fix: include packages unless it is not needed (#6765)

Signed-off-by: knqyf263 <[email protected]>

Author: knqyf263

docs/docs/references/configuration/cli/trivy_aws.md

@@ -89,7 +89,7 @@ trivy aws [flags]
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --include-deprecated-checks         include deprecated checks
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
-      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
       --max-cache-age duration            The maximum age of the cloud cache. Cached data will be required from the cloud provider if it is older than this. (default 24h0m0s)
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
   -o, --output string                     output file name

docs/docs/references/configuration/cli/trivy_convert.md

@@ -26,7 +26,7 @@ trivy convert [flags] RESULT_JSON
   -h, --help                       help for convert
       --ignore-policy string       specify the Rego file path to evaluate each vulnerability
       --ignorefile string          specify .trivyignore file (default ".trivyignore")
-      --list-all-pkgs              enabling the option will output all packages regardless of vulnerability
+      --list-all-pkgs              output all packages in the JSON report regardless of vulnerability
   -o, --output string              output file name
       --output-plugin-arg string   [EXPERIMENTAL] output plugin arguments
       --report string              specify a report format for the output (all,summary) (default "all")

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -55,7 +55,7 @@ trivy filesystem [flags] PATH
       --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar

docs/docs/references/configuration/cli/trivy_image.md

@@ -73,7 +73,7 @@ trivy image [flags] IMAGE_NAME
       --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -69,7 +69,7 @@ trivy kubernetes [flags] [CONTEXT]
       --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --k8s-version string                specify k8s version to validate outdated api by it (example: 1.21.0)
       --kubeconfig string                 specify the kubeconfig file path to use
-      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --no-progress                       suppress progress bar
       --node-collector-imageref string    indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.2.1")

docs/docs/references/configuration/cli/trivy_repository.md

@@ -55,7 +55,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -57,7 +57,7 @@ trivy rootfs [flags] ROOTDIR
       --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --license-confidence-level float    specify license classifier's confidence level (default 0.9)
       --license-full                      eagerly look for licenses in source code headers and license files
-      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -39,7 +39,7 @@ trivy sbom [flags] SBOM_PATH
       --ignored-licenses strings    specify a list of license to ignore
       --ignorefile string           specify .trivyignore file (default ".trivyignore")
       --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
-      --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
+      --list-all-pkgs               output all packages in the JSON report regardless of vulnerability
       --no-progress                 suppress progress bar
       --offline-scan                do not issue API requests to identify dependencies
   -o, --output string               output file name

docs/docs/references/configuration/cli/trivy_vm.md

@@ -49,7 +49,7 @@ trivy vm [flags] VM_IMAGE
       --ignorefile string                 specify .trivyignore file (default ".trivyignore")
       --include-non-failures              include successes and exceptions, available with '--scanners misconfig'
       --java-db-repository string         OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
-      --list-all-pkgs                     enabling the option will output all packages regardless of vulnerability
+      --list-all-pkgs                     output all packages in the JSON report regardless of vulnerability
       --misconfig-scanners strings        comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
       --module-dir string                 specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
       --no-progress                       suppress progress bar

integration/client_server_test.go

@@ -39,10 +39,10 @@ type csArgs struct {
 
 func TestClientServer(t *testing.T) {
 	tests := []struct {
-		name    string
-		args    csArgs
-		golden  string
-		wantErr string
+		name     string
+		args     csArgs
+		golden   string
+		override func(t *testing.T, want, got *types.Report)
 	}{
 		{
 			name: "alpine 3.9",
@@ -270,6 +270,9 @@ func TestClientServer(t *testing.T) {
 				Target:           "https://github.com/knqyf263/trivy-ci-test",
 			},
 			golden: "testdata/test-repo.json.golden",
+			override: func(t *testing.T, want, got *types.Report) {
+				want.ArtifactName = "https://github.com/knqyf263/trivy-ci-test"
+			},
 		},
 	}
 
