docs: No-Scan doc changes

README.md

@@ -161,6 +161,46 @@ If you want to integrate cve-bin-tool as a part of your github action pipeline,
 
 We also provide an example [GitHub action](https://github.com/intel/cve-bin-tool/blob/main/doc/how_to_guides/cve_scanner_gh_action.yml) if you wish to use the tool directly.  This may be a good choice for teams who want to store reports in an evidence locker or those who don't have access to the GitHub Security tab.
 
+### No-Scan Mode
+
+The `--no-scan` option enables a special mode that detects and reports software components without performing CVE vulnerability analysis. This mode is useful for:
+
+- **Component Discovery**: Quickly identify all software components and their versions in a codebase or binary
+- **SBOM Generation**: Create software bills of materials without vulnerability scanning overhead
+- **Inventory Management**: Build component inventories for compliance or asset tracking
+- **Performance Testing**: Assess component detection capabilities without database queries
+- **Offline Analysis**: Analyze software composition when CVE databases are unavailable
+
+**What it does:**
+- Scans files and directories for known software components using all available checkers
+- Identifies vendor, product name, and version information
+- Tracks file paths where components were found
+- Generates reports showing detected products without CVE data
+- Skips database initialization and CVE lookups for faster execution
+
+**Example commands:**
+
+```bash
+# Basic component detection without CVE scanning
+cve-bin-tool --no-scan /path/to/software
+
+# Generate SBOM from detected components
+cve-bin-tool --no-scan --sbom-type cyclonedx --sbom-format json --sbom-output inventory.json /path/to/software
+
+# Create component inventory in CSV format
+cve-bin-tool --no-scan -f csv -o components.csv /path/to/software
+
+# Combine with other options for detailed component analysis
+cve-bin-tool --no-scan --extract --detailed -f json,html -o report /path/to/software
+```
+
+**Output differences:**
+- Console reports show "NO-SCAN MODE" warning banner
+- Product tables display detected components without CVE counts
+- No vulnerability severity information is shown
+- File paths and component metadata are preserved
+- All output formats (CSV, JSON, HTML, PDF) work normally
+
 ## Output Options
 
 The CVE Binary Tool provides console-based output by default. If you wish to provide another format, you can specify this and a filename on the command line using `--format`. The valid formats are CSV, JSON, JSON2, console, HTML and PDF. The output filename can be specified using the `--output-file` flag.

