fix: add empty dep-graph when there are no dependencies

thomasschafer · thomasschafer · commit a6187de4ce08 · 2025-11-24T15:32:03.000Z
diff --git a/internal/depgraph/builder.go b/internal/depgraph/builder.go
@@ -22,7 +22,7 @@ const (
 
 func NewBuilder(pkgManager *PkgManager, rootPkg *PkgInfo) (*Builder, error) {
 	if pkgManager == nil {
-		return nil, errors.New("cannot create builder without a package manager")
+		return nil, errors.New("cannot create builder without a package manager") //nolint:wrapcheck // Code is copied from `dep-graph-go`
 	}
 
 	if rootPkg == nil {
@@ -118,12 +118,12 @@ func (b *Builder) addNode(nodeID string, pkgInfo *PkgInfo) *Node {
 func (b *Builder) ConnectNodes(parentNodeID, childNodeID string) error {
 	parentNode, ok := b.nodes[parentNodeID]
 	if !ok {
-		return fmt.Errorf("cound not find parent node %s", parentNodeID)
+		return fmt.Errorf("could not find parent node %s", parentNodeID)
 	}
 
 	childNode, ok := b.nodes[childNodeID]
 	if !ok {
-		return fmt.Errorf("cound not find child node %s", childNodeID)
+		return fmt.Errorf("could not find child node %s", childNodeID)
 	}
 
 	parentNode.Deps = append(parentNode.Deps, Dependency{
diff --git a/internal/mocks/uvclient.go b/internal/mocks/uvclient.go
@@ -18,7 +18,12 @@ func (m *MockUVClient) ExportSBOM(inputDir string) (*scaplugin.Finding, error) {
 		return m.ExportSBOMFunc(inputDir)
 	}
 	return &scaplugin.Finding{
-		Sbom:                 []byte(`{"mock":"sbom"}`),
+		Sbom: []byte(`{"mock":"sbom"}`),
+		Metadata: scaplugin.Metadata{
+			PackageManager: "pip",
+			Name:           "mock-project",
+			Version:        "0.0.0",
+		},
 		FileExclusions:       []string{},
 		NormalisedTargetFile: uv.UvLockFileName,
 	}, nil
diff --git a/internal/uv/uvclient.go b/internal/uv/uvclient.go
@@ -50,12 +50,14 @@ func (c client) ExportSBOM(inputDir string) (*scaplugin.Finding, error) {
 		return nil, fmt.Errorf("failed to execute uv export: %w", err)
 	}
 
-	if err := validateSBOM(output); err != nil {
+	metadata, err := validateSBOM(output)
+	if err != nil {
 		return nil, err
 	}
 
 	return &scaplugin.Finding{
 		Sbom:           output,
+		Metadata:       *metadata,
 		FileExclusions: []string{
 			// TODO(uv): uncomment when we are able to pass these to the CLI correctly. Currently the
 			// `--exclude` flag does not accept paths, it only accepts file or dir names, which does not
@@ -68,27 +70,34 @@ func (c client) ExportSBOM(inputDir string) (*scaplugin.Finding, error) {
 }
 
 // Verifies that the SBOM is valid JSON and has a root component.
-func validateSBOM(sbomData []byte) error {
+func validateSBOM(sbomData []byte) (*scaplugin.Metadata, error) {
 	var sbom struct {
 		Metadata struct {
-			Component json.RawMessage `json:"component"`
+			Component *struct {
+				Name    string `json:"name"`
+				Version string `json:"version"`
+			} `json:"component"`
 		} `json:"metadata"`
 	}
 
 	if err := json.Unmarshal(sbomData, &sbom); err != nil {
-		return ecosystems.NewUnprocessableFileError(
+		return nil, ecosystems.NewUnprocessableFileError(
 			fmt.Sprintf("Failed to parse SBOM JSON: %v", err),
 			snyk_errors.WithCause(err),
 		)
 	}
 
-	if len(sbom.Metadata.Component) == 0 {
-		return ecosystems.NewUnprocessableFileError(
+	if sbom.Metadata.Component == nil {
+		return nil, ecosystems.NewUnprocessableFileError(
 			"SBOM missing root component at metadata.component - uv project may be missing a root package",
 		)
 	}
 
