Merge pull request #18 from snyk/UNIFY-757-sbom-test-with-reachability-invokes-test-shim-api

feat: wire up sbom reachability flow

Author: paulrosca-snyk

.gitattributes

@@ -0,0 +1,8 @@
+# Ignore Go checksum file
+go.sum linguist-generated
+
+# Ignore NPM versioning file
+package-lock.json linguist-generated
+
+# Ignore snapshots
+**/testdata/snapshots/** linguist-generated

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/rs/zerolog v1.34.0
 	github.com/snyk/code-client-go v1.21.3
 	github.com/snyk/error-catalog-golang-public v0.0.0-20250429130542-564b0605020e
-	github.com/snyk/go-application-framework v0.0.0-20250624132329-67306d427077
+	github.com/snyk/go-application-framework v0.0.0-20250716102454-7496bd64ed98
 	github.com/spf13/pflag v1.0.6
 	github.com/stretchr/testify v1.10.0
 	golang.org/x/net v0.38.0

go.sum

@@ -7,7 +7,6 @@ import (
 	"io"
 	"net/http"
 	"os"
-	"path/filepath"
 	"runtime"
 
 	"github.com/google/uuid"
@@ -52,6 +51,9 @@ type (
 	}
 )
 
+// SBOMMonitorFilename is the hardcoded SBOM file name the server is looking for.
+const SBOMMonitorFilename = "sbom_monitor_820F1A6A-3CFD-4B81-AD30-7F255A9D93ED.sbom"
+
 // NewClient creates a new client for interacting with the Snyk bundle store.
 func NewClient(httpClient *http.Client, csConfig CodeClientConfig, cScanner codeclient.CodeScanner, logger *zerolog.Logger) *HTTPClient {
 	return &HTTPClient{
@@ -175,10 +177,8 @@ func (c *HTTPClient) UploadSBOM(ctx context.Context, sbomPath string) (string, e
 		return "", fmt.Errorf("could not read sbom file %s: %w", sbomPath, err)
 	}
 
-	relativeFilePath, err := toRelativeUnixPath(filepath.Dir(sbomPath), sbomPath)
-	if err != nil {
-		return "", err
-	}
+	// We use the hardcoded SBOM file name expected on the server side.
+	relativeFilePath := SBOMMonitorFilename
 
 	bf := bundleFileFrom(fileContent)
 	fileHashes := make(map[string]string)

internal/bundlestore/client.go

@@ -4,9 +4,7 @@ import (
 	"bytes"
 	"crypto/sha256"
 	"encoding/hex"
-	"fmt"
 	"io"
-	"path/filepath"
 
 	"golang.org/x/net/html/charset"
 )
@@ -40,17 +38,3 @@ func encodeRequestBody(requestBody []byte) (*bytes.Buffer, error) {
 	}
 	return b, nil
 }
-
-func toRelativeUnixPath(baseDir, absoluteFilePath string) (string, error) {
-	relativePath, err := filepath.Rel(baseDir, absoluteFilePath)
-	if err != nil {
-		relativePath = absoluteFilePath
-		if baseDir != "" {
-			errMsg := fmt.Sprint("could not get relative path for file: ", absoluteFilePath, " and root path: ", baseDir)
-			return "", fmt.Errorf("%s: %w", errMsg, err)
-		}
-	}
-
-	relativePath = filepath.ToSlash(relativePath) // treat all paths as unix paths
-	return relativePath, nil
-}