@@ -284,7 +287,7 @@ func TestClientServer(t *testing.T) {
 			}
 
 			runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{
-				override: overrideUID,
+				override: overrideFuncs(overrideUID, tt.override),
 			})
 		})
 	}

integration/repo_test.go

@@ -234,6 +234,14 @@ func TestRepository(t *testing.T) {
 			},
 			golden: "testdata/composer.lock.json.golden",
 		},
+		{
+			name: "multiple lockfiles",
+			args: args{
+				scanner: types.VulnerabilityScanner,
+				input:   "testdata/fixtures/repo/trivy-ci-test",
+			},
+			golden: "testdata/test-repo.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{

integration/testdata/fixtures/repo/trivy-ci-test/Cargo.lock

@@ -1,7 +1,7 @@
 {
   "SchemaVersion": 2,
   "CreatedAt": "2021-08-25T12:20:30.000000005Z",
-  "ArtifactName": "https://github.com/knqyf263/trivy-ci-test",
+  "ArtifactName": "testdata/fixtures/repo/trivy-ci-test",
   "ArtifactType": "repository",
   "Metadata": {
     "ImageConfig": {
@@ -109,6 +109,11 @@
           "LastModifiedDate": "2021-08-16T16:37:00Z"
         }
       ]
+    },
+    {
+      "Target": "Pipfile.lock",
+      "Class": "lang-pkgs",
+      "Type": "pipenv"
     }
   ]
 }

integration/testdata/fixtures/repo/trivy-ci-test/Pipfile.lock

@@ -197,6 +197,7 @@ func TestFlags(t *testing.T) {
 				scanners: types.Scanners{
 					types.VulnerabilityScanner,
 					types.SecretScanner,
+					types.SBOMScanner,
 				},
 			},
 		},
@@ -216,6 +217,7 @@ func TestFlags(t *testing.T) {
 				scanners: types.Scanners{
 					types.VulnerabilityScanner,
 					types.SecretScanner,
+					types.SBOMScanner,
 				},
 			},
 		},
@@ -237,6 +239,7 @@ func TestFlags(t *testing.T) {
 				scanners: types.Scanners{
 					types.VulnerabilityScanner,
 					types.SecretScanner,
+					types.SBOMScanner,
 				},
 			},
 		},
@@ -257,6 +260,7 @@ func TestFlags(t *testing.T) {
 				scanners: types.Scanners{
 					types.VulnerabilityScanner,
 					types.SecretScanner,
+					types.SBOMScanner,
 				},
 			},
 		},

integration/testdata/test-repo.json.golden

@@ -538,7 +538,6 @@ func initScannerConfig(opts flag.Options, cacheClient cache.Cache) (ScannerConfi
 		Scanners:            opts.Scanners,
 		ImageConfigScanners: opts.ImageConfigScanners, // this is valid only for 'image' subcommand
 		ScanRemovedPackages: opts.ScanRemovedPkgs,     // this is valid only for 'image' subcommand
-		ListAllPackages:     opts.ListAllPkgs,
 		LicenseCategories:   opts.LicenseCategories,
 		FilePatterns:        opts.FilePatterns,
 		IncludeDevDeps:      opts.IncludeDevDeps,

pkg/commands/app_test.go

@@ -354,16 +354,7 @@ type Options struct {
 
 // Align takes consistency of options
 func (o *Options) Align() error {
-	if o.Format == types.FormatSPDX || o.Format == types.FormatSPDXJSON {
-		log.Info(`"--format spdx" and "--format spdx-json" disable security scanning`)
-		o.Scanners = nil
-	}
-
-	// Vulnerability scanning is disabled by default for CycloneDX.
-	if o.Format == types.FormatCycloneDX && !viper.IsSet(ScannersFlag.ConfigName) {
-		log.Info(`"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.`)
-		o.Scanners = nil
-	}
+	o.enableSBOM()
 
 	if o.Compliance.Spec.ID != "" {
 		if viper.IsSet(ScannersFlag.ConfigName) {
@@ -394,6 +385,32 @@ func (o *Options) Align() error {
 	return nil
 }
 