doc/no-scan.md

@@ -0,0 +1,242 @@
+# No-Scan Mode Documentation
+
+## Architecture Diagram
+![No-Scan Mode Architecture Overview](images/No-Scan.png)
+
+## Overview
+
+No-scan mode is a specialized operating mode in CVE Binary Tool that enables component detection and analysis without performing CVE vulnerability scanning. This mode is designed for scenarios where users need to identify software components quickly without the overhead of vulnerability database queries.
+
+## Motivation
+
+The no-scan mode was implemented to address several use cases:
+
+1. **Component Discovery**: Quickly identify all software components in a codebase or binary without waiting for CVE database downloads
+2. **SBOM Generation**: Create software bills of materials efficiently when vulnerability analysis isn't immediately needed
+3. **Performance Testing**: Evaluate component detection capabilities without database initialization overhead
+4. **Offline Analysis**: Work in environments where CVE databases are unavailable or network access is restricted
+5. **Inventory Management**: Build comprehensive software inventories for compliance and asset tracking
+6. **CI/CD Integration**: Enable fast component scanning in build pipelines where vulnerability analysis can be deferred
+
+## Implementation Details
+
+### Core Changes
+
+#### 1. VersionScanner Class (`cve_bin_tool/version_scanner.py`)
+
+- **Constructor Parameter**: Added `no_scan=False` parameter
+- **Database Initialization**: When `no_scan=True`, sets `self.cve_db = None`
+- **Checker Loading**: Still loads all available checkers for component detection
+- **File Processing**: Continues to scan files and extract components normally
+
+```python
+def __init__(self, ..., no_scan=False):
+    self.no_scan = no_scan
+    # ... other initialization code ...
+
+    if self.no_scan:
+        self.cve_db = None
+    else:
+        self.cve_db = CVEDB(sources=sources)
+```
+
+#### 2. CVEScanner Class (`cve_bin_tool/cve_scanner.py`)
+
+- **Constructor Parameter**: Added `no_scan: bool = False` parameter
+- **CVE Processing**: Modified `get_cves()` method to handle no-scan mode
+- **Product Data Population**: Populates product data without CVE lookups
+- **Path Tracking**: Maintains file path information for detected components
+
+```python
+def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
+    # Handle no-scan mode
+    if self.no_scan:
+        # Populate product data without CVE scanning
+        if product_info not in self.all_product_data:
+            self.logger.debug(f"Add product {product_info} (no-scan mode)")
+            self.all_product_data[product_info] = 0
+
+        # Populate all_cve_data with empty CVE list and paths
+        if product_info not in self.all_cve_data:
+            self.all_cve_data[product_info] = {"cves": [], "paths": set()}
+
+        # Update paths
+        self.all_cve_data[product_info]["paths"] |= set(triage_data["paths"])
+        return
+```
+
+#### 3. CLI Interface (`cve_bin_tool/cli.py`)
+
+- **Command Line Option**: Added `--no-scan` flag as a store_true action
+- **Argument Group**: Placed in the output group with other scanning options
+- **Help Text**: Provides clear description of the mode
+
+```python
+output_group.add_argument(
+    "--no-scan", action="store_true", help="No-Scan Mode", default=False
+)
+```
+
+#### 4. Console Output (`cve_bin_tool/output_engine/console.py`)
+
+- **Mode Indicator**: Shows prominent warning banner when no-scan mode is active
+- **Conditional Display**: Hides CVE-related tables and metrics in no-scan mode
+- **Product Tables**: Displays detected components without vulnerability information
+- **Path Information**: Preserves and displays file paths where components were found
+
+```python
+# Show no-scan mode message if applicable
+if no_scan:
+    console.print(
+        Panel(
+            "[yellow]⚠️  NO-SCAN MODE[/yellow]\n"
+            "CVE scanning was disabled. This report shows only the products and versions "
+            "that were detected, without any vulnerability analysis.",
+            title="[yellow]No-Scan Mode Active[/yellow]",
+            border_style="yellow",
+        )
+    )
+```
+
+### Data Flow Changes
+
+1. **Input Processing**: No changes - files are processed normally
+2. **Component Detection**: No changes - all checkers run normally
+3. **Database Queries**: Skipped when `no_scan=True`
+4. **Output Generation**: Modified to show component data without CVE information
+5. **Report Formats**: All output formats work normally with adjusted content
+
+## Results and Behavior
+
+### What No-Scan Mode Provides
+
+- **Component Detection**: Full detection of software components using all available checkers
+- **Version Information**: Accurate version identification for detected components
+- **File Paths**: Complete tracking of where components were found
+- **Vendor Information**: Vendor identification where available
+- **Metadata**: All component metadata except vulnerability data
+
+### What No-Scan Mode Skips
+
+- **CVE Database**: No database initialization or updates
+- **Vulnerability Lookups**: No CVE queries or scoring
+- **Exploit Information**: No exploit database queries
+- **Risk Assessment**: No vulnerability severity analysis
+- **Affected Versions**: No version vulnerability mapping
+
+### Output Differences
+
+#### Console Output
+- **Warning Banner**: Prominent "NO-SCAN MODE" indicator
+- **Product Tables**: Shows components without CVE counts
+- **No CVE Summary**: CVE-related tables are hidden
+- **Path Information**: File paths are preserved and displayed
+
+#### File Outputs
+- **CSV**: Component data without vulnerability columns
+- **JSON**: Component structure with empty CVE arrays
+- **HTML**: Component-focused reports without vulnerability sections
+- **PDF**: Component inventory without security analysis
+
+## Testing the No-Scan Mode
+
+### Prerequisites
+
+1. **Test Environment**: Set up a development environment with CVE Binary Tool
+2. **Test Data**: Prepare test files/directories with known components
+3. **Database State**: Ensure CVE database is available for comparison testing
+
+### Test Scenarios
+
+#### 1. Basic Functionality Test
+
+```bash
+# Test basic no-scan mode
+cve-bin-tool --no-scan /path/to/test/directory
+
+# Verify output shows no-scan warning
+# Verify components are detected
+# Verify no CVE information is displayed
+```
+
+#### 2. Comparison Test
+
+```bash
+# Run normal scan
+cve-bin-tool /path/to/test/directory > normal_scan.txt
+
+# Run no-scan mode
+cve-bin-tool --no-scan /path/to/test/directory > no_scan.txt
+
+# Compare outputs to ensure:
+# - Same components are detected
+# - No CVE data in no-scan output
+# - File paths are preserved
+```
+
+#### 3. Output Format Tests
+
+```bash
+# Test CSV output
+cve-bin-tool --no-scan -f csv -o test.csv /path/to/test/directory
+
+# Test JSON output
+cve-bin-tool --no-scan -f json -o test.json /path/to/test/directory
+
+# Test HTML output
+cve-bin-tool --no-scan -f html -o test.html /path/to/test/directory
+
+# Verify each format contains component data but no CVE information
+```
+
+#### 4. SBOM Generation Test
+
+```bash
+# Test SBOM generation in no-scan mode
+cve-bin-tool --no-scan --sbom-type cyclonedx --sbom-format json --sbom-output test_sbom.json /path/to/test/directory
+
+# Verify SBOM contains:
+# - All detected components
+# - Version information
+# - File paths
+# - No vulnerability data
+```
+
+#### 5. Performance Test
+
+```bash
+# Measure normal scan time
+time cve-bin-tool /path/to/test/directory
+
+# Measure no-scan mode time
+time cve-bin-tool --no-scan /path/to/test/directory
+
+# Verify no-scan mode is significantly faster
+# (especially on first run when database would be downloaded)
+```
+
+### Test Data Requirements
+
+#### Binary Files
+- **Known Components**: Files with components that have known CVEs
+- **Multiple Formats**: Different file types (ELF, PE, etc.)
+- **Archived Files**: Compressed/archived files to test extraction
+- **Mixed Content**: Directories with various file types
+
+#### Language Files
+- **Package Managers**: requirements.txt, package.json, Cargo.lock, etc.
+- **SBOM Files**: Existing SBOMs in various formats
+- **Lock Files**: Dependency lock files from different ecosystems
+
+### Debug Commands
+
+```bash
+# Enable debug logging
+cve-bin-tool --no-scan --log debug /path/to/test/directory
+
+# Check checker loading
+cve-bin-tool --no-scan --log info /path/to/test/directory
+`
+# Verify no-scan mode is active
+cve-bin-tool --no-scan --help | grep no-scan
+```