fix it:tests and codacy review warning fix

Author: franciscoovazevedo

cmd/upload_sbom.go

@@ -91,22 +91,46 @@ func executeUploadSBOM(imageRef string) int {
 		"org":      sbomOrg,
 	})
 
-	// Generate SBOM with Trivy
+	sbomPath, err := generateSBOM(imageRef)
+	if err != nil {
+		return 2
+	}
+	defer os.Remove(sbomPath)
+
+	fmt.Printf("Uploading SBOM to Codacy (org: %s/%s)...\n", sbomProvider, sbomOrg)
+	params := sbomUploadParams{
+		provider: sbomProvider,
+		org:      sbomOrg,
+		apiToken: sbomAPIToken,
+		repoName: sbomRepoName,
+		env:      sbomEnv,
+	}
+	if err := uploadSBOMToCodacy(sbomPath, sbomImageName, tag, params); err != nil {
+		logger.Error("Failed to upload SBOM", logrus.Fields{"error": err.Error()})
+		color.Red("Error: Failed to upload SBOM: %v", err)
+		return 1
+	}
+
+	color.Green("Successfully uploaded SBOM for %s:%s", sbomImageName, tag)
+	return 0
+}
+
+// generateSBOM runs Trivy to generate an SBOM file and returns the path to it.
+func generateSBOM(imageRef string) (string, error) {
 	trivyPath, err := getTrivyPath()
 	if err != nil {
 		handleTrivyNotFound(err)
-		return 2
+		return "", err
 	}
 
 	tmpFile, err := os.CreateTemp("", "codacy-sbom-*")
 	if err != nil {
 		logger.Error("Failed to create temp file", logrus.Fields{"error": err.Error()})
 		color.Red("Error: Failed to create temporary file: %v", err)
-		return 2
+		return "", err
 	}
 	tmpFile.Close()
 	sbomPath := tmpFile.Name()
-	defer os.Remove(sbomPath)
 
 	fmt.Printf("Generating SBOM for image: %s\n", imageRef)
 	args := []string{"image", "--format", sbomFormat, "-o", sbomPath, imageRef}
@@ -120,20 +144,11 @@ func executeUploadSBOM(imageRef string) int {
 			color.Red("Error: Failed to generate SBOM: %v", err)
 		}
 		logger.Error("Trivy SBOM generation failed", logrus.Fields{"error": err.Error()})
-		return 2
+		os.Remove(sbomPath)
+		return "", err
 	}
 	fmt.Println("SBOM generated successfully")
-
-	// Upload SBOM to Codacy
-	fmt.Printf("Uploading SBOM to Codacy (org: %s/%s)...\n", sbomProvider, sbomOrg)
-	if err := uploadSBOMToCodacy(sbomPath, sbomImageName, tag); err != nil {
-		logger.Error("Failed to upload SBOM", logrus.Fields{"error": err.Error()})
-		color.Red("Error: Failed to upload SBOM: %v", err)
-		return 1
-	}
-
-	color.Green("Successfully uploaded SBOM for %s:%s", sbomImageName, tag)
-	return 0
+	return sbomPath, nil
 }
 
 // parseImageRef splits an image reference into name and tag.
@@ -162,38 +177,23 @@ func parseImageRef(imageRef string) (string, string) {
 	return imageRef, "latest"
 }
 
-func uploadSBOMToCodacy(sbomPath, imageName, tag string) error {
+type sbomUploadParams struct {
+	provider string
+	org      string
+	apiToken string
+	repoName string
+	env      string
+}
+
+func uploadSBOMToCodacy(sbomPath, imageName, tag string, params sbomUploadParams) error {
 	url := fmt.Sprintf("https://app.codacy.com/api/v3/organizations/%s/%s/image-sboms",
-		sbomProvider, sbomOrg)
+		params.provider, params.org)
 
 	body := &bytes.Buffer{}
 	writer := multipart.NewWriter(body)
 
