test: trigger SBOM quality gate

bin/patch-sbom-root

@@ -2,6 +2,7 @@
 set -euo pipefail
 
 # Patch the root component of a bombon-generated CycloneDX SBOM.
+# shellcheck disable=SC2086
 #
 # bombon uses the symlinkJoin derivation name (e.g. "postgres-closure") as the
 # root component, which carries no meaningful metadata. This script rewrites it

bin/sbom-score

@@ -38,14 +38,18 @@ raw_output=$("$sbomqs_cmd" score "$sbom_file" --json 2>/dev/null) || {
 }
 
 # Transform sbomqs output into our structured format
+# sbomqs v2.0.4 uses .sbom_quality_score (not .avg_score) and
+# .comprehenssive[] (note double 's') with per-feature entries instead of
+# per-category .scores[].  We aggregate features by category.
 echo "$raw_output" | jq --arg image "$image" '
   .files[0] as $f |
   {
     image: $image,
-    score: $f.avg_score,
+    score: $f.sbom_quality_score,
     num_components: $f.num_components,
     categories: [
-      $f.scores[]? | {category: .category, score: .score, max_score: .max_score}
+      $f.comprehenssive // [] | group_by(.category)[] |
+      {category: .[0].category, score: ((map(.score) | add) / length)}
     ]
   }
 '

spec/sbom_report_spec.sh

@@ -5,21 +5,21 @@ Describe "bin/sbom-report"
 
     # Score result for postgres (improved)
     cat > "$RESULTS_DIR/score-postgres.json" <<'JSON'
-{"image":"postgres","score":7.2,"num_components":24,"categories":[{"category":"Licensing","score":6.5,"max_score":10.0}]}
+{"image":"postgres","score":7.2,"num_components":24,"categories":[{"category":"Licensing","score":6.5}]}
 JSON
 
     # Score result for redis (regressed)
     cat > "$RESULTS_DIR/score-redis.json" <<'JSON'
-{"image":"redis","score":6.0,"num_components":8,"categories":[{"category":"Licensing","score":5.0,"max_score":10.0}]}
+{"image":"redis","score":6.0,"num_components":8,"categories":[{"category":"Licensing","score":5.0}]}
 JSON
 
     # Baseline scores
     cat > "$RESULTS_DIR/baseline-postgres.json" <<'JSON'
-{"image":"postgres","score":7.0,"num_components":24,"categories":[{"category":"Licensing","score":6.0,"max_score":10.0}]}
+{"image":"postgres","score":7.0,"num_components":24,"categories":[{"category":"Licensing","score":6.0}]}
 JSON
 
     cat > "$RESULTS_DIR/baseline-redis.json" <<'JSON'
-{"image":"redis","score":6.5,"num_components":8,"categories":[{"category":"Licensing","score":5.5,"max_score":10.0}]}
+{"image":"redis","score":6.5,"num_components":8,"categories":[{"category":"Licensing","score":5.5}]}
 JSON
 
     # Compare result for postgres

spec/sbom_score_spec.sh

@@ -29,12 +29,12 @@ JSON
   Describe "sbomqs integration"
     # Mock sbomqs to avoid requiring the real binary in tests
     mock_sbomqs() {
-      # Create a fake sbomqs that outputs realistic JSON
+      # Create a fake sbomqs that outputs realistic v2.0.4 JSON
       MOCK_SBOMQS="$(mktemp)"
       cat > "$MOCK_SBOMQS" <<'SCRIPT'
 #!/bin/sh
 cat <<'MOCK'
-{"files":[{"avg_score":7.2,"num_components":24,"scores":[{"category":"Licensing","score":6.5,"max_score":10.0},{"category":"Structural","score":8.1,"max_score":10.0},{"category":"Completeness","score":7.0,"max_score":10.0}]}]}
+{"files":[{"sbom_quality_score":7.2,"num_components":24,"comprehenssive":[{"category":"Licensing","feature":"comp_with_license","score":6.0,"description":"complete","ignored":false},{"category":"Licensing","feature":"comp_valid_license","score":7.0,"description":"complete","ignored":false},{"category":"Structural","feature":"has_components","score":8.1,"description":"complete","ignored":false},{"category":"Completeness","feature":"comp_with_supplier","score":7.0,"description":"complete","ignored":false}]}]}
 MOCK
 SCRIPT
       chmod +x "$MOCK_SBOMQS"