fix it:tests and codacy review warning fix

franciscoovazevedo · franciscoovazevedo · commit 817662bdfaff · 2026-04-08T10:34:18.000+01:00
diff --git a/cmd/upload_sbom.go b/cmd/upload_sbom.go
@@ -25,9 +25,17 @@ var (
 	sbomTag       string
 	sbomRepoName  string
 	sbomEnv       string
-	sbomFormat string
+	sbomFormat  string
+	sbomBaseURL string
+
+	sbomHTTPClient httpDoer = http.DefaultClient
 )
 
+// httpDoer abstracts the Do method of http.Client for testing.
+type httpDoer interface {
+	Do(req *http.Request) (*http.Response, error)
+}
+
 func init() {
 	uploadSBOMCmd.Flags().StringVarP(&sbomAPIToken, "api-token", "a", "", "API token for Codacy API (required)")
 	uploadSBOMCmd.Flags().StringVarP(&sbomProvider, "provider", "p", "", "Git provider (gh, gl, bb) (required)")
@@ -85,28 +93,55 @@ func executeUploadSBOM(imageRef string) int {
 	}
 	sbomImageName = imageName
 
+	effectiveImageRef := fmt.Sprintf("%s:%s", imageName, tag)
+
 	logger.Info("Starting SBOM upload", logrus.Fields{
-		"image":    imageRef,
+		"image":    effectiveImageRef,
 		"provider": sbomProvider,
 		"org":      sbomOrg,
 	})
 
-	// Generate SBOM with Trivy
+	sbomPath, err := generateSBOM(effectiveImageRef)
+	if err != nil {
+		return 2
+	}
+	defer os.Remove(sbomPath)
+
+	fmt.Printf("Uploading SBOM to Codacy (org: %s/%s)...\n", sbomProvider, sbomOrg)
+	params := sbomUploadParams{
+		provider: sbomProvider,
+		org:      sbomOrg,
+		apiToken: sbomAPIToken,
+		repoName: sbomRepoName,
+		env:      sbomEnv,
+		baseURL:  sbomBaseURL,
+	}
+	if err := uploadSBOMToCodacy(sbomPath, sbomImageName, tag, params); err != nil {
+		logger.Error("Failed to upload SBOM", logrus.Fields{"error": err.Error()})
+		color.Red("Error: Failed to upload SBOM: %v", err)
+		return 1
+	}
+
+	color.Green("Successfully uploaded SBOM for %s:%s", sbomImageName, tag)
+	return 0
+}
+
+// generateSBOM runs Trivy to generate an SBOM file and returns the path to it.
+func generateSBOM(imageRef string) (string, error) {
 	trivyPath, err := getTrivyPath()
 	if err != nil {
 		handleTrivyNotFound(err)
-		return 2
+		return "", err
 	}
 
 	tmpFile, err := os.CreateTemp("", "codacy-sbom-*")
 	if err != nil {
 		logger.Error("Failed to create temp file", logrus.Fields{"error": err.Error()})
 		color.Red("Error: Failed to create temporary file: %v", err)
-		return 2
+		return "", err
 	}
 	tmpFile.Close()
 	sbomPath := tmpFile.Name()
-	defer os.Remove(sbomPath)
 
 	fmt.Printf("Generating SBOM for image: %s\n", imageRef)
 	args := []string{"image", "--format", sbomFormat, "-o", sbomPath, imageRef}
@@ -120,20 +155,11 @@ func executeUploadSBOM(imageRef string) int {
 			color.Red("Error: Failed to generate SBOM: %v", err)
 		}
 		logger.Error("Trivy SBOM generation failed", logrus.Fields{"error": err.Error()})
-		return 2
+		os.Remove(sbomPath)
+		return "", err
 	}
 	fmt.Println("SBOM generated successfully")
-
-	// Upload SBOM to Codacy
-	fmt.Printf("Uploading SBOM to Codacy (org: %s/%s)...\n", sbomProvider, sbomOrg)
-	if err := uploadSBOMToCodacy(sbomPath, sbomImageName, tag); err != nil {
-		logger.Error("Failed to upload SBOM", logrus.Fields{"error": err.Error()})
-		color.Red("Error: Failed to upload SBOM: %v", err)
-		return 1
-	}
-
-	color.Green("Successfully uploaded SBOM for %s:%s", sbomImageName, tag)
-	return 0
+	return sbomPath, nil
 }
 
