fix: add empty dep-graph when there are no dependencies

thomasschafer · thomasschafer · commit 03a1e8e24f62 · 2025-11-21T16:51:48.000Z
diff --git a/internal/depgraph/builder.go b/internal/depgraph/builder.go
@@ -22,7 +22,7 @@ const (
 
 func NewBuilder(pkgManager *PkgManager, rootPkg *PkgInfo) (*Builder, error) {
 	if pkgManager == nil {
-		return nil, errors.New("cannot create builder without a package manager")
+		return nil, errors.New("cannot create builder without a package manager") //nolint:wrapcheck // Code is copied from `dep-graph-go`
 	}
 
 	if rootPkg == nil {
diff --git a/internal/uv/uvclient.go b/internal/uv/uvclient.go
@@ -48,12 +48,14 @@ func (c client) ExportSBOM(inputDir string) (*scaplugin.Finding, error) {
 		return nil, fmt.Errorf("failed to execute uv export: %w", err)
 	}
 
-	if err := validateSBOM(output); err != nil {
+	metadata, err := validateSBOM(output)
+	if err != nil {
 		return nil, err
 	}
 
 	return &scaplugin.Finding{
-		Sbom: output,
+		Sbom:     output,
+		Metadata: *metadata,
 		FileExclusions: []string{
 			path.Join(inputDir, RequirementsTxtFileName),
 			path.Join(inputDir, PyprojectTomlFileName),
@@ -63,22 +65,29 @@ func (c client) ExportSBOM(inputDir string) (*scaplugin.Finding, error) {
 }
 
 // Verifies that the SBOM is valid JSON and has a root component.
-func validateSBOM(sbomData []byte) error {
+func validateSBOM(sbomData []byte) (*scaplugin.Metadata, error) {
 	var sbom struct {
 		Metadata struct {
-			Component json.RawMessage `json:"component"`
+			Component *struct {
+				Name    string `json:"name"`
+				Version string `json:"version"`
+			} `json:"component"`
 		} `json:"metadata"`
 	}
 
 	if err := json.Unmarshal(sbomData, &sbom); err != nil {
-		return fmt.Errorf("failed to parse SBOM: %w", err)
+		return nil, fmt.Errorf("failed to parse SBOM: %w", err)
 	}
 
-	if len(sbom.Metadata.Component) == 0 {
-		return fmt.Errorf("SBOM missing root component at metadata.component - uv project may be missing a root package")
+	if sbom.Metadata.Component == nil {
+		return nil, fmt.Errorf("SBOM missing root component at metadata.component - uv project may be missing a root package")
 	}
 
-	return nil
+	return &scaplugin.Metadata{
+		PackageManager: "pip",
+		Name:           sbom.Metadata.Component.Name,
+		Version:        sbom.Metadata.Component.Version,
+	}, nil
 }
 
 func (c *client) ShouldExportSBOM(inputDir string, logger *zerolog.Logger) bool {
diff --git a/internal/uv/uvclient_test.go b/internal/uv/uvclient_test.go
@@ -27,7 +27,8 @@ func TestUVClient_ExportSBOM_Success(t *testing.T) {
 			"component": {
 				"type": "library",
 				"bom-ref": "test-project-1",
-				"name": "test-project"
+				"name": "test-project",
+				"version": "1.2.3"
 			}
 		}
 	}`
@@ -45,7 +46,11 @@ func TestUVClient_ExportSBOM_Success(t *testing.T) {
 	result, err := client.ExportSBOM("/test/dir")
 
 	assert.NoError(t, err)
+	require.NotNil(t, result)
 	assert.JSONEq(t, validSBOM, string(result.Sbom))
+	assert.Equal(t, "pip", result.Metadata.PackageManager)
+	assert.Equal(t, "test-project", result.Metadata.Name)
+	assert.Equal(t, "1.2.3", result.Metadata.Version)
 }
 
 func TestUVClient_ExportSBOM_Error(t *testing.T) {
@@ -152,39 +157,110 @@ func TestParseAndValidateVersion_UnparseableOutput(t *testing.T) {
 
