SBOM exports (#269)

* Add sbom command * Add SBOM generation as flag to scan command * Add format flag * Put CLI binary in root as well on make install and correctly specify that enterprise is required for SBOM export * Update goreleaser to latest version * go mod tidying --------- Co-authored-by: Oscar Reimer <[email protected]>
debricked · Oct 3, 2024 · 684f2eb · 684f2eb
1 parent 28d8144
commit 684f2eb
Show file tree

Hide file tree

Showing 18 changed files with 721 additions and 38 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -106,7 +106,7 @@ jobs:
           cd cmd/debricked
           go generate -v -x
 
-      - uses: goreleaser/goreleaser-action@v5
+      - uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
           version: latest

diff --git a/.gitignore b/.gitignore
@@ -46,3 +46,5 @@ test/resolve/testdata/gradle/gradle.debricked.lock
 debricked-call-graph.*
 internal/scan/testdata/npm/result.json
 /internal/file/testdata/misc/yarn.lock
+/internal/callgraph/finder/javafinder/testdata/guava/maven.debricked.lock
+/internal/resolution/pm/maven/testdata/guava/maven.debricked.lock
diff --git a/go.mod b/go.mod
@@ -9,13 +9,16 @@ require (
 	github.com/fatih/color v1.16.0
 	github.com/go-git/go-billy/v5 v5.5.0
 	github.com/go-git/go-git/v5 v5.11.0
+	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/hashicorp/go-retryablehttp v0.7.7
 	github.com/jedib0t/go-pretty/v6 v6.4.6
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
 	github.com/schollz/progressbar/v3 v3.13.1
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/viper v1.15.0
 	github.com/stretchr/testify v1.8.4
 	github.com/vifraa/gopom v0.2.1
+	github.com/zalando/go-keyring v0.2.5
 	golang.org/x/oauth2 v0.22.0
 	golang.org/x/tools v0.19.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -27,18 +30,14 @@ require (
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
 	github.com/alessio/shellescape v1.4.1 // indirect
-	github.com/cli/browser v1.0.0 // indirect
-	github.com/cli/safeexec v1.0.0 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/danieljoos/wincred v1.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-oauth2/oauth2 v3.9.2+incompatible // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
-	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
@@ -54,7 +53,6 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.7 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
-	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
@@ -66,7 +64,6 @@ require (
 	github.com/stretchr/objx v0.5.0 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
-	github.com/zalando/go-keyring v0.2.5 // indirect
 	golang.org/x/crypto v0.21.0 // indirect
 	golang.org/x/mod v0.16.0 // indirect
 	golang.org/x/net v0.22.0 // indirect

diff --git a/go.sum b/go.sum
@@ -60,14 +60,7 @@ github.com/chelnak/ysmrr v0.2.1/go.mod h1:9TEgLy2xDMGN62zJm9XZrEWY/fHoGoBslSVEkE
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cli/browser v1.0.0 h1:RIleZgXrhdiCVgFBSjtWwkLPUCWyhhhN5k5HGSBt1js=
-github.com/cli/browser v1.0.0/go.mod h1:IEWkHYbLjkhtjwwWlwTHW2lGxeS5gezEQBMLTwDHf5Q=
-github.com/cli/oauth v1.0.1 h1:pXnTFl/qUegXHK531Dv0LNjW4mLx626eS42gnzfXJPA=
-github.com/cli/oauth v1.0.1/go.mod h1:qd/FX8ZBD6n1sVNQO3aIdRxeu5LGw9WhKnYhIIoC2A4=
-github.com/cli/safeexec v1.0.0 h1:0VngyaIyqACHdcMNWfo6+KdUYnqEr2Sg+bSP1pdF+dI=
-github.com/cli/safeexec v1.0.0/go.mod h1:Z/D4tTN8Vs5gXYHDCbaM1S/anmEDnJb1iW0+EJ5zx3Q=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
 github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
@@ -91,8 +84,6 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
-github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
@@ -109,8 +100,6 @@ github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lK
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-oauth2/oauth2 v3.9.2+incompatible h1:A8gSjq4110EgZDVk4ZtcpusynU2Fto9eM6sXvxL+EOs=
-github.com/go-oauth2/oauth2 v3.9.2+incompatible/go.mod h1:GGcZ+i513KxN4yS7zBYfmwo3P+cyGvCS675uCNmWv/g=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
@@ -174,11 +163,7 @@ github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5m
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
 github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v1.2.0 h1:La19f8d7WIlm4ogzNHB0JGqs5AUDAZ2UfCY4sJXcJdM=
 github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k=
-github.com/hashicorp/go-retryablehttp v0.7.2 h1:AcYqCvkpalPnPF2pn0KamgwamS42TqUDDYFRKq/RAd0=
-github.com/hashicorp/go-retryablehttp v0.7.2/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
 github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
 github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -213,8 +198,6 @@ github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxec
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.18 h1:DOKFKCQ7FNG2L1rbrmstDN4QVRdS89Nkh85u68Uwp98=
-github.com/mattn/go-isatty v0.0.18/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
@@ -457,8 +440,6 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