 // parseImageRef splits an image reference into name and tag.
@@ -162,38 +188,31 @@ func parseImageRef(imageRef string) (string, string) {
 	return imageRef, "latest"
 }
 
-func uploadSBOMToCodacy(sbomPath, imageName, tag string) error {
-	url := fmt.Sprintf("https://app.codacy.com/api/v3/organizations/%s/%s/image-sboms",
-		sbomProvider, sbomOrg)
-
-	body := &bytes.Buffer{}
-	writer := multipart.NewWriter(body)
+type sbomUploadParams struct {
+	provider string
+	org      string
+	apiToken string
+	repoName string
+	env      string
+	baseURL  string
+}
 
-	// Add the SBOM file
-	sbomFile, err := os.Open(sbomPath)
-	if err != nil {
-		return fmt.Errorf("failed to open SBOM file: %w", err)
+func (p sbomUploadParams) uploadURL() string {
+	base := p.baseURL
+	if base == "" {
+		base = "https://app.codacy.com"
 	}
-	defer sbomFile.Close()
+	return fmt.Sprintf("%s/api/v3/organizations/%s/%s/image-sboms", base, p.provider, p.org)
+}
 
-	part, err := writer.CreateFormFile("sbom", filepath.Base(sbomPath))
-	if err != nil {
-		return fmt.Errorf("failed to create form file: %w", err)
-	}
-	if _, err := io.Copy(part, sbomFile); err != nil {
-		return fmt.Errorf("failed to write SBOM to form: %w", err)
-	}
+func uploadSBOMToCodacy(sbomPath, imageName, tag string, params sbomUploadParams) error {
+	url := params.uploadURL()
 
-	// Add required fields
-	writer.WriteField("imageName", imageName)
-	writer.WriteField("tag", tag)
+	body := &bytes.Buffer{}
+	writer := multipart.NewWriter(body)
 
-	// Add optional fields
-	if sbomRepoName != "" {
-		writer.WriteField("repositoryName", sbomRepoName)
-	}
-	if sbomEnv != "" {
-		writer.WriteField("environment", sbomEnv)
+	if err := buildSBOMMultipartForm(writer, sbomPath, imageName, tag, params); err != nil {
+		return err
 	}
 
 	if err := writer.Close(); err != nil {
@@ -206,9 +225,9 @@ func uploadSBOMToCodacy(sbomPath, imageName, tag string) error {
 	}
 	req.Header.Set("Content-Type", writer.FormDataContentType())
 	req.Header.Set("Accept", "application/json")
-	req.Header.Set("api-token", sbomAPIToken)
+	req.Header.Set("api-token", params.apiToken)
 
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := sbomHTTPClient.Do(req)
 	if err != nil {
 		return fmt.Errorf("request failed: %w", err)
 	}
@@ -221,3 +240,40 @@ func uploadSBOMToCodacy(sbomPath, imageName, tag string) error {
 
 	return nil
 }
+
+// buildSBOMMultipartForm populates the multipart form with the SBOM file and metadata fields.
+func buildSBOMMultipartForm(writer *multipart.Writer, sbomPath, imageName, tag string, params sbomUploadParams) error {
+	sbomFile, err := os.Open(sbomPath)
+	if err != nil {
+		return fmt.Errorf("failed to open SBOM file: %w", err)
+	}
+	defer sbomFile.Close()
+
+	part, err := writer.CreateFormFile("sbom", filepath.Base(sbomPath))
+	if err != nil {
+		return fmt.Errorf("failed to create form file: %w", err)
+	}
+	if _, err := io.Copy(part, sbomFile); err != nil {
+		return fmt.Errorf("failed to write SBOM to form: %w", err)
+	}
+
+	if err := writer.WriteField("imageName", imageName); err != nil {
+		return fmt.Errorf("failed to write imageName field: %w", err)
+	}
+	if err := writer.WriteField("tag", tag); err != nil {
+		return fmt.Errorf("failed to write tag field: %w", err)
+	}
+
+	if params.repoName != "" {
+		if err := writer.WriteField("repositoryName", params.repoName); err != nil {
+			return fmt.Errorf("failed to write repositoryName field: %w", err)
+		}
+	}
+	if params.env != "" {
+		if err := writer.WriteField("environment", params.env); err != nil {
+			return fmt.Errorf("failed to write environment field: %w", err)
+		}
+	}
+
+	return nil
+}
diff --git a/cmd/upload_sbom_test.go b/cmd/upload_sbom_test.go
@@ -3,31 +3,37 @@ package cmd
 import (
 	"errors"
 	"io"
+	"net/http"
+	"net/http/httptest"
 	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 )
 
