Vulnerability in `sbomqs` Command Execution: Missing `--` Separator Allows Option Injection via Filename
A critical vulnerability has been identified in how `sbomqs` is invoked by the software supply chain security tooling. The flaw stems from a missing `--` separator combined with an unsafe argument order, which allows a maliciously named file to be interpreted as a command-line option. Specifically, the vulnerable code executes `sbomqs score <filename> --json`, placing the user-supplied filename before the `--json` flag. This creates a path for option injection: a file named something like `-version.cdx.json` passes standard path validation but is parsed by the underlying tool as a flag, potentially altering the command's behavior.
The affected code is located in `atr/tasks/sbom.py` between lines 157 and 164. While the execution uses parameterized subprocess calls (an argument list rather than a shell string), which prevents traditional shell injection, the absence of the `--` separator is the critical oversight. The `--` convention is a standard security practice in Unix-like option parsing: it signals that every argument after it is a positional argument (here, the filename), never an option, regardless of any leading dash, thereby neutralizing this class of attack.
The recommended remediation is straightforward but essential: reorder the arguments to place flags before the filename and insert the `--` separator. The fix would change the subprocess call to a pattern like `sbomqs score --json -- <filename>`. This vulnerability highlights a subtle but significant security gap in software composition analysis (SCA) and Software Bill of Materials (SBOM) tooling pipelines, where the integrity of the analysis itself can be compromised by the very artifacts it is meant to evaluate. It underscores the need for rigorous security hygiene even in ancillary tooling scripts that handle external input.
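The vulnerable and remediated argv layouts side by side, with a small check that flags the pattern, as an added example written for this write-up rather than code from `atr/tasks/sbom.py` itself; the function names and the lint helper are assumptions, and the `sbomqs` binary is not needed to run the checks:

```python
"""Added example (not the project's own code): the vulnerable and hardened
sbomqs argv layouts described in the write-up, plus a lint check for the pattern."""
import subprocess
from pathlib import Path


def vulnerable_argv(sbom_path: str) -> list[str]:
    # Layout from the write-up: filename before the flag, no "--" separator.
    # A path such as "-version.cdx.json" is parsed by sbomqs as an option.
    return ["sbomqs", "score", sbom_path, "--json"]


def hardened_argv(sbom_path: str) -> list[str]:
    # Remediated layout: flags first, then "--", then the path. Everything
    # after "--" is positional, so a leading dash in the name is inert.
    return ["sbomqs", "score", "--json", "--", sbom_path]


def positional_option_risk(argv: list[str], user_supplied: str) -> bool:
    """True if a user-supplied value sits before any "--" and looks like an option.

    Usable as a review-time check on argv lists built from external input.
    """
    try:
        end = argv.index("--")
    except ValueError:
        end = len(argv)
    return user_supplied in argv[1:end] and user_supplied.startswith("-")


def run_score(sbom_path: Path) -> subprocess.CompletedProcess:
    """Run sbomqs with the hardened argv (shell=False, so no shell parsing either).

    Resolving to an absolute path is defence in depth: even without "--",
    an absolute path cannot start with a dash.
    """
    path = str(sbom_path.resolve())
    argv = hardened_argv(path)
    if positional_option_risk(argv, path):
        raise ValueError("argv would let the SBOM path be parsed as an option")
    return subprocess.run(argv, capture_output=True, text=True, check=False)
```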