breaking: Simplify SBOM result class [TAROT-3624] (#103)

afsmeira · web-flow · commit e05048b5738f · 2026-02-10T14:15:22.000Z
The aim of this simplification is to be independent of the SBOM format itself at this point. Downstream consumers decide if they want to unmarshal the SBOM (and how) based on it's format and spec version. No scala tools are producing SBOMs, so none need to actually change. No scala tool is even using a version of this library that includes SBOMs. However, golang tools can already produce SBOMs, so the [golang seed](https://github.com/codacy/codacy-engine-golang-seed/blob/master/result.go) needs to be updated. `codacy-trivy` will also need to be updated to match the new format. There will be a point when deploying new versions for worker and `codacy-trivy` when SBOM parsing will be broken but that is OK because: - SBOM parsing failures do not result in analysis failures - We only need SBOM parsing working during the night (SCA)
diff --git a/codacy-plugins-api/src/main/scala/com/codacy/plugins/api/results/Result.scala b/codacy-plugins-api/src/main/scala/com/codacy/plugins/api/results/Result.scala
@@ -2,8 +2,6 @@ package com.codacy.plugins.api.results
 
 import com.codacy.plugins.api.{ErrorMessage, Source}
 
-import java.time.Instant
-
 sealed trait Result
 
 object Result {
@@ -39,106 +37,23 @@ object Result {
     * A SBOM declares the inventory of components used to build a software artifact, including any open source and
     * proprietary software components.
     *
-    * This class models CycloneDX 1.6 BOM format.
-    *
-    * @param bomFormat The format of the SBOM.
+    * @param bomFormat The format of the SBOM. Currently only [[https://cyclonedx.org/ CycloneDX]] specification in JSON
+    *                  format is supported.
     * @param specVersion The version of the SBOM format used to build this SBOM.
-    * @param metadata SBOM metadata.
-    * @param components A list of software components.
-    * @param dependencies Document dependency relationships between components.
-    * @see https://github.com/CycloneDX/cyclonedx-core-java/blob/master/src/main/resources/bom-1.6.schema.json
+    * @param sbom The actual SBOM content. To be parsed by downstream consumers according to [[bomFormat]] and
+    *             [[specVersion]].
     */
-  case class SBOM(bomFormat: SBOM.BOMFormat.Value,
-                  specVersion: String,
-                  metadata: SBOM.Metadata,
-                  components: List[SBOM.Component],
-                  dependencies: List[SBOM.Dependency])
-      extends Result
+  case class SBOM(bomFormat: SBOM.BOMFormat.Value, specVersion: String, sbom: String) extends Result
 
   object SBOM {
+
+    /** An enum representing the supported BOM formats. */
     type BOMFormat = BOMFormat.Value
     object BOMFormat extends Enumeration {
-      val CycloneDX: Value = Value("CycloneDX")
-    }
 
-    /** SBOM metadata.
-      *
-      * @param timestamp When the SBOM file was generated.
-      * @param tools The tools used in the SBOM creation.
-      * @param component The artifact that the SBOM describes.
-      */
-    case class Metadata(timestamp: Instant, tools: Tools, component: Component)
-
-    case class Tools(components: List[Tool])
-
-    /** A tool used in SBOM generation. E.g. Trivy.
-      *
-      * @param `type` The tool type.
-      * @param name The tool name.
-      * @param group The tool group. E.g. com.codacy.
-      * @param version The tool version.
-      */
-    case class Tool(`type`: Component.Type, name: String, group: String, version: String)
-
-    /** A software or hardware component used to build a software artifact.
-      *
-      * @param `bom-ref` An identifier used to reference the component elsewhere in the SBOM. Unique within the SBOM.
-      * @param `type` The type of component.
-      * @param name The component name.
-      * @param group The component group.
-      * @param version The component version.
-      * @param purl The package URL. See https://github.com/package-url/purl-spec
-      * @param properties A list of component properties as name-value pairs.
-      * @param licenses Component licenses.
-      */
-    case class Component(`bom-ref`: String,
-                         `type`: Component.Type,
-                         name: String,
-                         group: Option[String],
-                         version: Option[String],
-                         purl: Option[String],
-                         properties: List[Property],
-                         licenses: Option[List[LicenseType]])
-
-    object Component {
-      type Type = Type.Value
-      object Type extends Enumeration {
-        val Application: Value = Value("application")
-        val Framework: Value = Value("framework")
-        val Library: Value = Value("library")
-        val Container: Value = Value("container")
-        val Platform: Value = Value("platform")
-        val OperatingSystem: Value = Value("operating-system")
-        val Device: Value = Value("device")
-        val DeviceDrive: Value = Value("device-driver")
-        val Firmware: Value = Value("firmware")
-        val File: Value = Value("file")
-        val MachineLearningModel: Value = Value("machine-learning-model")
-        val Data: Value = Value("data")
-        val CryptographicAsset: Value = Value("cryptographic-asset")
-      }
+      /** [[https://cyclonedx.org/ CycloneDX]] specification in JSON format. */
+      val CycloneDXJSON: Value = Value("CycloneDXJSON")
     }
-
-    /** A name-value pair representing a piece of information not officially supported by the SBOM schema. */
-    case class Property(name: String, value: String)
-
-    /** Licenses can be either an expresion ([[LicenseExpression]]) or an identified license ([[LicenseWrapper]]). */
-    sealed trait LicenseType
-    case class LicenseWrapper(license: License) extends LicenseType
-    case class LicenseExpression(expression: String, `bom-ref`: Option[String]) extends LicenseType
-
-    /** A software license.
-      *
-      * `id` and `name` cannot both be undefined.
-      */
-    case class License(id: Option[String], name: Option[String])
-
-    /** Documents a dependency relationship between components.
-      *
-      * @param ref The reference to a component. Same as [[Component.`bom-ref`]].
-      * @param dependsOn References to other components this component depends on.
-      */
-    case class Dependency(ref: String, dependsOn: List[String])
   }
 
   type Level = Level.Value