diff --git a/internal/cmd/report/report.go b/internal/cmd/report/report.go
@@ -2,8 +2,10 @@ package report
 
 import (
 	"github.com/debricked/cli/internal/cmd/report/license"
+	"github.com/debricked/cli/internal/cmd/report/sbom"
 	"github.com/debricked/cli/internal/cmd/report/vulnerability"
 	licenseReport "github.com/debricked/cli/internal/report/license"
+	sbomReport "github.com/debricked/cli/internal/report/sbom"
 	vulnerabilityReport "github.com/debricked/cli/internal/report/vulnerability"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -12,19 +14,21 @@ import (
 func NewReportCmd(
 	licenseReporter licenseReport.Reporter,
 	vulnerabilityReporter vulnerabilityReport.Reporter,
+	sbomReporter sbomReport.Reporter,
 ) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "report",
 		Short: "Generate reports",
 		Long: `Generate reports.
-This is a premium feature. Please visit https://debricked.com/pricing/ for more info.`,
+Premium is required for license and vulnerability reports. Enterprise is required for SBOM reports. Please visit https://debricked.com/pricing/ for more info.`,
 		PreRun: func(cmd *cobra.Command, _ []string) {
 			_ = viper.BindPFlags(cmd.Flags())
 		},
 	}
 
 	cmd.AddCommand(license.NewLicenseCmd(licenseReporter))
 	cmd.AddCommand(vulnerability.NewVulnerabilityCmd(vulnerabilityReporter))
+	cmd.AddCommand(sbom.NewSBOMCmd(sbomReporter))
 
 	return cmd
 }
diff --git a/internal/cmd/report/report_test.go b/internal/cmd/report/report_test.go
@@ -4,20 +4,22 @@ import (
 	"testing"
 
 	"github.com/debricked/cli/internal/report/license"
+	"github.com/debricked/cli/internal/report/sbom"
 	"github.com/debricked/cli/internal/report/vulnerability"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestNewReportCmd(t *testing.T) {
-	cmd := NewReportCmd(license.Reporter{}, vulnerability.Reporter{})
+	cmd := NewReportCmd(license.Reporter{}, vulnerability.Reporter{}, sbom.Reporter{})
 	commands := cmd.Commands()
-	nbrOfCommands := 2
+	nbrOfCommands := 3
 	assert.Lenf(t, commands, nbrOfCommands, "failed to assert that there were %d sub commands connected", nbrOfCommands)
 }
 