 type sbomTestState struct {
-	apiToken string
-	provider string
-	org      string
-	repoName string
-	env      string
-	tag    string
-	format string
+	apiToken   string
+	provider   string
+	org        string
+	repoName   string
+	env        string
+	tag        string
+	format     string
+	baseURL    string
+	httpClient httpDoer
 }
 
 func saveSBOMState() sbomTestState {
 	return sbomTestState{
-		apiToken: sbomAPIToken,
-		provider: sbomProvider,
-		org:      sbomOrg,
-		repoName: sbomRepoName,
-		env:      sbomEnv,
-		tag:    sbomTag,
-		format:   sbomFormat,
+		apiToken:   sbomAPIToken,
+		provider:   sbomProvider,
+		org:        sbomOrg,
+		repoName:   sbomRepoName,
+		env:        sbomEnv,
+		tag:        sbomTag,
+		format:     sbomFormat,
+		baseURL:    sbomBaseURL,
+		httpClient: sbomHTTPClient,
 	}
 }
 
@@ -39,6 +45,8 @@ func (s sbomTestState) restore() {
 	sbomEnv = s.env
 	sbomTag = s.tag
 	sbomFormat = s.format
+	sbomBaseURL = s.baseURL
+	sbomHTTPClient = s.httpClient
 }
 
 // setSBOMDefaults sets the minimum required SBOM globals for tests
@@ -50,6 +58,7 @@ func setSBOMDefaults() {
 	sbomEnv = ""
 	sbomTag = ""
 	sbomFormat = "cyclonedx"
+	sbomBaseURL = ""
 }
 
 func TestParseImageRef(t *testing.T) {
@@ -169,11 +178,19 @@ func TestExecuteUploadSBOM_TrivyCalledWithCorrectFormat(t *testing.T) {
 				},
 			}
 			commandRunner = mockRunner
+
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusNoContent)
+			}))
+			defer server.Close()
+
 			setSBOMDefaults()
 			sbomFormat = format
+			sbomBaseURL = server.URL
+			sbomHTTPClient = server.Client()
 
-			// Will fail at upload (no real API), but we can verify Trivy args
-			_ = executeUploadSBOM("alpine:latest")
+			exitCode := executeUploadSBOM("alpine:latest")
+			assert.Equal(t, 0, exitCode)
 
 			assert.Len(t, mockRunner.Calls, 1)
 			assert.Contains(t, mockRunner.Calls[0].Args, "--format")
@@ -183,7 +200,12 @@ func TestExecuteUploadSBOM_TrivyCalledWithCorrectFormat(t *testing.T) {
 }
 
 func TestUploadSBOMToCodacy_FileNotFound(t *testing.T) {
-	err := uploadSBOMToCodacy("/nonexistent/file.json", "myapp", "latest")
+	params := sbomUploadParams{
+		provider: "gh",
+		org:      "test-org",
+		apiToken: "test-token",
+	}
+	err := uploadSBOMToCodacy("/nonexistent/file.json", "myapp", "latest", params)
 	assert.Error(t, err)
 	assert.Contains(t, err.Error(), "failed to open SBOM file")
 }
diff --git a/integration-tests/init-with-token/expected/codacy.yaml b/integration-tests/init-with-token/expected/codacy.yaml
@@ -5,7 +5,7 @@ runtimes:
 tools:
     - eslint@8.57.0
     - lizard@1.17.31
-    - opengrep@1.16.4
+    - opengrep@1.17.0
     - pmd@6.55.0
     - pylint@3.3.9
     - trivy@0.69.3
diff --git a/plugins/tools/trivy/test/expected.sarif b/plugins/tools/trivy/test/expected.sarif