 func TestValidateSBOM_Success(t *testing.T) {
 	tests := []struct {
-		name string
-		sbom string
+		name            string
+		sbom            string
+		expectedName    string
+		expectedVersion string
 	}{
 		{
-			name: "valid SBOM with component",
+			name: "valid SBOM with full component",
 			sbom: `{
 				"bomFormat": "CycloneDX",
 				"specVersion": "1.5",
 				"metadata": {
 					"component": {
 						"type": "library",
 						"name": "test-project",
+						"version": "1.0.0",
 						"bom-ref": "test-project-1"
 					}
 				}
 			}`,
+			expectedName:    "test-project",
+			expectedVersion: "1.0.0",
 		},
 		{
 			name: "valid SBOM with minimal component",
 			sbom: `{
 				"metadata": {
 					"component": {
-						"name": "my-project"
+						"name": "my-project",
+						"version": "0.1.0"
+					}
+				}
+			}`,
+			expectedName:    "my-project",
+			expectedVersion: "0.1.0",
+		},
+		{
+			name: "component without version",
+			sbom: `{
+				"bomFormat": "CycloneDX",
+				"specVersion": "1.5",
+				"metadata": {
+					"component": {
+						"name": "project-no-version"
+					}
+				}
+			}`,
+			expectedName:    "project-no-version",
+			expectedVersion: "",
+		},
+		{
+			name: "component with empty version string",
+			sbom: `{
+				"metadata": {
+					"component": {
+						"name": "project-empty-version",
+						"version": ""
+					}
+				}
+			}`,
+			expectedName:    "project-empty-version",
+			expectedVersion: "",
+		},
+		{
+			name: "component with hyphenated name",
+			sbom: `{
+				"metadata": {
+					"component": {
+						"name": "my-complex-project-name",
+						"version": "2.3.4-beta.1"
+					}
+				}
+			}`,
+			expectedName:    "my-complex-project-name",
+			expectedVersion: "2.3.4-beta.1",
+		},
+		{
+			name: "component with additional fields",
+			sbom: `{
+				"bomFormat": "CycloneDX",
+				"specVersion": "1.5",
+				"metadata": {
+					"component": {
+						"type": "application",
+						"name": "complex-project",
+						"version": "3.0.0",
+						"bom-ref": "pkg:pypi/complex-project@3.0.0",
+						"description": "A complex project",
+						"licenses": []
 					}
 				}
 			}`,
+			expectedName:    "complex-project",
+			expectedVersion: "3.0.0",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := validateSBOM([]byte(tt.sbom))
+			metadata, err := validateSBOM([]byte(tt.sbom))
 			assert.NoError(t, err)
+			require.NotNil(t, metadata)
+			assert.Equal(t, "pip", metadata.PackageManager)
+			assert.Equal(t, tt.expectedName, metadata.Name)
+			assert.Equal(t, tt.expectedVersion, metadata.Version)
 		})
 	}
 }
@@ -215,16 +291,18 @@ func TestValidateSBOM_MissingComponent(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := validateSBOM([]byte(tt.sbom))
+			metadata, err := validateSBOM([]byte(tt.sbom))
 			require.Error(t, err)
+			assert.Nil(t, metadata)
 			assert.Contains(t, err.Error(), "SBOM missing root component at metadata.component")
 		})
 	}
 }
 
 func TestValidateSBOM_InvalidJSON(t *testing.T) {
-	err := validateSBOM([]byte("invalid json"))
+	metadata, err := validateSBOM([]byte("invalid json"))
 	require.Error(t, err)
+	assert.Nil(t, metadata)
 	assert.Contains(t, err.Error(), "failed to parse SBOM")
 }
 
diff --git a/pkg/depgraph/sbom_resolution.go b/pkg/depgraph/sbom_resolution.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/rs/zerolog"
+	"github.com/snyk/cli-extension-dep-graph/internal/depgraph"
 	"github.com/snyk/cli-extension-dep-graph/internal/snykclient"
 	"github.com/snyk/cli-extension-dep-graph/internal/uv"
 	scaplugin "github.com/snyk/cli-extension-dep-graph/pkg/sca_plugin"
@@ -81,7 +82,7 @@ func handleSBOMResolutionDI(
 	// Convert SBOMs to workflow.Data
 	workflowData := []workflow.Data{}
 	for _, f := range findings { // Could be parallelised in future
-		data, err := sbomToWorkflowData(f, snykClient, logger, remoteRepoURL)
+		data, err := sbomToWorkflowData(&f, snykClient, logger, remoteRepoURL)
 		if err != nil {
 			return nil, fmt.Errorf("error converting SBOM: %w", err)
 		}
@@ -150,7 +151,7 @@ func executeLegacyWorkflow(
 	return nil, fmt.Errorf("error handling legacy workflow: %w", err)
 }
 
