fix: add empty dep-graph when there are no dependencies

Author: thomasschafer

internal/depgraph/builder.go

@@ -22,7 +22,7 @@ const (
 
 func NewBuilder(pkgManager *PkgManager, rootPkg *PkgInfo) (*Builder, error) {
 	if pkgManager == nil {
-		return nil, errors.New("cannot create builder without a package manager")
+		return nil, errors.New("cannot create builder without a package manager") //nolint:wrapcheck // Code is copied from `dep-graph-go`
 	}
 
 	if rootPkg == nil {
@@ -118,12 +118,12 @@ func (b *Builder) addNode(nodeID string, pkgInfo *PkgInfo) *Node {
 func (b *Builder) ConnectNodes(parentNodeID, childNodeID string) error {
 	parentNode, ok := b.nodes[parentNodeID]
 	if !ok {
-		return fmt.Errorf("cound not find parent node %s", parentNodeID)
+		return fmt.Errorf("could not find parent node %s", parentNodeID)
 	}
 
 	childNode, ok := b.nodes[childNodeID]
 	if !ok {
-		return fmt.Errorf("cound not find child node %s", childNodeID)
+		return fmt.Errorf("could not find child node %s", childNodeID)
 	}
 
 	parentNode.Deps = append(parentNode.Deps, Dependency{

internal/mocks/uvclient.go

@@ -18,7 +18,12 @@ func (m *MockUVClient) ExportSBOM(inputDir string) (*scaplugin.Finding, error) {
 		return m.ExportSBOMFunc(inputDir)
 	}
 	return &scaplugin.Finding{
-		Sbom:                 []byte(`{"mock":"sbom"}`),
+		Sbom: []byte(`{"mock":"sbom"}`),
+		Metadata: scaplugin.Metadata{
+			PackageManager: "pip",
+			Name:           "mock-project",
+			Version:        "0.0.0",
+		},
 		FileExclusions:       []string{},
 		NormalisedTargetFile: uv.UvLockFileName,
 	}, nil

internal/uv/uvclient.go

@@ -50,12 +50,14 @@ func (c client) ExportSBOM(inputDir string) (*scaplugin.Finding, error) {
 		return nil, fmt.Errorf("failed to execute uv export: %w", err)
 	}
 
-	if err := validateSBOM(output); err != nil {
+	metadata, err := validateSBOM(output)
+	if err != nil {
 		return nil, err
 	}
 
 	return &scaplugin.Finding{
 		Sbom:           output,
+		Metadata:       *metadata,
 		FileExclusions: []string{
 			// TODO(uv): uncomment when we are able to pass these to the CLI correctly. Currently the
 			// `--exclude` flag does not accept paths, it only accepts file or dir names, which does not
@@ -68,27 +70,40 @@ func (c client) ExportSBOM(inputDir string) (*scaplugin.Finding, error) {
 }
 
 // Verifies that the SBOM is valid JSON and has a root component.
-func validateSBOM(sbomData []byte) error {
+func validateSBOM(sbomData []byte) (*scaplugin.Metadata, error) {
 	var sbom struct {
 		Metadata struct {
-			Component json.RawMessage `json:"component"`
+			Component *struct {
+				Name    string `json:"name"`
+				Version string `json:"version"`
+			} `json:"component"`
 		} `json:"metadata"`
 	}
 
 	if err := json.Unmarshal(sbomData, &sbom); err != nil {
-		return ecosystems.NewUnprocessableFileError(
+		return nil, ecosystems.NewUnprocessableFileError(
 			fmt.Sprintf("Failed to parse SBOM JSON: %v", err),
 			snyk_errors.WithCause(err),
 		)
 	}
 
-	if len(sbom.Metadata.Component) == 0 {
-		return ecosystems.NewUnprocessableFileError(
+	if sbom.Metadata.Component == nil {
+		return nil, ecosystems.NewUnprocessableFileError(
 			"SBOM missing root component at metadata.component - uv project may be missing a root package",
 		)
 	}
 
-	return nil
+	if sbom.Metadata.Component.Name == "" {
+		return nil, ecosystems.NewUnprocessableFileError(
+			"SBOM root component missing name - invalid SBOM structure",
+		)
+	}
+
+	return &scaplugin.Metadata{
+		PackageManager: "pip",
+		Name:           sbom.Metadata.Component.Name,
+		Version:        sbom.Metadata.Component.Version,
+	}, nil
 }
 
 func (c *client) ShouldExportSBOM(inputDir string, logger *zerolog.Logger) bool {

internal/uv/uvclient_test.go

@@ -28,7 +28,8 @@ func TestUVClient_ExportSBOM_Success(t *testing.T) {
 			"component": {
 				"type": "library",
 				"bom-ref": "test-project-1",
-				"name": "test-project"
+				"name": "test-project",
+				"version": "1.2.3"
 			}
 		}
 	}`
@@ -46,7 +47,11 @@ func TestUVClient_ExportSBOM_Success(t *testing.T) {
 	result, err := client.ExportSBOM("/test/dir")
 
