
Implemented CycloneDX reporter with metadata, packages & vulnerabilities #434

Merged (10 commits) on Apr 8, 2025

Conversation

@OmkarPh (Member) commented Mar 28, 2025

Update script to get latest SPDX license:

    bash ./scripts/download_spdx_licenses.sh

Use flags:

    --report-cdx path/to/cdxreport.json \
    --report-cdx-app-name myapp # optional

Sample reports:

  • cdxgen report: rakshak-cdxgen-bom.json
  • vet cdx report: vet-rakshak-cdx.json

@OmkarPh OmkarPh requested a review from abhisek March 28, 2025 09:27
@OmkarPh OmkarPh linked an issue Mar 28, 2025 that may be closed by this pull request
@OmkarPh OmkarPh requested a review from Copilot March 31, 2025 12:09
@Copilot (Contributor) left a comment

Pull Request Overview

This PR implements a new CycloneDX reporter to generate SBOMs with metadata, packages, and vulnerabilities. The changes include:

  • Adding new CLI flags for CycloneDX report generation in both scan and query commands.
  • Creating a new CycloneDX reporter in pkg/reporter/cyclonedx.go to build and encode BOMs.
  • Updating various package readers to provide an ApplicationName method and refactoring package URL generation in models.

Reviewed Changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated no comments.

Summary per file:

  • scan.go & query.go: Added new flags and logic to support CycloneDX report generation.
  • pkg/reporter/cyclonedx.go: New implementation for generating CycloneDX reports including metadata and BOM.
  • pkg/reporter/json_report.go: Minor cleanup by removing extraneous whitespace.
  • pkg/readers/*: Updated multiple readers to include an ApplicationName method.
  • pkg/models/models.go: Refactored package URL generation by renaming ShortName to GetPackageUrl.
  • pkg/common/utils/pointers.go: Added a generic pointer helper function.

@OmkarPh OmkarPh requested a review from Copilot April 3, 2025 11:22
@OmkarPh OmkarPh marked this pull request as ready for review April 3, 2025 11:22
@Copilot (Contributor) left a comment

Pull Request Overview

This PR implements a CycloneDX reporter with new flags for generating reports that include metadata, package information, and vulnerabilities. Key changes include adding the ApplicationName() method to multiple package readers, updating test assertions for error handling, and refining naming conventions in models and constants.

Reviewed Changes

Copilot reviewed 29 out of 29 changed files in this pull request and generated 1 comment.

Summary per file:

  • pkg/readers/reader.go: Added ApplicationName() method to the PackageManifestReader interface.
  • pkg/readers/purl_reader.go: Implemented ApplicationName() in the PURL reader using parsed package details.
  • pkg/readers/lockfile_reader*.go: Introduced ApplicationName() methods and updated test assertions for proper error handling.
  • pkg/readers/json_dump_reader*.go: Added ApplicationName() and updated parameter formatting in EnumManifests methods.
  • pkg/readers/github_reader*.go: Added ApplicationName(), reformatted signatures for EnumManifests and supporting functions.
  • pkg/readers/github_org_reader.go: Added ApplicationName() and streamlined function signatures in EnumManifests.
  • pkg/readers/dir_reader*.go: Added ApplicationName() based on directory basename and updated test function formatting.
  • pkg/readers/common.go: Introduced a defaultApplicationName constant.
  • pkg/parser/pywheel.go: Updated regex literals to backticks for consistency.
  • pkg/models/models.go: Updated the MalwareAnalysisResult Id prefix and reworked ShortName to call GetPackageUrl.
  • pkg/exceptions/*.go: Updated error handling in tests by asserting nil errors after loading exceptions.
  • pkg/common/utils/*: Removed a string pointer utility and replaced it with a generic pointers implementation.
  • pkg/analyzer/*: Removed unnecessary break statements and improved formatting of header rows and signatures.
  • main.go: Updated vendor constants and introduced a new vetPurl variable.
Comments suppressed due to low confidence (2)

pkg/models/models.go:429

  • [nitpick] The 'ShortName' method currently returns the full package URL by calling GetPackageUrl(), which may be misleading. Consider renaming it or updating its documentation for greater clarity.

    func (p *Package) ShortName() string {

pkg/readers/github_reader.go:46

  • [nitpick] ApplicationName implementations across readers return different default strings. Consider unifying the pattern or documenting the differences to ensure consistent usage across the codebase.

    func (p *githubReader) ApplicationName() (string, error) {

@OmkarPh OmkarPh requested review from abhisek and Copilot April 3, 2025 11:25
@Copilot (Contributor) left a comment

Pull Request Overview

This PR implements a CycloneDX reporter with added metadata, packages, and vulnerabilities reporting while also updating various readers to include an ApplicationName method. Key changes include refactoring callback signatures in readers, introducing a new pointers utility function, and updating package model methods and error handling in tests.

Reviewed Changes

Copilot reviewed 32 out of 32 changed files in this pull request and generated no comments.

Summary per file:

  • pkg/readers/lockfile_reader(_test).go: Refactored callback signatures and added assertion on err
  • pkg/readers/json_dump_reader(_test).go: Refactored callback signatures and added assertion on err
  • pkg/readers/github_reader(_test).go: Introduced ApplicationName and updated callback signatures
  • pkg/readers/github_org_reader(_test).go: Added ApplicationName support and improved test coverage
  • pkg/readers/dir_reader(_test).go: Added ApplicationName support for directory-based reader
  • pkg/readers/common.go: Introduces defaultApplicationName constant
  • pkg/parser/pywheel.go: Updated regex literals with backticks for clarity
  • pkg/models/models.go: Updated malware analysis prefix and refactored ShortName method
  • pkg/exceptions/*.go: Updated error handling for Load function in exception tests
  • pkg/common/utils/(string.go, pointers.go): Removed legacy string pointer helper; introduced generic utility
  • pkg/analyzer/(filter/eval.go, cel_filter.go): Removed redundant break statements and improved function signatures
  • main.go: Updated vendor name and vendor info URI for consistency
Comments suppressed due to low confidence (2)

pkg/models/models.go:423

  • [nitpick] The 'ShortName' method now wraps a call to GetPackageUrl(), which may be misleading since 'ShortName' typically implies a concise name rather than a full package URL. Consider renaming the method to something more indicative of its returned value or updating its documentation for clarity.

    func (p *Package) GetPackageUrl() string {

pkg/readers/common.go:3

  • [nitpick] The defaultApplicationName is defined as 'vet-scanned-project' whereas other readers’ ApplicationName methods return names ending in 'projects'. Consider aligning the naming convention for consistency across the codebase.

    const defaultApplicationName = "vet-scanned-project"

@OmkarPh OmkarPh force-pushed the feat/#108-cyclonedx-reporter branch from e964e03 to a425fa2 Compare April 3, 2025 15:38
@abhisek abhisek requested a review from Copilot April 7, 2025 06:46
@abhisek (Member) commented Apr 7, 2025

@OmkarPh Can you rebase with main please?

@Copilot (Contributor) left a comment

Copilot reviewed 32 out of 32 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (2)

pkg/readers/github_reader.go:43

  • [nitpick] Consider updating the returned string to 'GitHub Based Package Manifest Reader' for consistency with GitHub branding.

    return "Github Based Package Manifest Reader"

pkg/models/models.go:429

  • [nitpick] The function 'ShortName' returns the package URL, which may be misleading. Consider renaming it to better reflect its purpose (e.g., 'GetShortName' or a more descriptive name).

    func (p *Package) ShortName() string {

@OmkarPh OmkarPh force-pushed the feat/#108-cyclonedx-reporter branch from a425fa2 to 3dfe0e6 Compare April 7, 2025 07:04

github-actions bot commented Apr 8, 2025

vet Summary Report

This report is generated by vet

Policy Checks

  • ✅ Vulnerability
  • ✅ Malware
  • ✅ License
  • ✅ Popularity
  • ✅ Maintenance
  • ✅ Security Posture
  • ✅ Threats

Malicious Package Analysis

Malicious package analysis is performed using SafeDep Cloud API.

Malicious Package Analysis Report

  • Ecosystem: ECOSYSTEM_GO; Package: github.com/pandatix/go-cvss; Version: 0.6.2; Status/Report: 🔗
  • ℹ️ 1 packages have been actively analyzed for malicious behaviour.
  • ✅ No malicious packages found.

Changed Packages

  • ✅ [Go] github.com/pandatix/go-cvss@0.6.2

OmkarPh and others added 9 commits April 8, 2025 11:28
Signed-off-by: Omkar Phansopkar <omkarphansopkar@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@OmkarPh OmkarPh force-pushed the feat/#108-cyclonedx-reporter branch from 1738007 to 8758f35 Compare April 8, 2025 05:59
@OmkarPh OmkarPh requested a review from Copilot April 8, 2025 05:59
@Copilot (Contributor) left a comment

Copilot reviewed 36 out of 37 changed files in this pull request and generated no comments.

Files not reviewed (1)
  • go.mod: Language not supported
Comments suppressed due to low confidence (4)

pkg/common/utils/string.go:1

  • Ensure that the removal of StringPtr is safe by verifying that no other parts of the code reference it.

    package utils

pkg/models/models.go:429

  • [nitpick] The method name ShortName now returns the package URL via GetPackageUrl, which might be misleading; consider renaming it to better reflect its functionality.

    func (p *Package) ShortName() string {

pkg/common/utils/sbom/sbom.go:39

  • [nitpick] Consider adding documentation or refactoring the CVSS vector version detection logic in CalculateCvssScore to improve clarity and maintainability.

    default:

pkg/readers/github_org_reader_test.go:48

  • [nitpick] Consider using a more descriptive test case name than 'URL has org++' to clarify the intended scenario.

    "URL has org++",
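As an added illustration (not code from this PR or from the vet project), the following Go program shows what a CycloneDX reporter of the kind this PR describes has to assemble: a metadata block carrying the application name (falling back to the PR's `vet-scanned-project` default when none is given), one component per scanned package keyed by its purl, and vulnerability entries that point back at those components by bom-ref, with the CVSS version detected from the vector prefix, which is the logic the review comment above asks to have documented. The type and function names (`ScannedPackage`, `Finding`, `PackageURL`, `CvssMethod`, `BuildBOM`), the hand-written schema subset, the sample packages and the advisory id are all constructed assumptions; vet's real `GetPackageUrl`, `CalculateCvssScore` and `ApplicationName` are not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Hand-written subset of the CycloneDX 1.5 JSON shape; vet's own reporter types are not reproduced.
type cdxComponent struct {
	BOMRef  string `json:"bom-ref"`
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
	PURL    string `json:"purl,omitempty"`
}
type cdxVulnerability struct {
	ID      string              `json:"id"`
	Ratings []map[string]string `json:"ratings"` // "method" (CVSSv2/CVSSv31/CVSSv4) and "vector"
	Affects []map[string]string `json:"affects"` // "ref": bom-ref of the affected component
}
type cdxBOM struct {
	BOMFormat       string             `json:"bomFormat"`
	SpecVersion     string             `json:"specVersion"`
	Version         int                `json:"version"`
	Metadata        map[string]any     `json:"metadata"` // timestamp, tools, root component
	Components      []cdxComponent     `json:"components,omitempty"`
	Vulnerabilities []cdxVulnerability `json:"vulnerabilities,omitempty"`
}

// Constructed stand-ins for the scanner's package and finding models (assumptions).
type Finding struct{ ID, Vector string }
type ScannedPackage struct {
	Ecosystem, Name, Version string
	Vulns                    []Finding
}

// PackageURL maps an ecosystem to its purl type (Go and npm only here). A scoped npm name's
// leading '@' belongs to the namespace and is percent-encoded; the '@' before the version is not.
func PackageURL(p ScannedPackage) (string, error) {
	purlType, ok := map[string]string{"Go": "golang", "npm": "npm"}[p.Ecosystem]
	if !ok {
		return "", fmt.Errorf("unsupported ecosystem %q", p.Ecosystem)
	}
	return "pkg:" + purlType + "/" + strings.Replace(p.Name, "@", "%40", 1) + "@" + p.Version, nil
}

// CvssMethod detects the CVSS version from the vector prefix (v2 vectors carry none)
// and returns the matching CycloneDX rating method name.
func CvssMethod(vector string) (string, error) {
	switch {
	case strings.HasPrefix(vector, "CVSS:4.0/"):
		return "CVSSv4", nil
	case strings.HasPrefix(vector, "CVSS:3.1/"):
		return "CVSSv31", nil
	case strings.HasPrefix(vector, "AV:"):
		return "CVSSv2", nil
	}
	return "", fmt.Errorf("unrecognised CVSS vector %q", vector)
}

// BuildBOM assembles metadata, components and vulnerabilities into one BOM; an empty
// appName falls back to "vet-scanned-project", the default constant introduced by this PR.
func BuildBOM(appName string, pkgs []ScannedPackage, now time.Time) (*cdxBOM, error) {
	if appName == "" {
		appName = "vet-scanned-project"
	}
	bom := &cdxBOM{BOMFormat: "CycloneDX", SpecVersion: "1.5", Version: 1, Metadata: map[string]any{
		"timestamp": now.UTC().Format(time.RFC3339),
		"tools":     []map[string]string{{"vendor": "example-vendor", "name": "vet", "version": "0.0.0-example"}},
		"component": cdxComponent{BOMRef: appName, Type: "application", Name: appName},
	}}
	for _, p := range pkgs {
		purl, err := PackageURL(p)
		if err != nil {
			return nil, err
		}
		// The purl doubles as bom-ref so vulnerability entries can reference the component.
		bom.Components = append(bom.Components, cdxComponent{BOMRef: purl, Type: "library", Name: p.Name, Version: p.Version, PURL: purl})
		for _, f := range p.Vulns {
			method, err := CvssMethod(f.Vector)
			if err != nil {
				return nil, err
			}
			bom.Vulnerabilities = append(bom.Vulnerabilities, cdxVulnerability{ID: f.ID,
				Ratings: []map[string]string{{"method": method, "vector": f.Vector}},
				Affects: []map[string]string{{"ref": purl}}})
		}
	}
	return bom, nil
}

func main() {
	pkgs := []ScannedPackage{ // constructed sample input: one vulnerable Go module, one clean scoped npm package
		{Ecosystem: "Go", Name: "github.com/example/lib", Version: "v1.2.3",
			Vulns: []Finding{{"GHSA-xxxx-example", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}},
		{Ecosystem: "npm", Name: "@scope/pkg", Version: "2.0.0"},
	}
	bom, err := BuildBOM("", pkgs, time.Now())
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(bom, "", "  ")
	fmt.Println(string(out))
}
```

`go run` prints the BOM as JSON. Two points worth noting when building a reporter like this: the bom-ref of each component must be unique, and reusing the purl for it is a simple way to guarantee that while keeping `affects` entries resolvable; and the `tools` array form used here is the legacy shape that CycloneDX 1.5 still accepts, the newer object form with `components`/`services` being preferred for new output.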

@abhisek abhisek merged commit 923fc47 into main Apr 8, 2025
9 checks passed
@abhisek abhisek deleted the feat/#108-cyclonedx-reporter branch April 8, 2025 14:24
@abhisek (Member) commented Apr 8, 2025

FYI @KunalSin9h CycloneDX reporting support is merged. This will be included in the next vet release.

@KunalSin9h (Member) commented

@OmkarPh @abhisek Nice

Successfully merging this pull request may close these issues:

  • Generate Report as CycloneDX SBOM