Make scanners with wrapped tools flat dirs

components/scanners/bandit/component.yaml

@@ -12,7 +12,7 @@ steps:
       -  --output={{ scratchWorkspace }}/bandit.json
       - --exit-zero   
   - name: parser
-    image: components/scanners/bandit
+    image: components/scanners/bandit/parser
     executable: /bin/app
     env_vars:
       BANDIT_RAW_OUT_FILE_PATH: "{{ scratchWorkspace }}/bandit.json"

components/scanners/bandit/cmd/main.go → components/scanners/bandit/parser/cmd/main.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/smithy-security/smithy/sdk/component"
 
-	"github.com/smithy-security/smithy/components/scanners/bandit/internal/transformer"
+	"github.com/smithy-security/smithy/components/scanners/bandit/parser/internal/transformer"
 )
 
 func main() {

components/scanners/bandit/go.mod → components/scanners/bandit/parser/go.mod

@@ -1,11 +1,12 @@
-module github.com/smithy-security/smithy/components/scanners/bandit
+module github.com/smithy-security/smithy/components/scanners/bandit/parser
 
 go 1.23.4
 
 require (
 	github.com/go-errors/errors v1.5.1
 	github.com/jonboulle/clockwork v0.5.0
 	github.com/smithy-security/pkg/env v0.0.3
+	github.com/smithy-security/pkg/utils v0.0.2
 	github.com/smithy-security/smithy/sdk v0.0.19-alpha
 	github.com/stretchr/testify v1.10.0
 	google.golang.org/protobuf v1.36.5
@@ -43,7 +44,6 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
-	github.com/smithy-security/pkg/utils v0.0.2 // indirect
 	github.com/spf13/cast v1.7.1 // indirect
 	github.com/sqlc-dev/sqlc v1.28.0 // indirect
 	github.com/urfave/cli/v2 v2.27.6 // indirect

components/scanners/bandit/internal/transformer/transformer.go → components/scanners/bandit/parser/internal/transformer/transformer.go

@@ -12,13 +12,12 @@ import (
 	"github.com/go-errors/errors"
 	"github.com/jonboulle/clockwork"
 	"github.com/smithy-security/pkg/env"
+	"github.com/smithy-security/pkg/utils"
 	"github.com/smithy-security/smithy/sdk/component"
 	ocsffindinginfo "github.com/smithy-security/smithy/sdk/gen/ocsf_ext/finding_info/v1"
 	ocsf "github.com/smithy-security/smithy/sdk/gen/ocsf_schema/v1"
 	componentlogger "github.com/smithy-security/smithy/sdk/logger"
 	"google.golang.org/protobuf/encoding/protojson"
-
-	"github.com/smithy-security/smithy/components/scanners/bandit/internal/util/ptr"
 )
 
 type (
@@ -78,6 +77,8 @@ var (
 	ErrEmptyRawOutfileContents = errors.Errorf("empty raw out file contents")
 	// ErrBadTargetType is thrown when the option set target type is called with an unspecified or empty target type
 	ErrBadTargetType = errors.New("invalid empty target type")
+	// ErrFileNotFound is thrown when the raw output file is not found
+	ErrFileNotFound = errors.Errorf("raw output file not found")
 
 	// Bandit Parser Specific Errors
 
@@ -174,10 +175,16 @@ func (b *BanditTransformer) Transform(ctx context.Context) ([]*ocsf.Vulnerabilit
 		inFile, err := os.ReadFile(b.rawOutFilePath)
 		if err != nil {
 			if os.IsNotExist(err) {
-				return nil, errors.Errorf("raw output file '%s' not found", b.rawOutFilePath)
+				return nil, errors.Errorf("%w: %s Original Error: %w", ErrFileNotFound, b.rawOutFilePath, err)
 			}
 			return nil, errors.Errorf("failed to read raw output file '%s': %w", b.rawOutFilePath, err)
 		}
+
+		if len(inFile) == 0 {
+			logger.Info("Scanner SARIF file is empty, exiting")
+			return []*ocsf.VulnerabilityFinding{}, nil
+		}
+
 		b.fileContents = inFile
 	}
 	var results BanditOut
@@ -218,34 +225,34 @@ func (b *BanditTransformer) parseResult(ctx context.Context, r *BanditResult) (*
 	}
 
