breaking: Simplify SBOM result class [TAROT-3624]

afsmeira · afsmeira · commit 23a068840bed · 2026-02-10T12:00:18.000Z
diff --git a/codacy-plugins-api/src/main/scala/com/codacy/plugins/api/results/Result.scala b/codacy-plugins-api/src/main/scala/com/codacy/plugins/api/results/Result.scala
@@ -2,8 +2,6 @@ package com.codacy.plugins.api.results
 
 import com.codacy.plugins.api.{ErrorMessage, Source}
 
-import java.time.Instant
-
 sealed trait Result
 
 object Result {
@@ -39,106 +37,23 @@ object Result {
     * A SBOM declares the inventory of components used to build a software artifact, including any open source and
     * proprietary software components.
     *
-    * This class models CycloneDX 1.6 BOM format.
-    *
-    * @param bomFormat The format of the SBOM.
+    * @param bomFormat The format of the SBOM. Currently only [[https://cyclonedx.org/ CycloneDX]] specification in JSON
+    *                  format is supported.
     * @param specVersion The version of the SBOM format used to build this SBOM.
-    * @param metadata SBOM metadata.
-    * @param components A list of software components.
-    * @param dependencies Document dependency relationships between components.
-    * @see https://github.com/CycloneDX/cyclonedx-core-java/blob/master/src/main/resources/bom-1.6.schema.json
+    * @param sbom The actual SBOM content. To be parsed by downstream consumers according to [[bomFormat]] and
+    *             [[specVersion]].
     */
-  case class SBOM(bomFormat: SBOM.BOMFormat.Value,
-                  specVersion: String,
-                  metadata: SBOM.Metadata,
-                  components: List[SBOM.Component],
-                  dependencies: List[SBOM.Dependency])
-      extends Result
+  case class SBOM(bomFormat: SBOM.BOMFormat.Value, specVersion: String, sbom: String) extends Result
 
   object SBOM {
+
+    /** An enum representing the supported BOM formats. */
     type BOMFormat = BOMFormat.Value
     object BOMFormat extends Enumeration {
-      val CycloneDX: Value = Value("CycloneDX")
-    }
 
-    /** SBOM metadata.
-      *
-      * @param timestamp When the SBOM file was generated.
-      * @param tools The tools used in the SBOM creation.
-      * @param component The artifact that the SBOM describes.
-      */
-    case class Metadata(timestamp: Instant, tools: Tools, component: Component)
-
-    case class Tools(components: List[Tool])
-
-    /** A tool used in SBOM generation. E.g. Trivy.
-      *
-      * @param `type` The tool type.
-      * @param name The tool name.
-      * @param group The tool group. E.g. com.codacy.
-      * @param version The tool version.
-      */
-    case class Tool(`type`: Component.Type, name: String, group: String, version: String)
-
-    /** A software or hardware component used to build a software artifact.
-      *
-      * @param `bom-ref` An identifier used to reference the component elsewhere in the SBOM. Unique within the SBOM.
-      * @param `type` The type of component.
-      * @param name The component name.
-      * @param group The component group.
-      * @param version The component version.
-      * @param purl The package URL. See https://github.com/package-url/purl-spec
-      * @param properties A list of component properties as name-value pairs.
-      * @param licenses Component licenses.
-      */
-    case class Component(`bom-ref`: String,
-                         `type`: Component.Type,
-                         name: String,
-                         group: Option[String],
-                         version: Option[String],
-                         purl: Option[String],
-                         properties: List[Property],
-                         licenses: Option[List[LicenseType]])
-
-    object Component {
-      type Type = Type.Value
-      object Type extends Enumeration {
-        val Application: Value = Value("application")
-        val Framework: Value = Value("framework")
-        val Library: Value = Value("library")
-        val Container: Value = Value("container")
-        val Platform: Value = Value("platform")
-        val OperatingSystem: Value = Value("operating-system")
-        val Device: Value = Value("device")
-        val DeviceDrive: Value = Value("device-driver")
-        val Firmware: Value = Value("firmware")
-        val File: Value = Value("file")
-        val MachineLearningModel: Value = Value("machine-learning-model")
-        val Data: Value = Value("data")
-        val CryptographicAsset: Value = Value("cryptographic-asset")
-      }
+      /** [[https://cyclonedx.org/ CycloneDX]] specification in JSON format. */
+      val CycloneDXJSON: Value = Value("CycloneDXJSON")
     }
-
-    /** A name-value pair representing a piece of information not officially supported by the SBOM schema. */
-    case class Property(name: String, value: String)
-
-    /** Licenses can be either an expresion ([[LicenseExpression]]) or an identified license ([[LicenseWrapper]]). */
-    sealed trait LicenseType
-    case class LicenseWrapper(license: License) extends LicenseType
-    case class LicenseExpression(expression: String, `bom-ref`: Option[String]) extends LicenseType
-
-    /** A software license.
-      *
-      * `id` and `name` cannot both be undefined.
-      */
-    case class License(id: Option[String], name: Option[String])
-
-    /** Documents a dependency relationship between components.
-      *
-      * @param ref The reference to a component. Same as [[Component.`bom-ref`]].
-      * @param dependsOn References to other components this component depends on.
-      */
-    case class Dependency(ref: String, dependsOn: List[String])
   }
 
   type Level = Level.Value
