chore: align sbom importer with csaf importer

backend/README.md

@@ -16,12 +16,11 @@ Connect to PSQL:
 env PGPASSWORD=eggs psql -U postgres -d huevos -h localhost -p 5432
 ```
 
-Import data:
+Import data (also see: [importer/README.md](importer/README.md) for more options):
 
 ```shell
-cargo run --bin huevos-cli importer csaf --source ../../trustification/data/ds1/csaf --db-user postgres --db-password eggs
-
-cargo run --bin huevos-cli importer sbom --source ../../trustification/data/ds1/sbom --db-user postgres --db-password eggs
+env DB_USER=postgres DB_PASSWORD=eggs cargo run -p trustify-cli -- importer csaf https://www.redhat.com
+env DB_USER=postgres DB_PASSWORD=eggs cargo run -p trustify-cli -- importer sbom https://access.redhat.com/security/data/sbom/beta/
 ```
 
 ## Notes on models

backend/importer/README.md

@@ -15,7 +15,13 @@ cargo run -p trustify-cli -- importer csaf https://www.redhat.com --only-prefix
 Or, using a locally cached version:
 
 ```bash
-mkdir data/csaf
+mkdir -p data/csaf
+csaf sync https://www.redhat.com --only-prefix cve-2023- -d data/csaf -3
+```
+
+If you need to sync the content without validation, you can use the `download` command:
+
+```bash
 csaf download https://www.redhat.com --only-prefix cve-2023- -d data/csaf
 ```
 
@@ -26,3 +32,26 @@ cargo run -p trustify-cli -- importer csaf data/csaf
 ```
 
 ## Importing SBOMs
+
+```bash
+cargo run -p trustify-cli -- importer sbom https://access.redhat.com/security/data/sbom/beta/
+```
+
+Or, using a locally cached version:
+
+```bash
+mkdir -p data/sbom
+sbom sync https://access.redhat.com/security/data/sbom/beta/ -d data/sbom --key https://access.redhat.com/security/data/97f5eac4.txt#77E79ABE93673533ED09EBE2DCE3823597F5EAC4 -3
+```
+
+If you need to sync the content without validation, you can use the `download` command:
+
+```bash
+sbom download https://access.redhat.com/security/data/sbom/beta/ -d data/sbom --key https://access.redhat.com/security/data/97f5eac4.txt#77E79ABE93673533ED09EBE2DCE3823597F5EAC4
+```
+
+And then:
+
+```bash
+cargo run -p trustify-cli -- importer sbom data/sbom
+```

backend/importer/src/sbom/mod.rs

@@ -1,7 +1,7 @@
 use crate::progress::init_log_and_progress;
 use sbom_walker::{
     retrieve::RetrievingVisitor,
-    source::{DispatchSource, FileSource, HttpSource},
+    source::{DispatchSource, FileSource, HttpOptions, HttpSource},
     validation::ValidationVisitor,
     walker::Walker,
 };
@@ -20,8 +20,11 @@ pub struct ImportSbomCommand {
     #[command(flatten)]
     pub database: Database,
 
+    /// GPG key used to sign SBOMs, use the fragment of the URL as fingerprint.
+    #[arg(long, env)]
+    pub key: Vec<Url>,
+
     /// Source URL or path
-    #[arg(short, long)]
     pub source: String,
 }
 
@@ -34,12 +37,19 @@ impl ImportSbomCommand {
         let system = InnerSystem::with_external_config(&self.database).await?;
 
         let source: DispatchSource = match Url::parse(&self.source) {
-            Ok(url) => HttpSource::new(
-                url,
-                Fetcher::new(Default::default()).await?,
-                Default::default(),
-            )
-            .into(),
+            Ok(url) => {
+                let keys = self
+                    .key
+                    .into_iter()
+                    .map(|key| key.into())
+                    .collect::<Vec<_>>();
+                HttpSource::new(
+                    url,
+                    Fetcher::new(Default::default()).await?,
+                    HttpOptions::new().keys(keys),
+                )
+                .into()
+            }
             Err(_) => FileSource::new(&self.source, None)?.into(),
         };
 

backend/importer/src/sbom/process.rs

@@ -50,9 +50,10 @@ impl ProcessVisitor {
         };
 
         if Sbom::try_parse_any(&data).is_ok() {
-            println!(
+            log::info!(
                 "Storing: {} (modified: {:?})",
-                doc.url, doc.metadata.last_modification
+                doc.url,
+                doc.metadata.last_modification
             );
 
             let sbom = self