 	return &ocsf.VulnerabilityFinding{
-		ActivityName: ptr.Ptr(ocsf.VulnerabilityFinding_ACTIVITY_ID_CREATE.String()),
+		ActivityName: utils.Ptr(ocsf.VulnerabilityFinding_ACTIVITY_ID_CREATE.String()),
 		ActivityId:   ocsf.VulnerabilityFinding_ACTIVITY_ID_CREATE,
 		CategoryUid:  ocsf.VulnerabilityFinding_CATEGORY_UID_FINDINGS,
 		ClassUid:     ocsf.VulnerabilityFinding_CLASS_UID_VULNERABILITY_FINDING,
-		ClassName:    ptr.Ptr(ocsf.VulnerabilityFinding_CLASS_UID_VULNERABILITY_FINDING.String()),
+		ClassName:    utils.Ptr(ocsf.VulnerabilityFinding_CLASS_UID_VULNERABILITY_FINDING.String()),
 
 		Confidence:   &confidence,
-		ConfidenceId: ptr.Ptr(ocsf.VulnerabilityFinding_ConfidenceId(confidenceID)),
-		Count:        ptr.Ptr(int32(1)),
+		ConfidenceId: utils.Ptr(ocsf.VulnerabilityFinding_ConfidenceId(confidenceID)),
+		Count:        utils.Ptr(int32(1)),
 		FindingInfo: &ocsf.FindingInfo{
 			CreatedTime: &now,
 			DataSources: []string{
 				dataSource,
 			},
-			Desc:          ptr.Ptr(fmt.Sprintf("%s:%s", r.TestName, r.IssueText)),
+			Desc:          utils.Ptr(fmt.Sprintf("%s:%s", r.TestName, r.IssueText)),
 			FirstSeenTime: &now,
 			LastSeenTime:  &now,
 			ModifiedTime:  &now,
-			ProductUid:    ptr.Ptr("bandit"),
+			ProductUid:    utils.Ptr("bandit"),
 			Title:         r.IssueText,
 			Uid:           r.TestID,
 		},
 		Message:    &r.IssueText,
 		Severity:   &severity,
 		SeverityId: ocsf.VulnerabilityFinding_SeverityId(severityID),
 		StartTime:  &now,
-		Status:     ptr.Ptr(ocsf.VulnerabilityFinding_STATUS_ID_NEW.String()),
-		StatusId:   ptr.Ptr(ocsf.VulnerabilityFinding_STATUS_ID_NEW),
+		Status:     utils.Ptr(ocsf.VulnerabilityFinding_STATUS_ID_NEW.String()),
+		StatusId:   utils.Ptr(ocsf.VulnerabilityFinding_STATUS_ID_NEW),
 		Time:       now,
 		TypeUid: int64(
 			ocsf.VulnerabilityFinding_CLASS_UID_VULNERABILITY_FINDING.Number()*
@@ -261,7 +268,7 @@ func (b *BanditTransformer) parseResult(ctx context.Context, r *BanditResult) (*
 				LastSeenTime:  &now,
 				Severity:      &severity,
 				Title:         &r.IssueText,
-				VendorName:    ptr.Ptr("bandit"),
+				VendorName:    utils.Ptr("bandit"),
 			},
 		},
 	}, nil
@@ -274,11 +281,11 @@ func (*BanditTransformer) mapCode(r *BanditResult) ([]*ocsf.AffectedCode, error)
 	}
 	ac = append(ac,
 		&ocsf.AffectedCode{
-			EndLine:   ptr.Ptr(int32(r.LineRange[0])),
-			StartLine: ptr.Ptr(int32(r.LineRange[len(r.LineRange)-1])),
+			EndLine:   utils.Ptr(int32(r.LineRange[0])),
+			StartLine: utils.Ptr(int32(r.LineRange[len(r.LineRange)-1])),
 			File: &ocsf.File{
 				Name: filepath.Base(r.Filename),
-				Path: ptr.Ptr(fmt.Sprintf("file://%s", r.Filename)),
+				Path: utils.Ptr(fmt.Sprintf("file://%s", r.Filename)),
 			},
 		},
 	)

components/scanners/bandit/internal/transformer/transformer_test.go → components/scanners/bandit/parser/internal/transformer/transformer_test.go