+func (o *Options) enableSBOM() {
+	// Always need packages when the vulnerability scanner is enabled
+	if o.Scanners.Enabled(types.VulnerabilityScanner) {
+		o.Scanners.Enable(types.SBOMScanner)
+	}
+
+	// Enable the SBOM scanner when a list of packages is necessary.
+	if o.ListAllPkgs || slices.Contains(types.SupportedSBOMFormats, o.Format) {
+		o.Scanners.Enable(types.SBOMScanner)
+	}
+
+	if o.Format == types.FormatSPDX || o.Format == types.FormatSPDXJSON {
+		log.Info(`"--format spdx" and "--format spdx-json" disable security scanning`)
+		o.Scanners = types.Scanners{types.SBOMScanner}
+	}
+
+	if o.Format == types.FormatCycloneDX {
+		// Vulnerability scanning is disabled by default for CycloneDX.
+		if !viper.IsSet(ScannersFlag.ConfigName) {
+			log.Info(`"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.`)
+			o.Scanners = nil
+		}
+		o.Scanners.Enable(types.SBOMScanner)
+	}
+}
+
 // RegistryOpts returns options for OCI registries
 func (o *Options) RegistryOpts() ftypes.RegistryOptions {
 	return ftypes.RegistryOptions{

pkg/commands/artifact/run.go

@@ -54,7 +54,7 @@ var (
 	ListAllPkgsFlag = Flag[bool]{
 		Name:       "list-all-pkgs",
 		ConfigName: "list-all-pkgs",
-		Usage:      "enabling the option will output all packages regardless of vulnerability",
+		Usage:      "output all packages in the JSON report regardless of vulnerability",
 	}
 	IgnoreFileFlag = Flag[string]{
 		Name:       "ignorefile",
@@ -208,10 +208,10 @@ func (f *ReportFlagGroup) ToOptions() (ReportOptions, error) {
 		}
 	}
 
-	// "--list-all-pkgs" option is unavailable with "--format table".
-	// If user specifies "--list-all-pkgs" with "--format table", we should warn it.
-	if listAllPkgs && format == types.FormatTable {
-		log.Warn(`"--list-all-pkgs" cannot be used with "--format table". Try "--format json" or other formats.`)
+	// "--list-all-pkgs" option is unavailable with other than "--format json".
+	// If user specifies "--list-all-pkgs" with "--format table" or other formats, we should warn it.
+	if listAllPkgs && format != types.FormatJSON {
+		log.Warn(`"--list-all-pkgs" is only valid for the JSON format, for other formats a list of packages is automatically included.`)
 	}
 
 	// "--dependency-tree" option is available only with "--format table".
@@ -224,11 +224,6 @@ func (f *ReportFlagGroup) ToOptions() (ReportOptions, error) {
 		}
 	}
 
-	// Enable '--list-all-pkgs' if needed
-	if f.forceListAllPkgs(format, listAllPkgs, dependencyTree) {
-		listAllPkgs = true
-	}
-
 	cs, err := loadComplianceTypes(f.Compliance.Value())
 	if err != nil {
 		return ReportOptions{}, xerrors.Errorf("unable to load compliance spec: %w", err)
@@ -273,23 +268,6 @@ func loadComplianceTypes(compliance string) (spec.ComplianceSpec, error) {
 	return cs, nil
 }
 
-func (f *ReportFlagGroup) forceListAllPkgs(format types.Format, listAllPkgs, dependencyTree bool) bool {
-	if slices.Contains(types.SupportedSBOMFormats, format) && !listAllPkgs {
-		log.Debugf("%q automatically enables '--list-all-pkgs'.", types.SupportedSBOMFormats)
-		return true
-	}
-	// We need this flag to insert dependency locations into Sarif('Package' struct contains 'Locations')
-	if format == types.FormatSarif && !listAllPkgs {
-		log.Debug("Sarif format automatically enables '--list-all-pkgs' to get locations")
-		return true
-	}
-	if dependencyTree && !listAllPkgs {
-		log.Debug("'--dependency-tree' enables '--list-all-pkgs'.")
-		return true
-	}
-	return false
-}
-
 func toSeverity(severity []string) []dbTypes.Severity {
 	if len(severity) == 0 {
 		return nil