 func TestPreRun(t *testing.T) {
 	var licenseReporter license.Reporter
 	var vulnReporter vulnerability.Reporter
-	cmd := NewReportCmd(licenseReporter, vulnReporter)
+	var sbomReporter sbom.Reporter
+	cmd := NewReportCmd(licenseReporter, vulnReporter, sbomReporter)
 	cmd.PreRun(cmd, nil)
 }
diff --git a/internal/cmd/report/sbom/sbom.go b/internal/cmd/report/sbom/sbom.go
@@ -0,0 +1,94 @@
+package sbom
+
+import (
+	"fmt"
+
+	"github.com/debricked/cli/internal/report"
+	"github.com/debricked/cli/internal/report/sbom"
+	"github.com/fatih/color"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var commitId string
+var repositoryId string
+var branch string
+var format string
+var vulnerabilities bool
+var licenses bool
+var output string
+
+const CommitFlag = "commit"
+const RepositorylFlag = "repository"
+const TokenFlag = "token"
+const BranchFlag = "branch"
+const VulnerabilitiesFlag = "vulnerabilities"
+const LicensesFlag = "licenses"
+const OutputFlag = "output"
+const FormatFlag = "format"
+
+func NewSBOMCmd(reporter report.IReporter) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "sbom",
+		Short: "Generate SBOM report",
+		Long: `Generate SBOM report for chosen commit and repository. 
+For an example of the SBOM format see https://github.com/debricked/blog-snippets/blob/main/example-sbom-report/SBOM_2022-12-14.json.
+
+This is an enterprise feature. Please visit https://debricked.com/pricing/ for more info.`,
+		PreRun: func(cmd *cobra.Command, _ []string) {
+			_ = viper.BindPFlags(cmd.Flags())
+		},
+		RunE: RunE(reporter),
+	}
+
+	cmd.Flags().StringVarP(&commitId, CommitFlag, "c", "", "The commit that you want an SBOM report for")
+	_ = cmd.MarkFlagRequired(CommitFlag)
+	viper.MustBindEnv(CommitFlag)
+
+	cmd.Flags().StringVarP(&repositoryId, RepositorylFlag, "r", "", "The repository that you want an SBOM report for")
+	_ = cmd.MarkFlagRequired(RepositorylFlag)
+	viper.MustBindEnv(RepositorylFlag)
+
+	cmd.Flags().StringVarP(&branch, BranchFlag, "b", "", "The branch that you want an SBOM report for")
+	viper.MustBindEnv(BranchFlag)
+
+	cmd.Flags().StringVarP(&format, FormatFlag, "f", "", `The format that you want the SBOM report in.
+
+Supported options are: 'CycloneDX', 'SPDX'`,
+	)
+	viper.MustBindEnv(FormatFlag)
+
+	cmd.Flags().BoolVar(&vulnerabilities, VulnerabilitiesFlag, true, "Toggle SBOM vulnerability data inclusion")
+	viper.MustBindEnv(VulnerabilitiesFlag)
+
+	cmd.Flags().BoolVar(&licenses, LicensesFlag, true, "Toggle SBOM license data inclusion")
+	viper.MustBindEnv(LicensesFlag)
+
+	cmd.Flags().StringVarP(&output, OutputFlag, "o", "", `Set output path for downloaded SBOM json file.
+
+If no output path is set the file is created in the format <repository_id>-<commit_id>.sbom.json`,
+	)
+	viper.MustBindEnv(OutputFlag)
+
+	return cmd
+}
+
+func RunE(r report.IReporter) func(_ *cobra.Command, args []string) error {
+	return func(_ *cobra.Command, _ []string) error {
+		orderArgs := sbom.OrderArgs{
+			RepositoryID:    viper.GetString(RepositorylFlag),
+			CommitID:        viper.GetString(CommitFlag),
+			Branch:          viper.GetString(BranchFlag),
+			Vulnerabilities: viper.GetBool(VulnerabilitiesFlag),
+			Licenses:        viper.GetBool(LicensesFlag),
+			Output:          viper.GetString(OutputFlag),
+			Format:          viper.GetString(FormatFlag),
+		}
+
+		if err := r.Order(orderArgs); err != nil {
+			return fmt.Errorf("%s %s", color.RedString("⨯"), err.Error())
+		}
+
+		return nil
+	}
+}
diff --git a/internal/cmd/report/sbom/sbom_test.go b/internal/cmd/report/sbom/sbom_test.go
@@ -0,0 +1,63 @@
+package sbom
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/debricked/cli/internal/cmd/report/testdata"
+	"github.com/debricked/cli/internal/report"
+	"github.com/spf13/viper"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewSBOMCmd(t *testing.T) {
+	var r report.IReporter
+	cmd := NewSBOMCmd(r)
+	commands := cmd.Commands()
+	nbrOfCommands := 0
+	assert.Len(t, commands, nbrOfCommands)
+
+	viperKeys := viper.AllKeys()
+	flags := cmd.Flags()
+	flagAssertions := map[string]string{
+		CommitFlag:      "c",
+		RepositorylFlag: "r",
+	}
+	for name, shorthand := range flagAssertions {
+		flag := flags.Lookup(name)
+		assert.NotNil(t, flag)
+		assert.Equalf(t, shorthand, flag.Shorthand, "failed to assert that %s flag shorthand %s was set correctly", name, shorthand)
+
+		match := false
+		for _, key := range viperKeys {
+			if key == name {
+				match = true
+			}
+		}
+		assert.Truef(t, match, "failed to assert that %s was present", name)
+	}
+}
+
+func TestRunEError(t *testing.T) {
+	reporterMock := testdata.NewReporterMock()
+	reporterMock.SetError(errors.New(""))
+	runeE := RunE(reporterMock)
+
+	err := runeE(nil, nil)
+
+	assert.ErrorContains(t, err, "⨯")
+}
+
+func TestRunE(t *testing.T) {
+	reporterMock := testdata.NewReporterMock()
+	runeE := RunE(reporterMock)
+
+	err := runeE(nil, nil)
+
+	assert.NoError(t, err)
+}
+
+func TestPreRun(t *testing.T) {
+	cmd := NewSBOMCmd(nil)
+	cmd.PreRun(cmd, nil)
+}
diff --git a/internal/cmd/resolve/resolve.go b/internal/cmd/resolve/resolve.go
@@ -67,7 +67,7 @@ Examples:
 $ debricked scan . --include '**/node_modules/**'`)
 	regenerateDoc := strings.Join(
 		[]string{
-			"Toggles regeneration of already existing lock files between 3 modes:\n",
+			"Toggle regeneration of already existing lock files between 3 modes:\n",
 			"Force Regeneration Level | Meaning",
 			"------------------------ | -------",
 			"0 (default)              | No regeneration",

