fix: add empty dep-graph when there are no dependencies

thomasschafer · thomasschafer · commit 100985899761 · 2025-11-21T16:07:09.000Z
diff --git a/internal/uv/uvclient.go b/internal/uv/uvclient.go
@@ -48,12 +48,14 @@ func (c client) ExportSBOM(inputDir string) (*scaplugin.Finding, error) {
 		return nil, fmt.Errorf("failed to execute uv export: %w", err)
 	}
 
-	if err := validateSBOM(output); err != nil {
+	metadata, err := validateSBOM(output)
+	if err != nil {
 		return nil, err
 	}
 
 	return &scaplugin.Finding{
-		Sbom: output,
+		Sbom:     output,
+		Metadata: *metadata,
 		FileExclusions: []string{
 			path.Join(inputDir, RequirementsTxtFileName),
 			path.Join(inputDir, PyprojectTomlFileName),
@@ -63,22 +65,30 @@ func (c client) ExportSBOM(inputDir string) (*scaplugin.Finding, error) {
 }
 
 // Verifies that the SBOM is valid JSON and has a root component.
-func validateSBOM(sbomData []byte) error {
+func validateSBOM(sbomData []byte) (*scaplugin.Metadata, error) {
 	var sbom struct {
 		Metadata struct {
-			Component json.RawMessage `json:"component"`
+			// TODO: test this with and without component
+			Component *struct {
+				Name    string `json:"name"`
+				Version string `json:"version"`
+			} `json:"component"`
 		} `json:"metadata"`
 	}
 
 	if err := json.Unmarshal(sbomData, &sbom); err != nil {
-		return fmt.Errorf("failed to parse SBOM: %w", err)
+		return nil, fmt.Errorf("failed to parse SBOM: %w", err)
 	}
 
-	if len(sbom.Metadata.Component) == 0 {
-		return fmt.Errorf("SBOM missing root component at metadata.component - uv project may be missing a root package")
+	if sbom.Metadata.Component == nil {
+		return nil, fmt.Errorf("SBOM missing root component at metadata.component - uv project may be missing a root package")
 	}
 
-	return nil
+	return &scaplugin.Metadata{
+		PackageManager: "pip",
+		Name:           sbom.Metadata.Component.Name,
+		Version:        sbom.Metadata.Component.Version,
+	}, nil
 }
 
 func (c *client) ShouldExportSBOM(inputDir string, logger *zerolog.Logger) bool {
diff --git a/pkg/depgraph/sbom_resolution.go b/pkg/depgraph/sbom_resolution.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/rs/zerolog"
+	"github.com/snyk/cli-extension-dep-graph/internal/depgraph"
 	"github.com/snyk/cli-extension-dep-graph/internal/snykclient"
 	"github.com/snyk/cli-extension-dep-graph/internal/uv"
 	scaplugin "github.com/snyk/cli-extension-dep-graph/pkg/sca_plugin"
@@ -81,7 +82,7 @@ func handleSBOMResolutionDI(
 	// Convert SBOMs to workflow.Data
 	workflowData := []workflow.Data{}
 	for _, f := range findings { // Could be parallelised in future
-		data, err := sbomToWorkflowData(f, snykClient, logger, remoteRepoURL)
+		data, err := sbomToWorkflowData(&f, snykClient, logger, remoteRepoURL)
 		if err != nil {
 			return nil, fmt.Errorf("error converting SBOM: %w", err)
 		}
@@ -150,7 +151,7 @@ func executeLegacyWorkflow(
 	return nil, fmt.Errorf("error handling legacy workflow: %w", err)
 }
 
