+0900/
-rw------- 1 shino shino 5.6K Oct 22 13:42 2025-09-29T19-38-53+0900.json
-rw------- 1 shino shino  412 Oct 22 13:42 2025-09-29T19-38-53+0900_spdx.json

For cdx format, no error happens, but two extra strange files are created.

If we cannot come up with a nice idea to fix these, it's acceptable for now, I think; they are "known bugs", aren't they?
If so, this comment should be a separate issue.
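One way a results loader could tolerate the SBOM files described above: peek at the top-level JSON keys and skip anything that is an SPDX document before trying to unmarshal it as a scan result. This is an added illustration, not the fix the project adopted; ScanResult is a constructed stand-in for models.ScanResult and both inputs are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ScanResult is a constructed stand-in for models.ScanResult that keeps
// only the field which failed to unmarshal in the log above.
type ScanResult struct {
	ServerName string            `json:"serverName"`
	Packages   map[string]string `json:"packages"`
}

// isSPDXDocument peeks at the top-level keys without binding them to a
// struct: SPDX 2.x JSON carries "spdxVersion" and "SPDXID", a ScanResult does not.
func isSPDXDocument(data []byte) bool {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(data, &top); err != nil {
		return false
	}
	_, hasVersion := top["spdxVersion"]
	_, hasID := top["SPDXID"]
	return hasVersion && hasID
}

// loadScanResult returns (nil, nil) for an SPDX document instead of failing,
// so a second report run does not choke on the SBOM the first run wrote to results/.
func loadScanResult(data []byte) (*ScanResult, error) {
	if isSPDXDocument(data) {
		return nil, nil
	}
	var r ScanResult
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, fmt.Errorf("failed to parse scan result: %w", err)
	}
	return &r, nil
}

// Constructed samples: a minimal SPDX 2.3 document (its "packages" is an
// array, which is exactly what the ScanResult unmarshal rejects) and a scan result.
var (
	sampleSPDX   = []byte(`{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"ubuntu_2004","packages":[{"name":"bash","SPDXID":"SPDXRef-Package-1"}]}`)
	sampleResult = []byte(`{"serverName":"ubuntu_2004","packages":{"bash":"5.0"}}`)
)

func main() {
	r, err := loadScanResult(sampleSPDX) // skipped: r == nil, err == nil
	fmt.Println(r == nil, err)
}
```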

@shino shino left a comment

The goal is in sight!

@ReiPenguin ReiPenguin requested a review from shino October 23, 2025 14:33
@shino shino left a comment

Almost done! Some nitpicky comments added.

@ReiPenguin ReiPenguin requested a review from shino October 24, 2025 16:17
@shino shino left a comment

Great feature! Thanks a lot!! 🍻 🍶 🍷 🥂

@shino shino merged commit 0ba85f8 into future-architect:master Oct 25, 2025
7 checks passed
@shino shino deleted the sbom-spdx-report branch October 25, 2025 02:18