-	// Add the SBOM file
-	sbomFile, err := os.Open(sbomPath)
-	if err != nil {
-		return fmt.Errorf("failed to open SBOM file: %w", err)
-	}
-	defer sbomFile.Close()
-
-	part, err := writer.CreateFormFile("sbom", filepath.Base(sbomPath))
-	if err != nil {
-		return fmt.Errorf("failed to create form file: %w", err)
-	}
-	if _, err := io.Copy(part, sbomFile); err != nil {
-		return fmt.Errorf("failed to write SBOM to form: %w", err)
-	}
-
-	// Add required fields
-	writer.WriteField("imageName", imageName)
-	writer.WriteField("tag", tag)
-
-	// Add optional fields
-	if sbomRepoName != "" {
-		writer.WriteField("repositoryName", sbomRepoName)
-	}
-	if sbomEnv != "" {
-		writer.WriteField("environment", sbomEnv)
+	if err := buildSBOMMultipartForm(writer, sbomPath, imageName, tag, params); err != nil {
+		return err
 	}
 
 	if err := writer.Close(); err != nil {
@@ -206,7 +206,7 @@ func uploadSBOMToCodacy(sbomPath, imageName, tag string) error {
 	}
 	req.Header.Set("Content-Type", writer.FormDataContentType())
 	req.Header.Set("Accept", "application/json")
-	req.Header.Set("api-token", sbomAPIToken)
+	req.Header.Set("api-token", params.apiToken)
 
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
@@ -221,3 +221,40 @@ func uploadSBOMToCodacy(sbomPath, imageName, tag string) error {
 
 	return nil
 }
+
+// buildSBOMMultipartForm populates the multipart form with the SBOM file and metadata fields.
+func buildSBOMMultipartForm(writer *multipart.Writer, sbomPath, imageName, tag string, params sbomUploadParams) error {
+	sbomFile, err := os.Open(sbomPath)
+	if err != nil {
+		return fmt.Errorf("failed to open SBOM file: %w", err)
+	}
+	defer sbomFile.Close()
+
+	part, err := writer.CreateFormFile("sbom", filepath.Base(sbomPath))
+	if err != nil {
+		return fmt.Errorf("failed to create form file: %w", err)
+	}
+	if _, err := io.Copy(part, sbomFile); err != nil {
+		return fmt.Errorf("failed to write SBOM to form: %w", err)
+	}
+
+	if err := writer.WriteField("imageName", imageName); err != nil {
+		return fmt.Errorf("failed to write imageName field: %w", err)
+	}
+	if err := writer.WriteField("tag", tag); err != nil {
+		return fmt.Errorf("failed to write tag field: %w", err)
+	}
+
+	if params.repoName != "" {
+		if err := writer.WriteField("repositoryName", params.repoName); err != nil {
+			return fmt.Errorf("failed to write repositoryName field: %w", err)
+		}
+	}
+	if params.env != "" {
+		if err := writer.WriteField("environment", params.env); err != nil {
+			return fmt.Errorf("failed to write environment field: %w", err)
+		}
+	}
+
+	return nil
+}

cmd/upload_sbom_test.go

@@ -183,7 +183,12 @@ func TestExecuteUploadSBOM_TrivyCalledWithCorrectFormat(t *testing.T) {
 }
 
 func TestUploadSBOMToCodacy_FileNotFound(t *testing.T) {
-	err := uploadSBOMToCodacy("/nonexistent/file.json", "myapp", "latest")
+	params := sbomUploadParams{
+		provider: "gh",
+		org:      "test-org",
+		apiToken: "test-token",
+	}
+	err := uploadSBOMToCodacy("/nonexistent/file.json", "myapp", "latest", params)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "failed to open SBOM file")
 }

integration-tests/init-with-token/expected/codacy.yaml

@@ -5,7 +5,7 @@ runtimes:
 tools:
     - eslint@8.57.0
     - lizard@1.17.31
-    - opengrep@1.16.4
+    - opengrep@1.17.0
     - pmd@6.55.0
     - pylint@3.3.9
     - trivy@0.69.3