pkg/flag/options.go

@@ -46,34 +46,12 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 		{
 			name: "happy path with an cyclonedx",
 			fields: fields{
-				severities:  "CRITICAL",
-				format:      "cyclonedx",
-				listAllPkgs: true,
-			},
-			want: flag.ReportOptions{
-				Severities:  []dbTypes.Severity{dbTypes.SeverityCritical},
-				Format:      types.FormatCycloneDX,
-				ListAllPkgs: true,
-			},
-		},
-		{
-			name: "happy path with an cyclonedx option list-all-pkgs is false",
-			fields: fields{
-				severities:  "CRITICAL",
-				format:      "cyclonedx",
-				listAllPkgs: false,
-				debug:       true,
-			},
-			wantLogs: []string{
-				`["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.`,
-				`Parsed severities	severities=[CRITICAL]`,
+				severities: "CRITICAL",
+				format:     "cyclonedx",
 			},
 			want: flag.ReportOptions{
-				Severities: []dbTypes.Severity{
-					dbTypes.SeverityCritical,
-				},
-				Format:      types.FormatCycloneDX,
-				ListAllPkgs: true,
+				Severities: []dbTypes.Severity{dbTypes.SeverityCritical},
+				Format:     types.FormatCycloneDX,
 			},
 		},
 		{
@@ -128,7 +106,7 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 				listAllPkgs: true,
 			},
 			wantLogs: []string{
-				`"--list-all-pkgs" cannot be used with "--format table". Try "--format json" or other formats.`,
+				`"--list-all-pkgs" is only valid for the JSON format, for other formats a list of packages is automatically included.`,
 			},
 			want: flag.ReportOptions{
 				Format:      "table",
@@ -224,7 +202,7 @@ func TestReportFlagGroup_ToOptions(t *testing.T) {
 
 			got, err := f.ToOptions()
 			require.NoError(t, err)
-			assert.Equalf(t, tt.want, got, "ToOptions()")
+			assert.EqualExportedValuesf(t, tt.want, got, "ToOptions()")
 
 			// Assert log messages
 			assert.Equal(t, tt.wantLogs, out.Messages(), tt.name)

pkg/flag/report_flags.go

@@ -6,18 +6,30 @@ import (
 	"fmt"
 	"io"
 
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 // JSONWriter implements result Writer
 type JSONWriter struct {
-	Output io.Writer
+	Output      io.Writer
+	ListAllPkgs bool
 }
 
 // Write writes the results in JSON format
-func (jw JSONWriter) Write(ctx context.Context, report types.Report) error {
+func (jw JSONWriter) Write(_ context.Context, report types.Report) error {
+	if !jw.ListAllPkgs {
+		// Delete packages
+		for i := range report.Results {
+			report.Results[i].Packages = nil
+		}
+	}
+	report.Results = lo.Filter(report.Results, func(r types.Result, _ int) bool {
+		return r.Target != "" || !r.IsEmpty()
+	})
+
 	output, err := json.MarshalIndent(report, "", "  ")
 	if err != nil {
 		return xerrors.Errorf("failed to marshal json: %w", err)

pkg/flag/report_flags_test.go

@@ -55,7 +55,10 @@ func Write(ctx context.Context, report types.Report, option flag.Options) (err e
 			IgnoredLicenses:      option.IgnoredLicenses,
 		}
 	case types.FormatJSON:
-		writer = &JSONWriter{Output: output}
+		writer = &JSONWriter{
+			Output:      output,
+			ListAllPkgs: option.ListAllPkgs,
+		}
 	case types.FormatGitHub:
 		writer = &github.Writer{
 			Output:  output,
@@ -76,7 +79,6 @@ func Write(ctx context.Context, report types.Report, option flag.Options) (err e
 			}
 			break
 		}
-		var err error
 		if writer, err = NewTemplateWriter(output, option.Template, option.AppVersion); err != nil {
 			return xerrors.Errorf("failed to initialize template writer: %w", err)
 		}

pkg/report/json.go

@@ -84,7 +84,6 @@ func (s Scanner) Scan(ctx context.Context, target, artifactKey string, blobKeys
 			Options: &rpc.ScanOptions{
 				VulnType:          opts.VulnType,
 				Scanners:          xstrings.ToStringSlice(opts.Scanners),
-				ListAllPackages:   opts.ListAllPackages,
 				LicenseCategories: licenseCategories,
 				IncludeDevDeps:    opts.IncludeDevDeps,
 			},