-func sbomToWorkflowData(finding scaplugin.Finding, snykClient *snykclient.SnykClient, logger *zerolog.Logger, remoteRepoURL string) ([]workflow.Data, error) {
+func sbomToWorkflowData(finding *scaplugin.Finding, snykClient *snykclient.SnykClient, logger *zerolog.Logger, remoteRepoURL string) ([]workflow.Data, error) {
 	sbomReader := bytes.NewReader(finding.Sbom)
 
 	scans, warnings, err := snykClient.SBOMConvert(context.Background(), logger, sbomReader, remoteRepoURL)
@@ -166,11 +167,32 @@ func sbomToWorkflowData(finding scaplugin.Finding, snykClient *snykclient.SnykCl
 	}
 
 	if len(depGraphsData) == 0 {
-		return nil, fmt.Errorf("no dependency graphs found in SBOM conversion response")
+		depGraph, err := emptyDepGraph(finding)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create empty depgraph: %w", err)
+		}
+
+		data, err := workflowDataFromDepGraph(depGraph, finding.NormalisedTargetFile, "")
+		if err != nil {
+			return nil, fmt.Errorf("failed to create workflow data: %w", err)
+		}
+		depGraphsData = append(depGraphsData, data)
 	}
 	return depGraphsData, nil
 }
 
+func emptyDepGraph(finding *scaplugin.Finding) (*depgraph.DepGraph, error) {
+	builder, err := depgraph.NewBuilder(
+		&depgraph.PkgManager{Name: finding.Metadata.Name},
+		&depgraph.PkgInfo{Name: finding.Metadata.Name, Version: finding.Metadata.Version},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build depgraph: %w", err)
+	}
+	depGraph := builder.Build()
+	return depGraph, nil
+}
+
 func extractDepGraphsFromScans(scans []*snykclient.ScanResult, targetFile string) ([]workflow.Data, error) {
 	var depGraphList []workflow.Data
 
@@ -180,20 +202,11 @@ func extractDepGraphsFromScans(scans []*snykclient.ScanResult, targetFile string
 			if fact.Type != "depGraph" {
 				continue
 			}
-			// Marshal the depgraph data to JSON bytes
-			depGraphBytes, err := json.Marshal(fact.Data)
-			if err != nil {
-				return nil, fmt.Errorf("failed to marshal depgraph data: %w", err)
-			}
 
 			// Create workflow data with the depgraph
-			data := workflow.NewData(DataTypeID, contentTypeJSON, depGraphBytes)
-
-			data.SetMetaData(contentLocationKey, targetFile)
-			data.SetMetaData(MetaKeyNormalisedTargetFile, targetFile)
-
-			if scan.Identity.Type != "" {
-				data.SetMetaData(MetaKeyTargetFileFromPlugin, scan.Identity.Type)
+			data, err := workflowDataFromDepGraph(fact.Data, targetFile, scan.Identity.Type)
+			if err != nil {
+				return nil, fmt.Errorf("failed to create workflow data: %w", err)
 			}
 
 			depGraphList = append(depGraphList, data)
@@ -202,3 +215,21 @@ func extractDepGraphsFromScans(scans []*snykclient.ScanResult, targetFile string
 
 	return depGraphList, nil
 }
+
+func workflowDataFromDepGraph(depGraph any, normalisedTargetFile, targetFileFromPlugin string) (workflow.Data, error) {
+	depGraphBytes, err := json.Marshal(depGraph)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal depgraph data: %w", err)
+	}
+
+	data := workflow.NewData(DataTypeID, contentTypeJSON, depGraphBytes)
+
+	data.SetMetaData(contentLocationKey, normalisedTargetFile)
+	data.SetMetaData(MetaKeyNormalisedTargetFile, normalisedTargetFile)
+
+	if targetFileFromPlugin != "" {
+		data.SetMetaData(MetaKeyTargetFileFromPlugin, targetFileFromPlugin)
+	}
+
+	return data, nil
+}
diff --git a/pkg/sca_plugin/interface.go b/pkg/sca_plugin/interface.go
@@ -4,8 +4,15 @@ import "github.com/rs/zerolog"
 
 type Options struct{}
 
+type Metadata struct {
+	PackageManager string
+	Name           string
+	Version        string
+}
+
 type Finding struct {
 	Sbom                 Sbom     // The raw SBOM bytes
+	Metadata             Metadata // Information about the finding
 	FileExclusions       []string // Paths for files that other plugins should ignore
 	NormalisedTargetFile string   // The target file name without any qualifiers, e.g. `uv.lock` (and not `dir/uv.lock`)
 }

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ const (`
`22`	`22`
`23`	`23`	`func NewBuilder(pkgManager PkgManager, rootPkg PkgInfo) (*Builder, error) {`
`24`	`24`	`if pkgManager == nil {`
`25`		`- return nil, errors.New("cannot create builder without a package manager")`
	`25`	+ return nil, errors.New("cannot create builder without a package manager") //nolint:wrapcheck // Code is copied from `dep-graph-go`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`if rootPkg == nil {`