plugins/tools/trivy/test/expected.sarif

@@ -34,7 +34,7 @@
             "text": "Package: django\nInstalled Version: 1.11.29\nVulnerability CVE-2021-33203\nSeverity: MEDIUM\nFixed Version: 2.2.24, 3.1.12, 3.2.4\nLink: [CVE-2021-33203](https://avd.aquasec.com/nvd/cve-2021-33203)"
           },
           "ruleId": "CVE-2021-33203",
-          "ruleIndex": 12
+          "ruleIndex": 14
         },
         {
           "level": "error",
@@ -61,7 +61,7 @@
             "text": "Package: django\nInstalled Version: 1.11.29\nVulnerability CVE-2022-36359\nSeverity: HIGH\nFixed Version: 3.2.15, 4.0.7\nLink: [CVE-2022-36359](https://avd.aquasec.com/nvd/cve-2022-36359)"
           },
           "ruleId": "CVE-2022-36359",
-          "ruleIndex": 9
+          "ruleIndex": 11
         },
         {
           "level": "error",
@@ -88,7 +88,7 @@
             "text": "Package: cross-spawn\nInstalled Version: 7.0.3\nVulnerability CVE-2024-21538\nSeverity: HIGH\nFixed Version: 7.0.5, 6.0.6\nLink: [CVE-2024-21538](https://avd.aquasec.com/nvd/cve-2024-21538)"
           },
           "ruleId": "CVE-2024-21538",
-          "ruleIndex": 2
+          "ruleIndex": 3
         },
         {
           "level": "warning",
@@ -115,7 +115,7 @@
             "text": "Package: django\nInstalled Version: 1.11.29\nVulnerability CVE-2024-45231\nSeverity: MEDIUM\nFixed Version: 5.1.1, 5.0.9, 4.2.16\nLink: [CVE-2024-45231](https://avd.aquasec.com/nvd/cve-2024-45231)"
           },
           "ruleId": "CVE-2024-45231",
-          "ruleIndex": 13
+          "ruleIndex": 15
         },
         {
           "level": "warning",
@@ -142,7 +142,7 @@
             "text": "Package: django\nInstalled Version: 1.11.29\nVulnerability CVE-2025-48432\nSeverity: MEDIUM\nFixed Version: 5.2.2, 5.1.10, 4.2.22\nLink: [CVE-2025-48432](https://avd.aquasec.com/nvd/cve-2025-48432)"
           },
           "ruleId": "CVE-2025-48432",
-          "ruleIndex": 14
+          "ruleIndex": 16
         },
         {
           "level": "error",
@@ -169,7 +169,7 @@
             "text": "Package: django\nInstalled Version: 1.11.29\nVulnerability CVE-2025-57833\nSeverity: HIGH\nFixed Version: 4.2.24, 5.1.12, 5.2.6\nLink: [CVE-2025-57833](https://avd.aquasec.com/nvd/cve-2025-57833)"
           },
           "ruleId": "CVE-2025-57833",
-          "ruleIndex": 10
+          "ruleIndex": 12
         },
         {
           "level": "note",
@@ -196,7 +196,7 @@
             "text": "Package: brace-expansion\nInstalled Version: 1.1.11\nVulnerability CVE-2025-5889\nSeverity: LOW\nFixed Version: 2.0.2, 1.1.12, 3.0.1, 4.0.1\nLink: [CVE-2025-5889](https://avd.aquasec.com/nvd/cve-2025-5889)"
           },
           "ruleId": "CVE-2025-5889",
-          "ruleIndex": 1
+          "ruleIndex": 2
         },
         {
           "level": "error",
@@ -223,7 +223,7 @@
             "text": "Package: django\nInstalled Version: 1.11.29\nVulnerability CVE-2025-64458\nSeverity: HIGH\nFixed Version: 5.2.8, 5.1.14, 4.2.26\nLink: [CVE-2025-64458](https://avd.aquasec.com/nvd/cve-2025-64458)"
           },
           "ruleId": "CVE-2025-64458",
-          "ruleIndex": 11
+          "ruleIndex": 13
         },
         {
           "level": "error",
@@ -250,7 +250,7 @@
             "text": "Package: django\nInstalled Version: 1.11.29\nVulnerability CVE-2025-64459\nSeverity: CRITICAL\nFixed Version: 5.2.8, 5.1.14, 4.2.26\nLink: [CVE-2025-64459](https://avd.aquasec.com/nvd/cve-2025-64459)"
           },
           "ruleId": "CVE-2025-64459",
-          "ruleIndex": 8
+          "ruleIndex": 10
         },
         {
           "level": "warning",
@@ -277,7 +277,7 @@