-	return nil
+	return &scaplugin.Metadata{
+		PackageManager: "pip",
+		Name:           sbom.Metadata.Component.Name,
+		Version:        sbom.Metadata.Component.Version,
+	}, nil
 }
 
 func (c *client) ShouldExportSBOM(inputDir string, logger *zerolog.Logger) bool {
diff --git a/internal/uv/uvclient_test.go b/internal/uv/uvclient_test.go
@@ -28,7 +28,8 @@ func TestUVClient_ExportSBOM_Success(t *testing.T) {
 			"component": {
 				"type": "library",
 				"bom-ref": "test-project-1",
-				"name": "test-project"
+				"name": "test-project",
+				"version": "1.2.3"
 			}
 		}
 	}`
@@ -46,7 +47,11 @@ func TestUVClient_ExportSBOM_Success(t *testing.T) {
 	result, err := client.ExportSBOM("/test/dir")
 
 	assert.NoError(t, err)
+	require.NotNil(t, result)
 	assert.JSONEq(t, validSBOM, string(result.Sbom))
+	assert.Equal(t, "pip", result.Metadata.PackageManager)
+	assert.Equal(t, "test-project", result.Metadata.Name)
+	assert.Equal(t, "1.2.3", result.Metadata.Version)
 }
 
 func TestUVClient_ExportSBOM_Error(t *testing.T) {
@@ -159,39 +164,97 @@ func TestParseAndValidateVersion_UnparseableOutput(t *testing.T) {
 
 func TestValidateSBOM_Success(t *testing.T) {
 	tests := []struct {
-		name string
-		sbom string
+		name            string
+		sbom            string
+		expectedName    string
+		expectedVersion string
 	}{
 		{
-			name: "valid SBOM with component",
+			name: "valid SBOM with full component",
 			sbom: `{
 				"bomFormat": "CycloneDX",
 				"specVersion": "1.5",
 				"metadata": {
 					"component": {
 						"type": "library",
 						"name": "test-project",
+						"version": "1.0.0",
 						"bom-ref": "test-project-1"
 					}
 				}
 			}`,
+			expectedName:    "test-project",
+			expectedVersion: "1.0.0",
 		},
 		{
 			name: "valid SBOM with minimal component",
 			sbom: `{
 				"metadata": {
 					"component": {
-						"name": "my-project"
+						"name": "my-project",
+						"version": "0.1.0"
+					}
+				}
+			}`,
+			expectedName:    "my-project",
+			expectedVersion: "0.1.0",
+		},
+		{
+			name: "component without version",
+			sbom: `{
+				"bomFormat": "CycloneDX",
+				"specVersion": "1.5",
+				"metadata": {
+					"component": {
+						"name": "project-no-version"
+					}
+				}
+			}`,
+			expectedName:    "project-no-version",
+			expectedVersion: "",
+		},
+		{
+			name: "component with empty version string",
+			sbom: `{
+				"metadata": {
+					"component": {
+						"name": "project-empty-version",
+						"version": ""
+					}
+				}
+			}`,
+			expectedName:    "project-empty-version",
+			expectedVersion: "",
+		},
+		{
+			name: "component with additional fields",
+			sbom: `{
+				"bomFormat": "CycloneDX",
+				"specVersion": "1.5",
+				"metadata": {
+					"component": {
+						"type": "application",
+						"name": "complex-project",
+						"version": "3.0.0",
+						"bom-ref": "pkg:pypi/complex-project@3.0.0",
+						"description": "A complex project",
+						"licenses": []
 					}
 				}
 			}`,
+			expectedName:    "complex-project",
+			expectedVersion: "3.0.0",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := validateSBOM([]byte(tt.sbom))
+			metadata, err := validateSBOM([]byte(tt.sbom))
 			assert.NoError(t, err)
+			require.NotNil(t, metadata)
+			assert.Equal(t, "pip", metadata.PackageManager)
+			assert.Equal(t, tt.expectedName, metadata.Name)
+			assert.Equal(t, tt.expectedVersion, metadata.Version)
 		})
 	}
 }
@@ -222,7 +285,8 @@ func TestValidateSBOM_MissingComponent(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := validateSBOM([]byte(tt.sbom))
+			metadata, err := validateSBOM([]byte(tt.sbom))
+			assert.Nil(t, metadata)
 			require.Error(t, err)
 			var catalogErr snyk_errors.Error
 			assert.True(t, errors.As(err, &catalogErr), "error should be a catalog error")
@@ -232,7 +296,8 @@ func TestValidateSBOM_MissingComponent(t *testing.T) {
 }
 
 func TestValidateSBOM_InvalidJSON(t *testing.T) {
-	err := validateSBOM([]byte("invalid json"))
+	metadata, err := validateSBOM([]byte("invalid json"))
+	assert.Nil(t, metadata)
 	require.Error(t, err)
 	var catalogErr snyk_errors.Error
 	assert.True(t, errors.As(err, &catalogErr), "error should be a catalog error")
diff --git a/pkg/depgraph/sbom_resolution.go b/pkg/depgraph/sbom_resolution.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/rs/zerolog"
+	"github.com/snyk/cli-extension-dep-graph/internal/depgraph"
 	"github.com/snyk/cli-extension-dep-graph/internal/snykclient"
 	"github.com/snyk/cli-extension-dep-graph/internal/uv"
 	scaplugin "github.com/snyk/cli-extension-dep-graph/pkg/sca_plugin"
@@ -81,7 +82,7 @@ func handleSBOMResolutionDI(
 	// Convert SBOMs to workflow.Data
 	workflowData := []workflow.Data{}
 	for _, f := range findings { // Could be parallelised in future
-		data, err := sbomToWorkflowData(f, snykClient, logger, remoteRepoURL)
+		data, err := sbomToWorkflowData(&f, snykClient, logger, remoteRepoURL)
 		if err != nil {
 			return nil, fmt.Errorf("error converting SBOM: %w", err)
 		}
@@ -150,7 +151,7 @@ func executeLegacyWorkflow(
 	return nil, fmt.Errorf("error handling legacy workflow: %w", err)
 }
 
