diff --git a/cmd/tool/main.go b/cmd/tool/main.go
index 58d3b32..c564c52 100644
--- a/cmd/tool/main.go
+++ b/cmd/tool/main.go
@@ -3,7 +3,7 @@ package main
import (
"os"
- codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+ codacy "github.com/codacy/codacy-engine-golang-seed/v8"
"github.com/codacy/codacy-trivy/internal/tool"
"github.com/sirupsen/logrus"
)
diff --git a/docs/multiple-tests/pattern-vulnerability-critical/results.xml b/docs/multiple-tests/pattern-vulnerability-critical/results.xml
index f66be6e..fb9adff 100644
--- a/docs/multiple-tests/pattern-vulnerability-critical/results.xml
+++ b/docs/multiple-tests/pattern-vulnerability-critical/results.xml
@@ -7,6 +7,12 @@
message="Insecure dependency golang/stdlib@v1.21.4 (CVE-2024-24790: golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses) (update to 1.21.11)"
severity="error"
/>
+
-
@@ -136,7 +130,7 @@
@@ -157,7 +151,7 @@
diff --git a/go.mod b/go.mod
index 390a4ce..0cb4754 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
github.com/CycloneDX/cyclonedx-go v0.10.0
github.com/aquasecurity/trivy v0.69.1 // Also update .config.yml
github.com/aquasecurity/trivy-db v0.0.0-20251222105351-a833f47f8f0d
- github.com/codacy/codacy-engine-golang-seed/v6 v6.4.8
+ github.com/codacy/codacy-engine-golang-seed/v8 v8.0.0
github.com/google/go-cmp v0.7.0
github.com/package-url/packageurl-go v0.1.3
github.com/samber/lo v1.52.0
diff --git a/go.sum b/go.sum
index f5c9a57..c9288f7 100644
--- a/go.sum
+++ b/go.sum
@@ -240,8 +240,8 @@ github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZ
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f h1:Y8xYupdHxryycyPlc9Y+bSQAYZnetRJ70VMVKm5CKI0=
github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f/go.mod h1:HlzOvOjVBOfTGSRXRyY0OiCS/3J1akRGQQpRO/7zyF4=
-github.com/codacy/codacy-engine-golang-seed/v6 v6.4.8 h1:ap4d7hyShG4zaOVtDWhqWmM93ln3EPF13mE/MLt07X4=
-github.com/codacy/codacy-engine-golang-seed/v6 v6.4.8/go.mod h1:TwTOzAyljLXLzl9exy6ey5XAepkAWrFgObHDn0OWGZ4=
+github.com/codacy/codacy-engine-golang-seed/v8 v8.0.0 h1:p4zzkRnRZXiSnocoUMEFi9eKw/uzTovvoT+BisMWr8c=
+github.com/codacy/codacy-engine-golang-seed/v8 v8.0.0/go.mod h1:9RoS2cnJWCHyzykgXeD5dF1L3Dyt9Fm9eIj/bcU7/dU=
github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
github.com/containerd/cgroups/v3 v3.1.0 h1:azxYVj+91ZgSnIBp2eI3k9y2iYQSR/ZQIgh9vKO+HSY=
diff --git a/internal/docgen/docgen.go b/internal/docgen/docgen.go
index a01741c..b50afce 100644
--- a/internal/docgen/docgen.go
+++ b/internal/docgen/docgen.go
@@ -6,7 +6,7 @@ import (
"os"
"path"
- codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+ codacy "github.com/codacy/codacy-engine-golang-seed/v8"
"github.com/codacy/codacy-trivy/internal"
)
diff --git a/internal/docgen/rule.go b/internal/docgen/rule.go
index a36f7d7..3c0f363 100644
--- a/internal/docgen/rule.go
+++ b/internal/docgen/rule.go
@@ -1,6 +1,6 @@
package docgen
-import codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+import codacy "github.com/codacy/codacy-engine-golang-seed/v8"
// Rule represents a static code analysis rule that an execution of `codacy-trivy` can trigger.
type Rule struct {
diff --git a/internal/tool/malicious_packages_scanner.go b/internal/tool/malicious_packages_scanner.go
index 5ba02e3..ab06cdf 100644
--- a/internal/tool/malicious_packages_scanner.go
+++ b/internal/tool/malicious_packages_scanner.go
@@ -9,7 +9,7 @@ import (
"strings"
ptypes "github.com/aquasecurity/trivy/pkg/types"
- codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+ codacy "github.com/codacy/codacy-engine-golang-seed/v8"
"github.com/samber/lo"
"golang.org/x/mod/semver"
)
diff --git a/internal/tool/malicious_packages_scanner_test.go b/internal/tool/malicious_packages_scanner_test.go
index d82cb66..3e84aab 100644
--- a/internal/tool/malicious_packages_scanner_test.go
+++ b/internal/tool/malicious_packages_scanner_test.go
@@ -7,7 +7,7 @@ import (
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
ptypes "github.com/aquasecurity/trivy/pkg/types"
- codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+ codacy "github.com/codacy/codacy-engine-golang-seed/v8"
"github.com/package-url/packageurl-go"
"github.com/stretchr/testify/assert"
)
diff --git a/internal/tool/tool.go b/internal/tool/tool.go
index d049529..abd6c5b 100644
--- a/internal/tool/tool.go
+++ b/internal/tool/tool.go
@@ -3,6 +3,7 @@ package tool
import (
"bufio"
"context"
+ "encoding/json"
"fmt"
"net/url"
"os"
@@ -20,7 +21,7 @@ import (
tresult "github.com/aquasecurity/trivy/pkg/result"
tcdx "github.com/aquasecurity/trivy/pkg/sbom/cyclonedx"
ptypes "github.com/aquasecurity/trivy/pkg/types"
- codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+ codacy "github.com/codacy/codacy-engine-golang-seed/v8"
"github.com/codacy/codacy-trivy/internal"
"github.com/package-url/packageurl-go"
"github.com/samber/lo"
@@ -255,7 +256,17 @@ func (t codacyTrivy) getSBOM(ctx context.Context, report ptypes.Report) (codacy.
}
unencodeComponents(bom)
- return codacy.SBOM{BOM: *bom}, nil
+
+ bomStr, err := json.Marshal(bom)
+ if err != nil {
+ return codacy.SBOM{}, &ToolError{msg: "Failed to run Codacy Trivy", w: err}
+ }
+
+ return codacy.SBOM{
+ BomFormat: codacy.CycloneDXJSON,
+ SpecVersion: bom.SpecVersion.String(),
+ Sbom: string(bomStr),
+ }, nil
}
// Running Trivy for secret scanning is not as efficient as running for vulnerability scanning.
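Review bot: The marshal failure on the added `if err != nil` branch is reported as `Failed to run Codacy Trivy`, which says nothing about which step failed; when the SBOM cannot be serialized the message should name that step, e.g. `return codacy.SBOM{}, &ToolError{msg: "Failed to serialize SBOM as CycloneDX JSON", w: err}` (if ToolError messages are deliberately uniform across the file, keep the string and rely on the wrapped error, but that convention is not visible here). Separately, cyclonedx-go ships its own `cyclonedx.NewBOMEncoder(w, cyclonedx.BOMFileFormatJSON)`; if that encoder applies any spec-version-specific handling, plain `json.Marshal(bom)` bypasses it, so it is worth confirming the string written to `Sbom` matches what the library's encoder would emit for the `SpecVersion` reported alongside it. getSBOM's signature and the lines that build `bom` are outside the hunk.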
diff --git a/internal/tool/tool_test.go b/internal/tool/tool_test.go
index 731d8da..e38dd09 100644
--- a/internal/tool/tool_test.go
+++ b/internal/tool/tool_test.go
@@ -5,6 +5,7 @@ package tool
import (
"compress/gzip"
"context"
+ "encoding/json"
"fmt"
"os"
"path/filepath"
@@ -18,7 +19,7 @@ import (
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/flag"
ptypes "github.com/aquasecurity/trivy/pkg/types"
- codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+ codacy "github.com/codacy/codacy-engine-golang-seed/v8"
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
"github.com/package-url/packageurl-go"
@@ -333,105 +334,102 @@ func TestRun(t *testing.T) {
expectedMetadataComponentBOMRef := "b804b498-f626-41c5-a47f-45e1471acf33"
expectedRootComponentBOMRef := "d16d6083-4370-442f-a6ab-c5146a215dbe"
expectedRooComponentName := "file-802713450"
- expectedSBOM := codacy.SBOM{
- BOM: cyclonedx.BOM{
- XMLNS: "http://cyclonedx.org/schema/bom/1.6",
- JSONSchema: "http://cyclonedx.org/schema/bom-1.6.schema.json",
- BOMFormat: "CycloneDX",
- SpecVersion: cyclonedx.SpecVersion(7),
- SerialNumber: "urn:uuid:181e846e-fede-46b6-8be7-206a0f393caa", // different every run
- Version: 1,
- Metadata: &cyclonedx.Metadata{
- Timestamp: "2024-09-19T09:41:02.021Z", // different every run
- Tools: &cyclonedx.ToolsChoice{
- Components: &[]cyclonedx.Component{
- {
- Type: "application",
- Manufacturer: &cyclonedx.OrganizationalEntity{
- Name: "Aqua Security Software Ltd.",
- },
- Group: "aquasecurity",
- Name: "trivy",
- Version: "dev",
- },
- },
- },
- Component: &cyclonedx.Component{
- BOMRef: expectedMetadataComponentBOMRef,
- Type: "application",
- Properties: &[]cyclonedx.Property{
- {
- Name: "aquasecurity:trivy:SchemaVersion",
- Value: "0",
+ expectedBOM := cyclonedx.BOM{
+ JSONSchema: "http://cyclonedx.org/schema/bom-1.6.schema.json",
+ BOMFormat: "CycloneDX",
+ SpecVersion: cyclonedx.SpecVersion1_6,
+ SerialNumber: "urn:uuid:181e846e-fede-46b6-8be7-206a0f393caa", // different every run
+ Version: 1,
+ Metadata: &cyclonedx.Metadata{
+ Timestamp: "2024-09-19T09:41:02.021Z", // different every run
+ Tools: &cyclonedx.ToolsChoice{
+ Components: &[]cyclonedx.Component{
+ {
+ Type: "application",
+ Manufacturer: &cyclonedx.OrganizationalEntity{
+ Name: "Aqua Security Software Ltd.",
},
+ Group: "aquasecurity",
+ Name: "trivy",
+ Version: "dev",
},
},
},
- Components: &[]cyclonedx.Component{
- {
- BOMRef: expectedRootComponentBOMRef,
- Type: "application",
- Name: "file-802713450",
- Properties: &[]cyclonedx.Property{
- {
- Name: "aquasecurity:trivy:Class",
- Value: "lang-pkgs",
- },
- {
- Name: "aquasecurity:trivy:Type",
- },
+ Component: &cyclonedx.Component{
+ BOMRef: expectedMetadataComponentBOMRef,
+ Type: "application",
+ Properties: &[]cyclonedx.Property{
+ {
+ Name: "aquasecurity:trivy:SchemaVersion",
+ Value: "0",
},
},
- {
- BOMRef: "no-purl",
- Type: "library",
- Properties: &[]cyclonedx.Property{},
- },
- {
- BOMRef: "pkg:type/@namespace/package-1@version+incompatible",
- Type: "library",
- Properties: &[]cyclonedx.Property{},
- PackageURL: "pkg:type/@namespace/package-1@version+incompatible",
- Version: "version+incompatible",
- },
- {
- BOMRef: "pkg:type/@namespace/package-2@version+RC",
- Type: "library",
- Properties: &[]cyclonedx.Property{},
- PackageURL: "pkg:type/@namespace/package-2@version+RC",
- Version: "version+RC",
- },
},
- Dependencies: &[]cyclonedx.Dependency{
- {
- Ref: expectedMetadataComponentBOMRef,
- Dependencies: &[]string{
- expectedRootComponentBOMRef,
+ },
+ Components: &[]cyclonedx.Component{
+ {
+ BOMRef: expectedRootComponentBOMRef,
+ Type: "application",
+ Name: "file-802713450",
+ Properties: &[]cyclonedx.Property{
+ {
+ Name: "aquasecurity:trivy:Class",
+ Value: "lang-pkgs",
},
- },
- {
- Ref: expectedRootComponentBOMRef,
- Dependencies: &[]string{
- "no-purl",
- "pkg:type/@namespace/package-1@version+incompatible",
- "pkg:type/@namespace/package-2@version+RC",
+ {
+ Name: "aquasecurity:trivy:Type",
},
},
- {
- Ref: "no-purl",
- Dependencies: &[]string{},
- },
- {
- Ref: "pkg:type/@namespace/package-1@version+incompatible",
- Dependencies: &[]string{},
+ },
+ {
+ BOMRef: "no-purl",
+ Type: "library",
+ Properties: &[]cyclonedx.Property{},
+ },
+ {
+ BOMRef: "pkg:type/@namespace/package-1@version+incompatible",
+ Type: "library",
+ Properties: &[]cyclonedx.Property{},
+ PackageURL: "pkg:type/@namespace/package-1@version+incompatible",
+ Version: "version+incompatible",
+ },
+ {
+ BOMRef: "pkg:type/@namespace/package-2@version+RC",
+ Type: "library",
+ Properties: &[]cyclonedx.Property{},
+ PackageURL: "pkg:type/@namespace/package-2@version+RC",
+ Version: "version+RC",
+ },
+ },
+ Dependencies: &[]cyclonedx.Dependency{
+ {
+ Ref: expectedMetadataComponentBOMRef,
+ Dependencies: &[]string{
+ expectedRootComponentBOMRef,
},
- {
- Ref: "pkg:type/@namespace/package-2@version+RC",
- Dependencies: &[]string{},
+ },
+ {
+ Ref: expectedRootComponentBOMRef,
+ Dependencies: &[]string{
+ "no-purl",
+ "pkg:type/@namespace/package-1@version+incompatible",
+ "pkg:type/@namespace/package-2@version+RC",
},
},
- Vulnerabilities: &[]cyclonedx.Vulnerability{},
+ {
+ Ref: "no-purl",
+ Dependencies: &[]string{},
+ },
+ {
+ Ref: "pkg:type/@namespace/package-1@version+incompatible",
+ Dependencies: &[]string{},
+ },
+ {
+ Ref: "pkg:type/@namespace/package-2@version+RC",
+ Dependencies: &[]string{},
+ },
},
+ Vulnerabilities: &[]cyclonedx.Vulnerability{},
}
sboms := lo.Filter(results, func(result codacy.Result, _ int) bool {
switch result.(type) {
@@ -442,17 +440,21 @@ func TestRun(t *testing.T) {
}
})
+ var obtainedBOM *cyclonedx.BOM
+ err := json.Unmarshal([]byte(sboms[0].(codacy.SBOM).Sbom), &obtainedBOM)
+ assert.NoError(t, err)
+
// Set values that change on every run to known values.
// This allows us to test the relationship between components.
- oldMetadataComponentBOMRef := sboms[0].(codacy.SBOM).Metadata.Component.BOMRef
- sboms[0].(codacy.SBOM).Metadata.Component.BOMRef = expectedMetadataComponentBOMRef
+ oldMetadataComponentBOMRef := obtainedBOM.Metadata.Component.BOMRef
+ obtainedBOM.Metadata.Component.BOMRef = expectedMetadataComponentBOMRef
// Components are always in declaration order, with the root component (created automatically) coming first
- cs := *sboms[0].(codacy.SBOM).Components
+ cs := *obtainedBOM.Components
oldRootComponentBOMRef := cs[0].BOMRef
cs[0].BOMRef = expectedRootComponentBOMRef
cs[0].Name = expectedRooComponentName
// Dependencies are not always in order we must take care to change the correct value
- ds := *sboms[0].(codacy.SBOM).Dependencies
+ ds := *obtainedBOM.Dependencies
for i, d := range ds {
if d.Ref == oldMetadataComponentBOMRef {
ds[i].Ref = expectedMetadataComponentBOMRef
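Review bot: `assert.NoError(t, err)` after the new `json.Unmarshal` does not stop the test, so on a decode failure `obtainedBOM` stays nil and the dereference on the following `obtainedBOM.Metadata.Component.BOMRef` line panics instead of producing a readable failure; make the check fatal, e.g. `if !assert.NoError(t, err) { t.FailNow() }` (or `require.NoError` if the file imports `testify/require`, which is not visible here). The same applies to `sboms[0]`, which is indexed on the `json.Unmarshal` line before `assert.Len(t, sboms, 1)` runs later in the function, so an empty result set also panics rather than failing cleanly. The enclosing TestRun starts and ends outside the hunk.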
@@ -469,14 +471,16 @@ func TestRun(t *testing.T) {
// Only one SBOM result is produced
assert.Len(t, sboms, 1)
+ assert.Equal(t, sboms[0].(codacy.SBOM).BomFormat, codacy.CycloneDXJSON)
+ assert.Equal(t, sboms[0].(codacy.SBOM).SpecVersion, "1.6")
assert.True(
t,
cmp.Equal(
- expectedSBOM,
- sboms[0],
+ expectedBOM,
+ *obtainedBOM,
cmp.Options{
// Ignore fields that change each run
- cmpopts.IgnoreFields(codacy.SBOM{}, "SerialNumber"),
+ cmpopts.IgnoreFields(cyclonedx.BOM{}, "SerialNumber"),
cmpopts.IgnoreFields(cyclonedx.Metadata{}, "Timestamp"),
},
),
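Review bot: The two added `assert.Equal` calls pass the obtained value first and the expected constant second, but testify's signature is `assert.Equal(t, expected, actual, ...)`, so a failure will label `codacy.CycloneDXJSON` and `"1.6"` as the actual values; swap them: `assert.Equal(t, codacy.CycloneDXJSON, sboms[0].(codacy.SBOM).BomFormat)` and `assert.Equal(t, "1.6", sboms[0].(codacy.SBOM).SpecVersion)`. Wrapping `cmp.Equal` in `assert.True` also discards the diff, so a mismatch in the decoded BOM reports only `false`; `assert.Empty(t, cmp.Diff(expectedBOM, *obtainedBOM, opts))` with the same `cmpopts` would say exactly which field differs. The enclosing TestRun continues past the hunk.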