             "text": "Package: js-yaml\nInstalled Version: 4.1.0\nVulnerability CVE-2025-64718\nSeverity: MEDIUM\nFixed Version: 4.1.1, 3.14.2\nLink: [CVE-2025-64718](https://avd.aquasec.com/nvd/cve-2025-64718)"
           },
           "ruleId": "CVE-2025-64718",
-          "ruleIndex": 4
+          "ruleIndex": 6
         },
         {
           "level": "warning",
@@ -331,7 +331,7 @@
             "text": "Package: minimatch\nInstalled Version: 3.1.2\nVulnerability CVE-2026-26996\nSeverity: HIGH\nFixed Version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3\nLink: [CVE-2026-26996](https://avd.aquasec.com/nvd/cve-2026-26996)"
           },
           "ruleId": "CVE-2026-26996",
-          "ruleIndex": 5
+          "ruleIndex": 7
         },
         {
           "level": "error",
@@ -358,7 +358,7 @@
             "text": "Package: minimatch\nInstalled Version: 3.1.2\nVulnerability CVE-2026-27903\nSeverity: HIGH\nFixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3\nLink: [CVE-2026-27903](https://avd.aquasec.com/nvd/cve-2026-27903)"
           },
           "ruleId": "CVE-2026-27903",
-          "ruleIndex": 6
+          "ruleIndex": 8
         },
         {
           "level": "error",
@@ -385,7 +385,7 @@
             "text": "Package: minimatch\nInstalled Version: 3.1.2\nVulnerability CVE-2026-27904\nSeverity: HIGH\nFixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4\nLink: [CVE-2026-27904](https://avd.aquasec.com/nvd/cve-2026-27904)"
           },
           "ruleId": "CVE-2026-27904",
-          "ruleIndex": 7
+          "ruleIndex": 9
         },
         {
           "level": "error",
@@ -412,7 +412,61 @@
             "text": "Package: flatted\nInstalled Version: 3.3.1\nVulnerability CVE-2026-32141\nSeverity: HIGH\nFixed Version: 3.4.0\nLink: [CVE-2026-32141](https://avd.aquasec.com/nvd/cve-2026-32141)"
           },
           "ruleId": "CVE-2026-32141",
-          "ruleIndex": 3
+          "ruleIndex": 4
+        },
+        {
+          "level": "error",
+          "locations": [
+            {
+              "message": {
+                "text": "package-lock.json: flatted@3.3.1"
+              },
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "package-lock.json",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "endColumn": 1,
+                  "endLine": 823,
+                  "startColumn": 1,
+                  "startLine": 819
+                }
+              }
+            }
+          ],
+          "message": {
+            "text": "Package: flatted\nInstalled Version: 3.3.1\nVulnerability CVE-2026-33228\nSeverity: HIGH\nFixed Version: 3.4.2\nLink: [CVE-2026-33228](https://avd.aquasec.com/nvd/cve-2026-33228)"
+          },
+          "ruleId": "CVE-2026-33228",
+          "ruleIndex": 5
+        },
+        {
+          "level": "warning",
+          "locations": [
+            {
+              "message": {
+                "text": "package-lock.json: brace-expansion@1.1.11"
+              },
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "package-lock.json",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "endColumn": 1,
+                  "endLine": 357,
+                  "startColumn": 1,
+                  "startLine": 349
+                }
+              }
+            }
+          ],
+          "message": {
+            "text": "Package: brace-expansion\nInstalled Version: 1.1.11\nVulnerability CVE-2026-33750\nSeverity: MEDIUM\nFixed Version: 5.0.5, 3.0.2, 2.0.3, 1.1.13\nLink: [CVE-2026-33750](https://avd.aquasec.com/nvd/cve-2026-33750)"
+          },
+          "ruleId": "CVE-2026-33750",
+          "ruleIndex": 1
         }
       ],
       "tool": {