feat: add spdx support for dhi

[ividalATSnyk]

• Ready for review
• Follows CONTRIBUTING rules
• Reviewed by Snyk internal team

What does this PR do?

Adds support for scanning Docker Hardened Images via parsing of SPDX SBOM files. Previously, packages that were only referenced in SPDX were ignored when scanning, leaving an incomplete dependency graph.

Where should the reviewer start?

SPDX parsing was added as a new analysis type under lib/analyzer/package-managers

The core logic exists in lib/analyzer/package-managers/spdx.ts, and is used in lib/inputs/spdx/static.ts, lib/analyzer/static-analyzer.ts, and lib/parser/index.ts. The latter contains logic for merging and deduplicating packages retrieved from SPDX with those from other sources.

How should this be manually tested?

You can verify that SPDX parsing is functioning by scanning snyklabs/dhi-python:3.13.8-debian13-dev which has two packages which are only found within the SPDX SBOM, pkg-binutils@2.45-debian13 and python@3.13.8.

1. Pull this branch
2. Build local snyk-docker-plugin with npm i && npm run build
3. Update cli to use local version of snyk-docker-plugin
4. Run the following command

snyk container monitor snyklabs/dhi-python:3.13.8-debian13-dev

5. Search for pkg-binutils@2.45-debian13 and python@3.13.8 under dependencies- nothing should come up

6. Run the following command

SNYK_API=https://app.snyk.io/api/v1 node index.js container monitor snyklabs/dhi-python:3.13.8-debian13-dev

8. Search for pkg-binutils@2.45-debian13 and python@3.13.8 again- you should now see them both
9. The total count of dependencies between both counts should differ by at least 2

What are the relevant tickets?

The relevant JIRA ticket is CN-561

Screenshots

Results when running snyk monitor snyklabs/dhi-python:3.13.8-debian13-dev before SPDX parsing

Results when running snyk monitor snyklabs/dhi-python:3.13.8-debian13-dev after SPDX parsing

Additional questions

• Open to other approaches for merging and deduplicating results