 	assert.NoError(t, err)
+	require.NotNil(t, result)
 	assert.JSONEq(t, validSBOM, string(result.Sbom))
+	assert.Equal(t, "pip", result.Metadata.PackageManager)
+	assert.Equal(t, "test-project", result.Metadata.Name)
+	assert.Equal(t, "1.2.3", result.Metadata.Version)
 }
 
 func TestUVClient_ExportSBOM_Error(t *testing.T) {
@@ -159,47 +164,106 @@ func TestParseAndValidateVersion_UnparseableOutput(t *testing.T) {
 
 func TestValidateSBOM_Success(t *testing.T) {
 	tests := []struct {
-		name string
-		sbom string
+		name            string
+		sbom            string
+		expectedName    string
+		expectedVersion string
 	}{
 		{
-			name: "valid SBOM with component",
+			name: "valid SBOM with full component",
 			sbom: `{
 				"bomFormat": "CycloneDX",
 				"specVersion": "1.5",
 				"metadata": {
 					"component": {
 						"type": "library",
 						"name": "test-project",
+						"version": "1.0.0",
 						"bom-ref": "test-project-1"
 					}
 				}
 			}`,
+			expectedName:    "test-project",
+			expectedVersion: "1.0.0",
 		},
 		{
 			name: "valid SBOM with minimal component",
 			sbom: `{
 				"metadata": {
 					"component": {
-						"name": "my-project"
+						"name": "my-project",
+						"version": "0.1.0"
 					}
 				}
 			}`,
+			expectedName:    "my-project",
+			expectedVersion: "0.1.0",
+		},
+		{
+			name: "component without version",
+			sbom: `{
+				"bomFormat": "CycloneDX",
+				"specVersion": "1.5",
+				"metadata": {
+					"component": {
+						"name": "project-no-version"
+					}
+				}
+			}`,
+			expectedName:    "project-no-version",
+			expectedVersion: "",
+		},
+		{
+			name: "component with empty version string",
+			sbom: `{
+				"metadata": {
+					"component": {
+						"name": "project-empty-version",
+						"version": ""
+					}
+				}
+			}`,
+			expectedName:    "project-empty-version",
+			expectedVersion: "",
+		},
+		{
+			name: "component with additional fields",
+			sbom: `{
+				"bomFormat": "CycloneDX",
+				"specVersion": "1.5",
+				"metadata": {
+					"component": {
+						"type": "application",
+						"name": "complex-project",
+						"version": "3.0.0",
+						"bom-ref": "pkg:pypi/[email protected]",
+						"description": "A complex project",
+						"licenses": []
+					}
+				}
+			}`,
+			expectedName:    "complex-project",
+			expectedVersion: "3.0.0",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := validateSBOM([]byte(tt.sbom))
+			metadata, err := validateSBOM([]byte(tt.sbom))
 			assert.NoError(t, err)
+			require.NotNil(t, metadata)
+			assert.Equal(t, "pip", metadata.PackageManager)
+			assert.Equal(t, tt.expectedName, metadata.Name)
+			assert.Equal(t, tt.expectedVersion, metadata.Version)
 		})
 	}
 }
 
 func TestValidateSBOM_MissingComponent(t *testing.T) {
 	tests := []struct {
-		name string
-		sbom string
+		name               string
+		sbom               string
+		expectedErrMessage string
 	}{
 		{
 			name: "missing component field",
@@ -210,29 +274,47 @@ func TestValidateSBOM_MissingComponent(t *testing.T) {
 					"timestamp": "2025-11-17T16:20:47.525804000Z"
 				}
 			}`,
+			expectedErrMessage: "SBOM missing root component at metadata.component",
 		},
 		{
 			name: "missing metadata",
 			sbom: `{
 				"bomFormat": "CycloneDX",
 				"specVersion": "1.5"
 			}`,
+			expectedErrMessage: "SBOM missing root component at metadata.component",
+		},
+		{
+			name: "component with empty name",
+			sbom: `{
+				"bomFormat": "CycloneDX",
+				"specVersion": "1.5",
+				"metadata": {
+					"component": {
+						"name": "",
+						"version": "1.0.0"
+					}
+				}
+			}`,
+			expectedErrMessage: "SBOM root component missing name",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := validateSBOM([]byte(tt.sbom))
+			metadata, err := validateSBOM([]byte(tt.sbom))
+			assert.Nil(t, metadata)
 			require.Error(t, err)
 			var catalogErr snyk_errors.Error
 			assert.True(t, errors.As(err, &catalogErr), "error should be a catalog error")
-			assert.Contains(t, catalogErr.Detail, "SBOM missing root component at metadata.component")
+			assert.Contains(t, catalogErr.Detail, tt.expectedErrMessage)
 		})
 	}
 }
 
 func TestValidateSBOM_InvalidJSON(t *testing.T) {
-	err := validateSBOM([]byte("invalid json"))
+	metadata, err := validateSBOM([]byte("invalid json"))
+	assert.Nil(t, metadata)
 	require.Error(t, err)
 	var catalogErr snyk_errors.Error
 	assert.True(t, errors.As(err, &catalogErr), "error should be a catalog error")