-func sbomToWorkflowData(finding scaplugin.Finding, snykClient *snykclient.SnykClient, logger *zerolog.Logger, remoteRepoURL string) ([]workflow.Data, error) {
+func sbomToWorkflowData(finding *scaplugin.Finding, snykClient *snykclient.SnykClient, logger *zerolog.Logger, remoteRepoURL string) ([]workflow.Data, error) {
 	sbomReader := bytes.NewReader(finding.Sbom)
 
 	scans, warnings, err := snykClient.SBOMConvert(context.Background(), logger, sbomReader, remoteRepoURL)
@@ -166,11 +167,32 @@ func sbomToWorkflowData(finding scaplugin.Finding, snykClient *snykclient.SnykCl
 	}
 
 	if len(depGraphsData) == 0 {
-		return nil, fmt.Errorf("no dependency graphs found in SBOM conversion response")
+		depGraph, err := emptyDepGraph(finding)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create empty depgraph: %w", err)
+		}
+
+		data, err := workflowDataFromDepGraph(depGraph, finding.TargetFile, "")
+		if err != nil {
+			return nil, fmt.Errorf("failed to create workflow data: %w", err)
+		}
+		depGraphsData = append(depGraphsData, data)
 	}
 	return depGraphsData, nil
 }
 
+func emptyDepGraph(finding *scaplugin.Finding) (*depgraph.DepGraph, error) {
+	builder, err := depgraph.NewBuilder(
+		&depgraph.PkgManager{Name: finding.Metadata.Name},
+		&depgraph.PkgInfo{Name: finding.Metadata.Name, Version: finding.Metadata.Version},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build depgraph: %w", err)
+	}
+	depGraph := builder.Build()
+	return depGraph, nil
+}
+
 func extractDepGraphsFromScans(scans []*snykclient.ScanResult, targetFile string) ([]workflow.Data, error) {
 	var depGraphList []workflow.Data
 
@@ -180,20 +202,11 @@ func extractDepGraphsFromScans(scans []*snykclient.ScanResult, targetFile string
 			if fact.Type != "depGraph" {
 				continue
 			}
-			// Marshal the depgraph data to JSON bytes
-			depGraphBytes, err := json.Marshal(fact.Data)
-			if err != nil {
-				return nil, fmt.Errorf("failed to marshal depgraph data: %w", err)
-			}
 
 			// Create workflow data with the depgraph
-			data := workflow.NewData(DataTypeID, contentTypeJSON, depGraphBytes)
-
-			data.SetMetaData(contentLocationKey, targetFile)
-			data.SetMetaData(MetaKeyNormalisedTargetFile, targetFile)
-
-			if scan.Identity.Type != "" {
-				data.SetMetaData(MetaKeyTargetFileFromPlugin, scan.Identity.Type)
+			data, err := workflowDataFromDepGraph(fact.Data, targetFile, scan.Identity.Type)
+			if err != nil {
+				return nil, fmt.Errorf("failed to create workflow data: %w", err)
 			}
 
 			depGraphList = append(depGraphList, data)
@@ -202,3 +215,21 @@ func extractDepGraphsFromScans(scans []*snykclient.ScanResult, targetFile string
 
 	return depGraphList, nil
 }
+
+func workflowDataFromDepGraph(depGraph any, normalisedTargetFile, targetFileFromPlugin string) (workflow.Data, error) {
+	depGraphBytes, err := json.Marshal(depGraph)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal depgraph data: %w", err)
+	}
+
+	data := workflow.NewData(DataTypeID, contentTypeJSON, depGraphBytes)
+
+	data.SetMetaData(contentLocationKey, normalisedTargetFile)
+	data.SetMetaData(MetaKeyNormalisedTargetFile, normalisedTargetFile)
+
+	if targetFileFromPlugin != "" {
+		data.SetMetaData(MetaKeyTargetFileFromPlugin, targetFileFromPlugin)
+	}
+
+	return data, nil
+}
diff --git a/pkg/sca_plugin/interface.go b/pkg/sca_plugin/interface.go
@@ -4,8 +4,15 @@ import "github.com/rs/zerolog"
 
 type Options struct{}
 
+type Metadata struct {
+	PackageManager string
+	Name           string
+	Version        string
+}
+
 type Finding struct {
 	Sbom                 Sbom     // The raw SBOM bytes
+	Metadata             Metadata // Information about the finding
 	FileExclusions       []string // Paths for files that other plugins should ignore
 	NormalisedTargetFile string   // The target file name without any qualifiers, e.g. `uv.lock` (and not `dir/uv.lock`)
 }