-func sbomToWorkflowData(finding scaplugin.Finding, snykClient *snykclient.SnykClient, logger *zerolog.Logger, remoteRepoURL string) ([]workflow.Data, error) {
+func sbomToWorkflowData(finding *scaplugin.Finding, snykClient *snykclient.SnykClient, logger *zerolog.Logger, remoteRepoURL string) ([]workflow.Data, error) {
 	sbomReader := bytes.NewReader(finding.Sbom)
 
 	scans, warnings, err := snykClient.SBOMConvert(context.Background(), logger, sbomReader, remoteRepoURL)
@@ -166,11 +167,32 @@ func sbomToWorkflowData(finding scaplugin.Finding, snykClient *snykclient.SnykCl
 	}
 
 	if len(depGraphsData) == 0 {
-		return nil, fmt.Errorf("no dependency graphs found in SBOM conversion response")
+		depGraph, err := emptyDepGraph(finding)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create empty depgraph: %w", err)
+		}
+
+		data, err := workflowDataFromDepGraph(depGraph, finding.NormalisedTargetFile, "")
+		if err != nil {
+			return nil, fmt.Errorf("failed to create workflow data: %w", err)
+		}
+		depGraphsData = append(depGraphsData, data)
 	}
 	return depGraphsData, nil
 }
 
+func emptyDepGraph(finding *scaplugin.Finding) (*depgraph.DepGraph, error) {
+	builder, err := depgraph.NewBuilder(
+		&depgraph.PkgManager{Name: finding.Metadata.PackageManager},
+		&depgraph.PkgInfo{Name: finding.Metadata.Name, Version: finding.Metadata.Version},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build depgraph: %w", err)
+	}
+	depGraph := builder.Build()
+	return depGraph, nil
+}
+
 func extractDepGraphsFromScans(scans []*snykclient.ScanResult, targetFile string) ([]workflow.Data, error) {
 	var depGraphList []workflow.Data
 
@@ -180,20 +202,11 @@ func extractDepGraphsFromScans(scans []*snykclient.ScanResult, targetFile string
 			if fact.Type != "depGraph" {
 				continue
 			}
-			// Marshal the depgraph data to JSON bytes
-			depGraphBytes, err := json.Marshal(fact.Data)
-			if err != nil {
-				return nil, fmt.Errorf("failed to marshal depgraph data: %w", err)
-			}
 
 			// Create workflow data with the depgraph
-			data := workflow.NewData(DataTypeID, contentTypeJSON, depGraphBytes)
-
-			data.SetMetaData(contentLocationKey, targetFile)
-			data.SetMetaData(MetaKeyNormalisedTargetFile, targetFile)
-
-			if scan.Identity.Type != "" {
-				data.SetMetaData(MetaKeyTargetFileFromPlugin, scan.Identity.Type)
+			data, err := workflowDataFromDepGraph(fact.Data, targetFile, scan.Identity.Type)
+			if err != nil {
+				return nil, fmt.Errorf("failed to create workflow data: %w", err)
 			}
 
 			depGraphList = append(depGraphList, data)
@@ -202,3 +215,21 @@ func extractDepGraphsFromScans(scans []*snykclient.ScanResult, targetFile string
 
 	return depGraphList, nil
 }
+
+func workflowDataFromDepGraph(depGraph any, normalisedTargetFile, targetFileFromPlugin string) (workflow.Data, error) {
+	depGraphBytes, err := json.Marshal(depGraph)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal depgraph data: %w", err)
+	}
+
+	data := workflow.NewData(DataTypeID, contentTypeJSON, depGraphBytes)
+
+	data.SetMetaData(contentLocationKey, normalisedTargetFile)
+	data.SetMetaData(MetaKeyNormalisedTargetFile, normalisedTargetFile)
+
+	if targetFileFromPlugin != "" {
+		data.SetMetaData(MetaKeyTargetFileFromPlugin, targetFileFromPlugin)
+	}
+
+	return data, nil
+}
diff --git a/pkg/depgraph/sbom_resolution_test.go b/pkg/depgraph/sbom_resolution_test.go
diff --git a/pkg/sca_plugin/interface.go b/pkg/sca_plugin/interface.go