pkg/report/writer.go

@@ -47,10 +47,9 @@ func (s *ScanServer) Scan(ctx context.Context, in *rpcScanner.ScanRequest) (*rpc
 		return types.Scanner(s)
 	})
 	options := types.ScanOptions{
-		VulnType:        in.Options.VulnType,
-		Scanners:        scanners,
-		ListAllPackages: in.Options.ListAllPackages,
-		IncludeDevDeps:  in.Options.IncludeDevDeps,
+		VulnType:       in.Options.VulnType,
+		Scanners:       scanners,
+		IncludeDevDeps: in.Options.IncludeDevDeps,
 	}
 	results, os, err := s.localScanner.Scan(ctx, in.Target, in.ArtifactId, in.BlobIds, options)
 	if err != nil {

pkg/rpc/client/client.go

@@ -54,10 +54,8 @@ func (s *scanner) Scan(ctx context.Context, target types.ScanTarget, opts types.
 			Type:   app.Type,
 		}
 
-		if opts.ListAllPackages {
-			sort.Sort(app.Packages)
-			result.Packages = app.Packages
-		}
+		sort.Sort(app.Packages)
+		result.Packages = app.Packages
 
 		if opts.Scanners.Enabled(types.VulnerabilityScanner) {
 			var err error

pkg/rpc/server/server.go

@@ -153,7 +153,7 @@ func (s Scanner) ScanTarget(ctx context.Context, target types.ScanTarget, option
 
 func (s Scanner) scanVulnerabilities(ctx context.Context, target types.ScanTarget, options types.ScanOptions) (
 	types.Results, bool, error) {
-	if !options.ListAllPackages && !options.Scanners.Enabled(types.VulnerabilityScanner) {
+	if !options.Scanners.AnyEnabled(types.SBOMScanner, types.VulnerabilityScanner) {
 		return nil, false, nil
 	}
 

pkg/scanner/langpkg/scan.go

@@ -42,10 +42,8 @@ func (s *scanner) Scan(ctx context.Context, target types.ScanTarget, opts types.
 		Type:   target.OS.Family,
 	}
 
-	if opts.ListAllPackages {
-		sort.Sort(target.Packages)
-		result.Packages = target.Packages
-	}
+	sort.Sort(target.Packages)
+	result.Packages = target.Packages
 
 	if !opts.Scanners.Enabled(types.VulnerabilityScanner) {
 		// Return packages only

pkg/scanner/local/scan.go

@@ -26,7 +26,6 @@ type ScanOptions struct {
 	Scanners            Scanners
 	ImageConfigScanners Scanners // Scanners for container image configuration
 	ScanRemovedPackages bool
-	ListAllPackages     bool
 	LicenseCategories   map[types.LicenseCategory][]string
 	FilePatterns        []string
 	IncludeDevDeps      bool

pkg/scanner/local/scan_test.go

@@ -29,6 +29,9 @@ const (
 	// NoneScanner is the scanner of none
 	NoneScanner = Scanner("none")
 
+	// SBOMScanner is the virtual scanner of SBOM, which cannot be enabled by the user
+	SBOMScanner = Scanner("sbom")
+
 	// VulnerabilityScanner is the scanner of vulnerabilities
 	VulnerabilityScanner = Scanner("vuln")
 
@@ -70,12 +73,18 @@ var (
 	}
 )
 
-func (scanners Scanners) Enabled(s Scanner) bool {
-	return slices.Contains(scanners, s)
+func (scanners *Scanners) Enable(s Scanner) {
+	if !scanners.Enabled(s) {
+		*scanners = append(*scanners, s)
+	}
+}
+
+func (scanners *Scanners) Enabled(s Scanner) bool {
+	return slices.Contains(*scanners, s)
 }
 
 // AnyEnabled returns true if any of the passed scanners is included.
-func (scanners Scanners) AnyEnabled(ss ...Scanner) bool {
+func (scanners *Scanners) AnyEnabled(ss ...Scanner) bool {
 	for _, s := range ss {
 		if scanners.Enabled(s) {
 			return true

pkg/scanner/ospkg/scan.go

@@ -25,9 +25,10 @@ message Licenses {
 message ScanOptions {
   repeated string       vuln_type          = 1;
   repeated string       scanners           = 2;
-  bool                  list_all_packages  = 3;
   map<string, Licenses> license_categories = 4;
   bool                  include_dev_deps   = 5;
+
+  reserved 3;  // deleted 'list_all_packages'
 }
 
 message ScanResponse {