SP-3575_result-conversion

* Added automatic conversion to CycloneDx, SPDXLite and CSV

Author: Alex-1089

CHANGELOG.md

@@ -0,0 +1,18 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+### Added
+- Changes...
+
+## [1.1.0] - 2025-10-22
+### Added
+- Added raw results conversion to CycloneDX, SPDXLite and CSV
+### Changed
+- Upgraded scanoss-py version to v1.37.1
+
+[1.1.0]: https://github.com/scanoss/ado-code-scan/compare/v1.0.3...v1.1.0

OVERVIEW.md

@@ -153,7 +153,7 @@ When the pipeline is manually triggered or runs on a schedule, the results are u
 | policiesHaltOnFailure    | Halt check on policy failure. If set to false checks will not fail.                                                                                      | Optional       | `true`                               |
 | apiUrl                   | SCANOSS API URL                                                                                                                                          | Optional       | `https://api.osskb.org/scan/direct`  |
 | apiKey                   | SCANOSS API Key                                                                                                                                          | Optional       | -                                    |
-| runtimeContainer         | Runtime URL                                                                                                                                              | Optional       | `ghcr.io/scanoss/scanoss-py:v1.32.0` |
+| runtimeContainer         | Runtime URL                                                                                                                                              | Optional       | `ghcr.io/scanoss/scanoss-py:v1.37.1` |
 | licensesCopyleftInclude  | List of Copyleft licenses to append to the default list. Provide licenses as a comma-separated list.                                                     | Optional       | -                                    |
 | licensesCopyleftExclude  | List of Copyleft licenses to remove from default list. Provide licenses as a comma-separated list.                                                       | Optional       | -                                    |
 | licensesCopyleftExplicit | Explicit list of Copyleft licenses to consider. Provide licenses as a comma-separated list.                                                              | Optional       | -                                    |

codescantask/app.input.ts

@@ -31,10 +31,10 @@ export const COPYLEFT_LICENSE_EXCLUDE = tl.getInput('licensesCopyleftExclude');
 export const COPYLEFT_LICENSE_EXPLICIT = tl.getInput('licensesCopyleftExplicit');
 export const API_KEY = tl.getInput('apiKey');
 export const API_URL = tl.getInput('apiUrl');
-export const OUTPUT_FILEPATH = tl.getInput('outputFilepath') || "results.json";
+export const OUTPUT_FILEPATH = tl.getInput('outputFilepath') || "scanoss-raw.json";
 export const REPO_DIR = tl.getVariable('Build.Repository.LocalPath') || ''; // Get repository path
 export const POLICIES_HALT_ON_FAILURE = tl.getInput('policiesHaltOnFailure') === 'true';
-export const RUNTIME_CONTAINER = tl.getInput('runtimeContainer') || "ghcr.io/scanoss/scanoss-py:v1.32.0";
+export const RUNTIME_CONTAINER = tl.getInput('runtimeContainer') || "ghcr.io/scanoss/scanoss-py:v1.37.1";
 export const SKIP_SNIPPETS = tl.getInput('skipSnippets') === 'true';
 export const SCAN_FILES = tl.getInput('scanFiles') === 'true';
 export const SCANOSS_SETTINGS = tl.getInput('scanossSettings') === 'true';

codescantask/app.output.ts

@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: MIT
+/*
+   Copyright (c) 2025, SCANOSS
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+ */
+
+export const CYCLONEDX_FILE_NAME = 'scanoss-cyclonedx.json';
+
+export const SPDXLITE_FILE_NAME = 'scanoss-spdxlite.json';
+
+export const CSV_FILE_NAME = 'scanoss-sbom.csv'

codescantask/index.ts

@@ -23,6 +23,7 @@
 
 import tl = require('azure-pipelines-task-lib/task');
 import { ScanService } from './services/scan.service';
+import { scanossService } from "./services/scanoss.service";
 import { policyManager } from './policies/policy.manager';
 async function run() {
     try {
@@ -31,6 +32,12 @@ async function run() {
             await scanService.scan();
             const policies = policyManager.getPolicies();
 