internal/bundlestore/utils.go

@@ -0,0 +1,79 @@
+
+[Test_RunSbomReachabilityFlow_Success - 1]
+{
+ "dependencyCount": 0,
+ "displayTargetFile": "",
+ "filesystemPolicy": false,
+ "filtered": {
+  "ignore": [],
+  "patch": []
+ },
+ "hasUnknownVersions": false,
+ "ignoreSettings": {
+  "adminOnly": false,
+  "autoApproveIgnores": false,
+  "disregardFilesystemIgnores": false,
+  "reasonRequired": false
+ },
+ "isPrivate": false,
+ "licensesPolicy": {
+  "orgLicenseRules": null,
+  "severities": null
+ },
+ "ok": false,
+ "org": "",
+ "packageManager": "",
+ "policy": "",
+ "projectName": "",
+ "summary": "",
+ "uniqueCount": 1,
+ "vulnerabilities": [
+  {
+   "creationTime": "2025-07-28T17:11:43.000000Z",
+   "cvssScore": 0,
+   "description": "Test vulnerability description",
+   "disclosureTime": "2025-07-28T17:11:43.000000Z",
+   "epssDetails": null,
+   "from": [],
+   "id": "snyk-vuln-123",
+   "isPatchable": false,
+   "isUpgradable": false,
+   "language": "js",
+   "malicious": true,
+   "modificationTime": "2025-07-28T17:11:43.000000Z",
+   "name": "foo",
+   "packageManager": "npm",
+   "packageName": "foo",
+   "publicationTime": "2025-07-28T17:11:43.000000Z",
+   "reachability": "REACHABLE",
+   "riskScore": 80,
+   "severity": "high",
+   "socialTrendAlert": false,
+   "title": "Test High Severity Finding",
+   "upgradePath": null,
+   "version": "0.0.0"
+  }
+ ]
+}
+---
+
+[Test_RunSbomReachabilityFlow_Success - 2]
+{
+ "artifacts": 0,
+ "results": [
+  {
+   "ignored": 0,
+   "open": 1,
+   "severity": "high",
+   "total": 1
+  }
+ ],
+ "severity_order_asc": [
+  "low",
+  "medium",
+  "high",
+  "critical"
+ ],
+ "type": "open-source"
+}
+---

internal/commands/ostest/__snapshots__/sbom_reachability_flow_test.snap

@@ -1,11 +1,14 @@
 package ostest
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
 
 	"github.com/rs/zerolog"
+	"github.com/snyk/go-application-framework/pkg/apiclients/testapi"
 	"github.com/snyk/go-application-framework/pkg/workflow"
 
 	"github.com/snyk/cli-extension-os-flows/internal/bundlestore"
@@ -15,11 +18,14 @@ import (
 // RunSbomReachabilityFlow runs the SBOM reachability flow.
 func RunSbomReachabilityFlow(
 	ctx context.Context,
+	ictx workflow.InvocationContext,
+	testClient testapi.TestClient,
 	errFactory *errors.ErrorFactory,
 	logger *zerolog.Logger,
 	sbomPath string,
 	sourceCodePath string,
 	bsClient bundlestore.Client,
+	orgID string,
 ) ([]workflow.Data, error) {
 	if sourceCodePath == "" {
 		sourceCodePath = "."
@@ -44,7 +50,45 @@ func RunSbomReachabilityFlow(
 	}
 	logger.Println("sourceCodeBundleHash", sourceCodeBundleHash)
 
-	return nil, nil // TODO: return something meaningful once this function is complete
+	var subject testapi.TestSubjectCreate
+	err = subject.FromSbomReachabilitySubject(testapi.SbomReachabilitySubject{
+		Type:         testapi.SbomReachability,
+		CodeBundleId: sourceCodeBundleHash,
+		SbomBundleId: sbomBundleHash,
+		Locator: testapi.LocalPathLocator{
+			Paths: []string{
+				sbomPath,
+				sourceCodePath,
+			},
+			Type: testapi.LocalPath,
+		},
+	})
+	if err != nil {
+		logger.Error().Err(err).Msg("Failed to create SBOM reachability test subject")
+		return nil, fmt.Errorf("failed to create sbom test reachability subject: %w", err)
+	}
+
+	findings, summary, err := RunTest(ctx, ictx, testClient, subject, "", "", int(0), "", orgID, errFactory, logger, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var finalOutput []workflow.Data
+	var buffer bytes.Buffer
+	encoder := json.NewEncoder(&buffer)
+	encoder.SetEscapeHTML(false)
+	encoder.SetIndent("", "  ")
+	err = encoder.Encode(findings)
+	if err != nil {
+		return nil, errFactory.NewLegacyJSONTransformerError(fmt.Errorf("marshaling to json: %w", err))
+	}
+	// encoder.Encode adds a newline, which we trim to match Marshal's behavior.
+	findingsBytes := bytes.TrimRight(buffer.Bytes(), "\n")
+
+	finalOutput = append(finalOutput, NewWorkflowData(ApplicationJSONContentType, findingsBytes))
+	finalOutput = append(finalOutput, summary...)
+
+	return finalOutput, nil
 }
 
 // validateDirectory checks if the given path exists and contains files.