@@ -3,6 +3,7 @@ package transformer
 import (
 	_ "embed"
 	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -33,7 +34,7 @@ func TestBanditTransformer_Transform(t *testing.T) {
 			BanditTransformerWithClock(&clock),
 		)
 		require.NoError(t, err)
-		transformMethodTest(t, ocsfTransformer.Transform, nil)
+		transformMethodTest(t, ocsfTransformer.Transform, nil, 10)
 	})
 
 	t.Run("it should error for findings without a line range", func(t *testing.T) {
@@ -44,7 +45,7 @@ func TestBanditTransformer_Transform(t *testing.T) {
 			BanditRawOutFileContents([]byte(noLineRangeInput)),
 		)
 		require.NoError(t, err)
-		transformMethodTest(t, ocsfTransformer.Transform, ErrNoLineRange)
+		transformMethodTest(t, ocsfTransformer.Transform, ErrNoLineRange, 0)
 	})
 
 	t.Run("it should error for findings with an invalid data source", func(t *testing.T) {
@@ -55,7 +56,27 @@ func TestBanditTransformer_Transform(t *testing.T) {
 			BanditRawOutFileContents([]byte(noDataSourceInput)),
 		)
 		require.NoError(t, err)
-		transformMethodTest(t, ocsfTransformer.Transform, ErrBadDataSource)
+		transformMethodTest(t, ocsfTransformer.Transform, ErrBadDataSource, 0)
+	})
+	t.Run("it should not error when receiving an empty inFile", func(t *testing.T) {
+		emptyFilePath := filepath.Join(t.TempDir(), "empty.sarif")
+		os.Setenv("BANDIT_RAW_OUT_FILE_PATH", emptyFilePath)
+		require.NoError(t, os.WriteFile(os.Getenv("BANDIT_RAW_OUT_FILE_PATH"), []byte("{}"), 0644))
+		ocsfTransformer, err := New(
+			BanditTransformerWithTarget(ocsffindinginfo.DataSource_TARGET_TYPE_REPOSITORY),
+			BanditTransformerWithClock(&clock),
+		)
+		require.NoError(t, err)
+		transformMethodTest(t, ocsfTransformer.Transform, nil, 0)
+	})
+	t.Run("it should error when receiving a non existing inFile", func(t *testing.T) {
+		os.Setenv("BANDIT_RAW_OUT_FILE_PATH", "./testdata/foobar.json")
+		ocsfTransformer, err := New(
+			BanditTransformerWithTarget(ocsffindinginfo.DataSource_TARGET_TYPE_REPOSITORY),
+			BanditTransformerWithClock(&clock),
+		)
+		require.NoError(t, err)
+		transformMethodTest(t, ocsfTransformer.Transform, ErrFileNotFound, 0)
 	})
 }
 
@@ -224,7 +245,7 @@ func assertValid(t *testing.T, finding *ocsf.VulnerabilityFinding, idx int, nowU
 	assert.NotEmptyf(t, vulnerability.Cwe.Uid, "Unexpected empty value for uid in vulnerability for finding %d", idx)
 }
 
-func transformMethodTest(t *testing.T, transformCallback func(ctx context.Context) ([]*ocsf.VulnerabilityFinding, error), expectedError error) {
+func transformMethodTest(t *testing.T, transformCallback func(ctx context.Context) ([]*ocsf.VulnerabilityFinding, error), expectedError error, expectedFindingsLength int) {
 	var (
 		ctx, cancel = context.WithTimeout(context.Background(), time.Minute)
 		clock       = clockwork.NewFakeClockAt(time.Date(2024, 11, 1, 0, 0, 0, 0, time.UTC))
@@ -253,7 +274,7 @@ func transformMethodTest(t *testing.T, transformCallback func(ctx context.Contex
 		return
 	}
 	require.NoError(t, err)
-	require.NotEmpty(t, findings)
+	require.Equal(t, expectedFindingsLength, len(findings))
 
 	for idx, finding := range findings {
 		assertValid(t, finding, idx, nowUnix, typeUID)