feat(sbom): Add unmarshal for spdx (#2868)

Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>

pkg/fanal/artifact/sbom/sbom.go

@@ -20,6 +20,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/sbom"
 	"github.com/aquasecurity/trivy/pkg/sbom/cyclonedx"
+	"github.com/aquasecurity/trivy/pkg/sbom/spdx"
 )
 
 type Artifact struct {
@@ -83,6 +84,9 @@ func (a Artifact) Inspect(_ context.Context) (types.ArtifactReference, error) {
 	switch format {
 	case sbom.FormatCycloneDXJSON, sbom.FormatCycloneDXXML, sbom.FormatAttestCycloneDXJSON:
 		artifactType = types.ArtifactCycloneDX
+	case sbom.FormatSPDXTV, sbom.FormatSPDXJSON:
+		artifactType = types.ArtifactSPDX
+
 	}
 
 	return types.ArtifactReference{
@@ -117,6 +121,13 @@ func (a Artifact) Decode(f io.Reader, format sbom.Format) (sbom.SBOM, error) {
 			},
 		}
 		decoder = json.NewDecoder(f)
+	case sbom.FormatSPDXJSON:
+		v = &spdx.SPDX{SBOM: &bom}
+		decoder = json.NewDecoder(f)
+	case sbom.FormatSPDXTV:
+		v = &spdx.SPDX{SBOM: &bom}
+		decoder = spdx.NewTVDecoder(f)
+
 	default:
 		return sbom.SBOM{}, xerrors.Errorf("%s scanning is not yet supported", format)