feat: support RPM archives (#7628)

Signed-off-by: knqyf263 <knqyf263@gmail.com>

docs/docs/coverage/os/index.md

@@ -28,14 +28,14 @@ Trivy supports operating systems for
 | [Photon OS](photon.md)                | 1.0, 2.0, 3.0, 4.0                  | tndf/yum/rpm     |
 | [Debian GNU/Linux](debian.md)         | 7, 8, 9, 10, 11, 12                 | apt/dpkg         |
 | [Ubuntu](ubuntu.md)                   | All versions supported by Canonical | apt/dpkg         |
-| [OSs with installed Conda](conda.md)  | -                                   | conda            |
+| [OSs with installed Conda](../others/conda.md)  | -                                   | conda            |
 
 ## Supported container images
 
 | Container image                               | Supported Versions                  | Package Managers |
 |-----------------------------------------------|-------------------------------------|------------------|
 | [Google Distroless](google-distroless.md)[^2] | Any                                 | apt/dpkg         |
-| [Bitnami](bitnami.md)                         | Any                                 | -                |
+| [Bitnami](../others/bitnami.md)                         | Any                                 | -                |
 
 Each page gives more details.
 

docs/docs/coverage/others/bitnami.md

@@ -4,8 +4,8 @@
     Scanning results may be inaccurate.
 
 While it is not an OS, this page describes the details of the [container images provided by Bitnami](https://github.com/bitnami/containers).
-Bitnami images are based on [Debian](debian.md).
-Please see [the Debian page](debian.md) for OS packages.
+Bitnami images are based on [Debian](../os/debian.md).
+Please see [the Debian page](../os/debian.md) for OS packages.
 
 Trivy supports the following scanners for Bitnami packages.
 

docs/docs/coverage/others/rpm.md

@@ -0,0 +1,42 @@
+# RPM Archives
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+Trivy supports the following scanners for RPM archives.
+
+|    Scanner    | Supported |
+|:-------------:|:---------:|
+|     SBOM      |     ✓     |
+| Vulnerability |   ✓[^1]   |
+|    License    |     ✓     |
+
+The table below outlines the features offered by Trivy.
+
+## SBOM
+Trivy analyzes RPM archives matching `*.rpm`.
+This feature is currently disabled by default but can be enabled with an environment variable, `TRIVY_EXPERIMENTAL_RPM_ARCHIVE`.
+
+```shell
+TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms --format cyclonedx --output rpms.cdx.json
+```
+
+!!! note
+    Currently, it works with `--format cyclonedx`, `--format spdx` or `--format spdx-json`.
+
+
+## Vulnerability
+Since RPM files don't have OS information, you need to generate SBOM, fill in the OS information manually and then scan the SBOM for vulnerabilities.
+
+For example:
+
+```shell
+$ TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms -f cyclonedx -o rpms.cdx.json
+$ jq '(.components[] | select(.type == "operating-system")) |= (.name = "redhat" | .version = "7.9")' rpms.cdx.json > rpms-res.cdx.json
+$ trivy sbom ./rpms-res.cdx.json
+```
+
+## License
+If licenses are included in the RPM archive, Trivy extracts it.
+
+[^1]: Need to generate SBOM first and add OS information to that SBOM

docs/docs/supply-chain/sbom.md

@@ -743,7 +743,7 @@ Trivy searches for SBOM files in container images with the following extensions:
 - `.cdx`
 - `.cdx.json`
 
-In addition, Trivy automatically detects SBOM files in [Bitnami images](https://github.com/bitnami/containers), [see here](../coverage/os/bitnami.md) for more details.
+In addition, Trivy automatically detects SBOM files in [Bitnami images](https://github.com/bitnami/containers), [see here](../coverage/others/bitnami.md) for more details.
 
 It is enabled in the following targets.