Issue with files array in v0.41.0

[gongomgra]

Description

SPDX-JSON files generated with Trivy version v0.41.0 produces the next warning several times in the SPDX validation tool:

 [object instance has properties which are not allowed by the schema: ["files"] for {"pointer":"/packages/1"}

This is caused by the files array being included for each package instead of being part of the top level document. This seems to be a bug introduced in the v0.41.0 release, as v0.40.0 generates correct SPDX files (according to the same validation tool). Also the hasFiles property is missing from SPDX files generated with v0.41.0.

Desired Behavior

files array is properly generated at the top level of the document.

"...": "...",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-fff4d108d760be2b",
            "attributionTexts": [
                "PkgID: yargs-parser@21.1.1"
            ],
            "downloadLocation": "NONE",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceLocator": "pkg:npm/yargs-parser@21.1.1",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "hasFiles": [
                "SPDXRef-File-64aa64f15d12369f"
            ],
            "licenseConcluded": "ISC",
            "licenseDeclared": "ISC",
            "name": "yargs-parser",
            "versionInfo": "21.1.1"
        },
        "...": "..."
     ],
    "files": [
        {
            "SPDXID": "SPDXRef-File-1010a4443f9f02d3",
            "checksums": [
                {
                    "algorithm": "SHA1",
                    "checksumValue": "187001da3bcc96d0cbc6fe2123580aff0a4234f6"
                }
            ],
            "fileName": "versions/5.49.1/node_modules/@stdlib/assert-is-int16array/package.json"
        },
        "...": "..."
     ],
    "...": "..."
}

Actual Behavior

    {
      "name": "yargs-parser",
      "SPDXID": "SPDXRef-Package-fc96800f938e217",
      "versionInfo": "20.2.9",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "licenseConcluded": "ISC",
      "licenseDeclared": "ISC",
      "copyrightText": "",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:npm/yargs-parser@20.2.9"
        }
      ],
      "attributionTexts": [
        "PkgID: yargs-parser@20.2.9"
      ],
      "primaryPackagePurpose": "LIBRARY",
      "files": [
        {
          "fileName": "versions/5.49.1/node_modules/yargs/node_modules/yargs-parser/package.json",
          "SPDXID": "SPDXRef-File-4f7412cc84bc2865",
          "checksums": [
            {
              "algorithm": "SHA1",
              "checksumValue": "c4aa01b308d7c68b34051999c3e144d24851c392"
            }
          ],
          "copyrightText": ""
        }
      ]
    },

Reproduction Steps

1. Scan a folder with version `v0.41.0`.
2. Scan the same folder with version `v0.40.0`.
3. Check differences.

Target

Filesystem

Scanner

None

Output Format

SPDX

Mode

Standalone

Debug Output

$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

$ trivy rootfs /opt/bitnami/ghost --format spdx-json --list-all-pkgs --license-full --debug --output /tmp/trivy-spdx.json

(view attached file)

### Operating System

Debian 11

### Version

```bash
$ trivy --version
Version: 0.41.0

Checklist

• Run trivy --reset
• Read the troubleshooting

[gongomgra]

Please find attached the output of running trivy --debug

output.log

[knqyf263]

@DmitriyLewen Can you please take a look?

[DmitriyLewen]

This is indeed a bug.
I created #4511

[knqyf263]

I'm sure the SPDX library used to move files under packages to top-level files with hasFile. I suspect the latest version changed the behavior.
#4058

[DmitriyLewen]

You are right. I am creating fix for that.

[gongomgra]

Great, thanks!

[knqyf263]

It is a breaking change on the SPDX library end...