From da3f2d1a587af7fb7b9db49a33b6577e3524282f Mon Sep 17 00:00:00 2001
From: Yakira
Date: Tue, 17 Mar 2026 11:04:56 +0000
Subject: [PATCH 1/2] =?UTF-8?q?=E2=98=95=20chore:=20add=20shellcheck=20dir?=
 =?UTF-8?q?ective=20to=20patch-sbom-root?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Trivial change to trigger SBOM quality gate workflow for testing.

Co-Authored-By: Yakriel (Claude)
---
 bin/patch-sbom-root | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bin/patch-sbom-root b/bin/patch-sbom-root
index 1a55b5d..87725df 100755
--- a/bin/patch-sbom-root
+++ b/bin/patch-sbom-root
@@ -2,6 +2,7 @@
 set -euo pipefail
 
 # Patch the root component of a bombon-generated CycloneDX SBOM.
+# shellcheck disable=SC2086
 #
 # bombon uses the symlinkJoin derivation name (e.g. "postgres-closure") as the
 # root component, which carries no meaningful metadata. This script rewrites it

From 0d325166df3e6d3caded844e3e73ae43f6f332fd Mon Sep 17 00:00:00 2001
From: Yakira
Date: Tue, 17 Mar 2026 11:18:58 +0000
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=94=A7=20update=20(sbom):=20fix=20sbo?=
 =?UTF-8?q?m-score=20jq=20fields=20for=20sbomqs=20v2.0.4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

sbomqs v2.0.4 changed its JSON schema:
- .files[0].avg_score → .sbom_quality_score
- .files[0].scores[] → .comprehenssive[] (per-feature, not per-category)

Updated bin/sbom-score to use the new field names and aggregate per-feature scores into per-category averages. Removed max_score from output since the new schema doesn't provide it.

Updated test mocks and fixtures to match.

Co-Authored-By: Yakriel (Claude)
---
 bin/sbom-score           | 8 ++++++--
 spec/sbom_report_spec.sh | 8 ++++----
 spec/sbom_score_spec.sh  | 4 ++--
 3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/bin/sbom-score b/bin/sbom-score
index 43e7d4d..f93e356 100755
--- a/bin/sbom-score
+++ b/bin/sbom-score
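Review bot: `# shellcheck disable=SC2086` sits after `set -euo pipefail`, so as far as ShellCheck's directive scoping goes it suppresses the warning only for the next command after this header comment block, which lies outside the hunk, rather than for the whole file; together with the commit message calling this a throwaway change to trigger the quality-gate workflow, it reads as a suppression with no stated need. SC2086 flags unquoted expansions (word splitting and globbing), a class of bug worth keeping visible in a script that rewrites SBOM content, so either revert the line once the workflow test is done or state the reason inline: `# shellcheck disable=SC2086  # <reason placeholder>: this expansion is intentionally word-split`. A directive that is genuinely needed is clearer placed immediately above the command it covers than inside the file's description comment.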
@@ -38,14 +38,18 @@ raw_output=$("$sbomqs_cmd" score "$sbom_file" --json 2>/dev/null) || {
 }
 
 # Transform sbomqs output into our structured format
+# sbomqs v2.0.4 uses .sbom_quality_score (not .avg_score) and
+# .comprehenssive[] (note double 's') with per-feature entries instead of
+# per-category .scores[]. We aggregate features by category.
 echo "$raw_output" | jq --arg image "$image" '
   .files[0] as $f |
   {
     image: $image,
-    score: $f.avg_score,
+    score: $f.sbom_quality_score,
     num_components: $f.num_components,
     categories: [
-      $f.scores[]? | {category: .category, score: .score, max_score: .max_score}
+      $f.comprehenssive // [] | group_by(.category)[] |
+      {category: .[0].category, score: ((map(.score) | add) / length)}
     ]
   }
 '
diff --git a/spec/sbom_report_spec.sh b/spec/sbom_report_spec.sh
index 90679c4..ed531c6 100644
--- a/spec/sbom_report_spec.sh
+++ b/spec/sbom_report_spec.sh
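Review bot: The category average in the new `categories` expression folds in every `.comprehenssive[]` entry, yet the v2.0.4 mock in spec/sbom_score_spec.sh shows each feature carrying an `ignored` flag that the aggregation never consults; if sbomqs emits `ignored: true` for features it left out of its own score (inferred from the field's presence, not confirmed here), those entries would pull the category average away from what sbomqs actually counted. Filtering before grouping keeps the two consistent: `$f.comprehenssive // [] | map(select(.ignored != true)) | group_by(.category)[] |`. A category whose every `.score` is null would make `add` return null and the division error out, so a `select(.score != null)` belongs in the same filter if that case can occur. The mock in spec/sbom_score_spec.sh contains only `ignored: false` entries, so adding one `ignored: true` feature there would pin the intended behaviour either way.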
@@ -5,21 +5,21 @@ Describe "bin/sbom-report"
 # Score result for postgres (improved)
 cat > "$RESULTS_DIR/score-postgres.json" <<'JSON'
-{"image":"postgres","score":7.2,"num_components":24,"categories":[{"category":"Licensing","score":6.5,"max_score":10.0}]}
+{"image":"postgres","score":7.2,"num_components":24,"categories":[{"category":"Licensing","score":6.5}]}
 JSON
 # Score result for redis (regressed)
 cat > "$RESULTS_DIR/score-redis.json" <<'JSON'
-{"image":"redis","score":6.0,"num_components":8,"categories":[{"category":"Licensing","score":5.0,"max_score":10.0}]}
+{"image":"redis","score":6.0,"num_components":8,"categories":[{"category":"Licensing","score":5.0}]}
 JSON
 # Baseline scores
 cat > "$RESULTS_DIR/baseline-postgres.json" <<'JSON'
-{"image":"postgres","score":7.0,"num_components":24,"categories":[{"category":"Licensing","score":6.0,"max_score":10.0}]}
+{"image":"postgres","score":7.0,"num_components":24,"categories":[{"category":"Licensing","score":6.0}]}
 JSON
 cat > "$RESULTS_DIR/baseline-redis.json" <<'JSON'
-{"image":"redis","score":6.5,"num_components":8,"categories":[{"category":"Licensing","score":5.5,"max_score":10.0}]}
+{"image":"redis","score":6.5,"num_components":8,"categories":[{"category":"Licensing","score":5.5}]}
 JSON
 # Compare result for postgres
diff --git a/spec/sbom_score_spec.sh b/spec/sbom_score_spec.sh
index 66ab12f..18b8520 100644
--- a/spec/sbom_score_spec.sh
+++ b/spec/sbom_score_spec.sh
@@ -29,12 +29,12 @@ JSON
 Describe "sbomqs integration"
 # Mock sbomqs to avoid requiring the real binary in tests
 mock_sbomqs() {
-  # Create a fake sbomqs that outputs realistic JSON
+  # Create a fake sbomqs that outputs realistic v2.0.4 JSON
   MOCK_SBOMQS="$(mktemp)"
   cat > "$MOCK_SBOMQS" <<'SCRIPT'
 #!/bin/sh
 cat <<'MOCK'
-{"files":[{"avg_score":7.2,"num_components":24,"scores":[{"category":"Licensing","score":6.5,"max_score":10.0},{"category":"Structural","score":8.1,"max_score":10.0},{"category":"Completeness","score":7.0,"max_score":10.0}]}]}
+{"files":[{"sbom_quality_score":7.2,"num_components":24,"comprehenssive":[{"category":"Licensing","feature":"comp_with_license","score":6.0,"description":"complete","ignored":false},{"category":"Licensing","feature":"comp_valid_license","score":7.0,"description":"complete","ignored":false},{"category":"Structural","feature":"has_components","score":8.1,"description":"complete","ignored":false},{"category":"Completeness","feature":"comp_with_supplier","score":7.0,"description":"complete","ignored":false}]}]}
 MOCK
 SCRIPT
   chmod +x "$MOCK_SBOMQS"