+        // Convert raw result to CycloneDX, SPDXLite and CSV
+        const formats = ['cyclonedx', 'spdxlite', 'csv'];
+        for (const format of formats) {
+            await scanossService.reformatScanResults(format);
+        }
+
         // run policies
         for (const policy of policies) {
             await policy.run();

codescantask/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "azure-devops-integration",
-  "version": "1.0.3",
+  "version": "1.1.0",
   "description": "",
   "main": "index.js",
   "scripts": {

codescantask/package.json

@@ -0,0 +1,101 @@
+// SPDX-License-Identifier: MIT
+/*
+   Copyright (c) 2025, SCANOSS
+
+   Permission is hereby granted, free of charge, to any person obtaining a copy
+   of this software and associated documentation files (the "Software"), to deal
+   in the Software without restriction, including without limitation the rights
+   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+   copies of the Software, and to permit persons to whom the Software is
+   furnished to do so, subject to the following conditions:
+
+   The above copyright notice and this permission notice shall be included in
+   all copies or substantial portions of the Software.
+
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+   THE SOFTWARE.
+ */
+
+import * as tl from 'azure-pipelines-task-lib';
+import {EXECUTABLE, OUTPUT_FILEPATH, REPO_DIR, RUNTIME_CONTAINER} from "../app.input";
+import {CYCLONEDX_FILE_NAME, SPDXLITE_FILE_NAME, CSV_FILE_NAME} from "../app.output";
+import fs from 'fs';
+import path from "path";
+
+export class ScanOssService {
+    /**
+     * Build scanoss-py conversion parameters */
+    private buildReformatParameters(format: string, filename: string): string[] {
+        return [
+            'run',
+            '-v',
+            `${REPO_DIR}:/scanoss`,
+            RUNTIME_CONTAINER,
+            'convert',
+            '--input',
+            `./${OUTPUT_FILEPATH}`,
+            '--format',
+            `${format}`,
+            '--output',
+            `./${filename}`
+        ];
+    }
+
+    /**
+     * Reformats SCANOSS results using scanoss-py.
+     * Currently always generates CycloneDX, SPDXLite and CSV files to be
+     * uploaded as an artifact for other integrations.
+     */
+    async reformatScanResults(format: string): Promise<Error | undefined> {
+        try {
+            console.log(`Converting SCANOSS results to ${format} format...`);
+            const options = {
+                failOnStdErr: false,
+                ignoreReturnCode: false
+            };
+            const filename =
+                format === 'cyclonedx'
+                    ? CYCLONEDX_FILE_NAME
+                    : format === 'spdxlite'
+                        ? SPDXLITE_FILE_NAME
+                        : format === 'csv'
+                            ? CSV_FILE_NAME
+                            : undefined;
+            if (!filename) {
+                return new Error(`Unknown format: ${format}`);
+            }
+            const exitCode = await tl.execAsync(
+                EXECUTABLE,
+                this.buildReformatParameters(format, filename),
+                options
+            );
+            if (exitCode !== 0) {
+                return new Error(`Error converting scan results into ${format} format`);
+            }
+            // Check if reformatted file was actually created before trying to upload it
+            try {
+                const formatAbsolutePath = path.join(process.cwd(), filename)
+                await fs.promises.access(formatAbsolutePath, fs.constants.F_OK);
+                this.uploadToArtifacts(formatAbsolutePath);
+                console.log(`Successfully converted results into ${format} format`);
+            } catch (fileError) {
+                // File doesn't exist - this can happen with empty repos
+                console.log(`${format} conversion completed but no file generated (likely empty repository)`);
+            }
+        } catch (e: any) {
+            tl.error(e.message);
+        }
+    }
+
+    private uploadToArtifacts(pathToFile: string) {
+        const artifactName = 'scanoss';
+        tl.command('artifact.upload', { artifactname: artifactName }, pathToFile);
+    }
+}
+
+export const scanossService = new ScanOssService();

codescantask/services/scanoss.service.ts

@@ -9,8 +9,8 @@
   "author": "SCANOSS",
   "version": {
     "Major": 1,
-    "Minor": 0,
-    "Patch": 3
+    "Minor": 1,
+    "Patch": 0
   },
   "inputs": [
     {
@@ -81,15 +81,15 @@
       "name": "runtimeContainer",
       "type": "string",
       "label": "Runtime container",
-      "defaultValue": "ghcr.io/scanoss/scanoss-py:v1.32.0",
+      "defaultValue": "ghcr.io/scanoss/scanoss-py:v1.37.1",
       "required": false,
       "helpMarkDown": "Specify runtime container to perform the scan."
     },
     {
       "name": "outputFilepath",
       "type": "string",
       "label": "Output File Path",
-      "defaultValue": "results.json",
+      "defaultValue": "scanoss-raw.json",
       "required": false,
       "helpMarkDown": "Scan output file name."
     },
@@ -159,7 +159,7 @@
     }
   ],
   "execution": {
-    "Node16": {
+    "Node20_1": {
       "target": "index.js"
     }
   }

codescantask/task.json

@@ -2,7 +2,7 @@
   "manifestVersion": 1,
   "id": "scanoss-code-scan-dev",
   "name": "SCANOSS Code Scan DEV",
-  "version": "1.0.3",
+  "version": "0.21.51",
   "publisher": "SCANOSS",
   "public": false,
   "targets": [