diff --git a/internal/cmd/root/root.go b/internal/cmd/root/root.go
@@ -42,7 +42,7 @@ Read more: https://docs.debricked.com/product/administration/generate-access-tok
 	var debClient = container.DebClient()
 	debClient.SetAccessToken(&accessToken)
 
-	rootCmd.AddCommand(report.NewReportCmd(container.LicenseReporter(), container.VulnerabilityReporter()))
+	rootCmd.AddCommand(report.NewReportCmd(container.LicenseReporter(), container.VulnerabilityReporter(), container.SBOMReporter()))
 	rootCmd.AddCommand(files.NewFilesCmd(container.Finder()))
 	rootCmd.AddCommand(scan.NewScanCmd(container.Scanner()))
 	rootCmd.AddCommand(fingerprint.NewFingerprintCmd(container.Fingerprinter()))

diff --git a/internal/cmd/root/root_test.go b/internal/cmd/root/root_test.go
@@ -35,7 +35,7 @@ func TestNewRootCmd(t *testing.T) {
 		}
 	}
 	assert.Truef(t, match, "failed to assert that flag was present: "+AccessTokenFlag)
-	assert.Len(t, viperKeys, 15)
+	assert.Len(t, viperKeys, 21)
 }
 
 func TestPreRun(t *testing.T) {