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ const (`
`22`	`22`
`23`	`23`	`func NewBuilder(pkgManager PkgManager, rootPkg PkgInfo) (*Builder, error) {`
`24`	`24`	`if pkgManager == nil {`
`25`		`- return nil, errors.New("cannot create builder without a package manager")`
	`25`	+ return nil, errors.New("cannot create builder without a package manager") //nolint:wrapcheck // Code is copied from `dep-graph-go`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`if rootPkg == nil {`
`@@ -118,12 +118,12 @@ func (b Builder) addNode(nodeID string, pkgInfo PkgInfo) *Node {`
`118`	`118`	`func (b *Builder) ConnectNodes(parentNodeID, childNodeID string) error {`
`119`	`119`	`parentNode, ok := b.nodes[parentNodeID]`
`120`	`120`	`if !ok {`
`121`		`- return fmt.Errorf("cound not find parent node %s", parentNodeID)`
	`121`	`+ return fmt.Errorf("could not find parent node %s", parentNodeID)`
`122`	`122`	`}`
`123`	`123`
`124`	`124`	`childNode, ok := b.nodes[childNodeID]`
`125`	`125`	`if !ok {`
`126`		`- return fmt.Errorf("cound not find child node %s", childNodeID)`
	`126`	`+ return fmt.Errorf("could not find child node %s", childNodeID)`
`127`	`127`	`}`
`128`	`128`
`129`	`129`	`parentNode.Deps = append(parentNode.Deps, Dependency{`
Original file line number	Diff line number	Diff line change
`@@ -50,12 +50,14 @@ func (c client) ExportSBOM(inputDir string) (*scaplugin.Finding, error) {`
`50`	`50`	`return nil, fmt.Errorf("failed to execute uv export: %w", err)`
`51`	`51`	`}`
`52`	`52`
`53`		`- if err := validateSBOM(output); err != nil {`
	`53`	`+ metadata, err := validateSBOM(output)`
	`54`	`+ if err != nil {`
`54`	`55`	`return nil, err`
`55`	`56`	`}`
`56`	`57`
`57`	`58`	`return &scaplugin.Finding{`
`58`	`59`	`Sbom: output,`
	`60`	`+ Metadata: *metadata,`
`59`	`61`	`FileExclusions: []string{`
`60`	`62`	`// TODO(uv): uncomment when we are able to pass these to the CLI correctly. Currently the`
`61`	`63`	// `--exclude` flag does not accept paths, it only accepts file or dir names, which does not
`@@ -68,27 +70,34 @@ func (c client) ExportSBOM(inputDir string) (*scaplugin.Finding, error) {`
`68`	`70`	`}`
`69`	`71`
`70`	`72`	`// Verifies that the SBOM is valid JSON and has a root component.`
`71`		`-func validateSBOM(sbomData []byte) error {`
	`73`	`+func validateSBOM(sbomData []byte) (*scaplugin.Metadata, error) {`
`72`	`74`	`var sbom struct {`
`73`	`75`	`Metadata struct {`
`74`		- Component json.RawMessage `json:"component"`
	`76`	`+ Component *struct {`
	`77`	+ Name string `json:"name"`
	`78`	+ Version string `json:"version"`
	`79`	+ } `json:"component"`
`75`	`80`	} `json:"metadata"`
`76`	`81`	`}`
`77`	`82`
`78`	`83`	`if err := json.Unmarshal(sbomData, &sbom); err != nil {`
`79`		`- return ecosystems.NewUnprocessableFileError(`
	`84`	`+ return nil, ecosystems.NewUnprocessableFileError(`
`80`	`85`	`fmt.Sprintf("Failed to parse SBOM JSON: %v", err),`
`81`	`86`	`snyk_errors.WithCause(err),`
`82`	`87`	`)`
`83`	`88`	`}`
`84`	`89`
`85`		`- if len(sbom.Metadata.Component) == 0 {`
`86`		`- return ecosystems.NewUnprocessableFileError(`
	`90`	`+ if sbom.Metadata.Component == nil {`
	`91`	`+ return nil, ecosystems.NewUnprocessableFileError(`
`87`	`92`	`"SBOM missing root component at metadata.component - uv project may be missing a root package",`
`88`	`93`	`)`
`89`	`94`	`}`
`90`	`95`
`91`		`- return nil`
	`96`	`+ return &scaplugin.Metadata{`
	`97`	`+ PackageManager: "pip",`
	`98`	`+ Name: sbom.Metadata.Component.Name,`
	`99`	`+ Version: sbom.Metadata.Component.Version,`
	`100`	`+ }, nil`
`92`	`101`	`}`
`93`	`102`
`94`	`103`	`func (c client) ShouldExportSBOM(inputDir string, logger zerolog.Logger) bool {`