docs: non-packaged and sbom clarifications (#6975)

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>

Author: itaysk

docs/docs/coverage/language/golang.md

@@ -66,7 +66,7 @@ such as `go mod download`, `go mod tidy`, etc.
 Trivy traverses `$GOPATH/pkg/mod` and collects those extra information.
 
 ### Go binaries
-Trivy scans binaries built by Go.
+Trivy scans binaries built by Go, which include [module information](https://tip.golang.org/doc/go1.18#go-version).
 If there is a Go binary in your container image, Trivy automatically finds and scans it.
 
 Also, you can scan your local binaries.

docs/docs/scanner/vulnerability.md

@@ -1,13 +1,12 @@
 # Vulnerability Scanning
-Trivy detects known vulnerabilities according to the versions of installed packages.
+Trivy detects known vulnerabilities in software components that it finds in the scan target.
 
-The following packages are supported.
+The following are supported:
 
 - [OS packages](#os-packages)
 - [Language-specific packages](#language-specific-packages)
-- [Kubernetes components (control plane, node and addons)](#kubernetes)
-
-Trivy also detects known vulnerabilities in Kubernetes components using KBOM (Kubernetes bill of Material) scanning. To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md#KBOM).
+- [Non-packaged software](#non-packaged-software)
+- [Kubernetes components](#kubernetes)
 
 ## OS Packages
 Trivy is capable of automatically detecting installed OS packages when scanning container images, VM images and running hosts.
@@ -138,9 +137,18 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
+## Non-packaged software
+
+If you have software that is not managed by a package manager, Trivy can still detect vulnerabilities in it in some cases:
+
+- [Using SBOM from Sigstore Rekor](../supply-chain/attestation/rekor/#non-packaged-binaries)
+- [Go Binaries with embedded module information](../coverage/language/golang/#go-binaries)
+- [Rust Binaries with embedded information](../coverage/language/rust/#binaries)
+- [SBOM embedded in container images](../supply-chain/container-image/#sbom-embedded-in-container-images)
+
 ## Kubernetes
 
-Trivy can detect vulnerabilities in Kubernetes clusters and components.
+Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md).
 
 ### Data Sources
 

docs/docs/supply-chain/sbom.md

@@ -731,17 +731,20 @@ $ cat result.spdx.json | jq .
 </details>
 
 ## Scanning
-Trivy can take SBOM documents as input for scanning.
+
+### SBOM as Target
+Trivy can take SBOM documents as input for scanning, e.g `trivy sbom ./sbom.spdx`.
 See [here](../target/sbom.md) for more details.
 
-Also, Trivy searches for SBOM files in container images.
+### SBOM Detection inside Targets
+Trivy searches for SBOM files in container images with the following extensions:
+- `.spdx`
+- `.spdx.json`
+- `.cdx`
+- `.cdx.json`
 
-```bash
-$ trivy image bitnami/elasticsearch:8.7.1
-```
+In addition, Trivy automatically detects SBOM files in [Bitnami images](https://github.com/bitnami/containers), [see here](../coverage/os/bitnami.md) for more details.
 
-For example, [Bitnami images](https://github.com/bitnami/containers) contain SBOM files in `/opt/bitnami` directory.
-Trivy automatically detects the SBOM files and uses them for scanning.
 It is enabled in the following targets.
 
 |     Target      | Enabled |
@@ -755,6 +758,9 @@ It is enabled in the following targets.
 |       AWS       |         |
 |      SBOM       |         |
 
+### SBOM Discovery for Container Images
+
+When scanning container images, Trivy can discover SBOM for those images. [See here](../target/container_image.md) for more details.
 
 [spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf