clean: Address codacy comments

Author: afsmeira

internal/tool/malicious_packages_scanner.go

@@ -8,12 +8,14 @@ import (
 	"slices"
 	"strings"
 
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	ptypes "github.com/aquasecurity/trivy/pkg/types"
 	codacy "github.com/codacy/codacy-engine-golang-seed/v6"
 	"github.com/samber/lo"
 	"golang.org/x/mod/semver"
 )
 
+// MaliciousPackagesIndexPath is the default path to the malicious package index.
 const MaliciousPackagesIndexPath = "/dist/cache/codacy-trivy/openssf-malicious-packages-index.json.gz"
 
 // maliciousPackage represents a shallow representation of an Open Source Vulnerability (OSV).
@@ -120,7 +122,7 @@ func NewMaliciousPackagesScanner(indexPath string) (*MaliciousPackagesScanner, e
 	return &MaliciousPackagesScanner{index: index}, nil
 }
 
-// Scans the given Trivy report for malicious packages.
+// Scan scans the given Trivy report for malicious packages.
 func (s MaliciousPackagesScanner) Scan(report ptypes.Report, toolExecution codacy.ToolExecution) []codacy.Result {
 	maliciousPackagesEnabled := lo.SomeBy(*toolExecution.Patterns, func(p codacy.Pattern) bool {
 		return p.ID == ruleIDMaliciousPackages
@@ -148,23 +150,8 @@ func (s MaliciousPackagesScanner) Scan(report ptypes.Report, toolExecution codac
 			}
 
 			for _, candidate := range maliciousPkg {
-				if pkg.Version != "" && candidate.matchesVersion(pkg.Version) {
-
-					var lineNumber int
-					if len(pkg.Locations) > 0 {
-						lineNumber = pkg.Locations[0].StartLine
-					} else {
-						lineNumber = fallbackSearchForLineNumber(toolExecution.SourceDir, result.Target, pkg.Name)
-					}
-
-					issue := codacy.Issue{
-						File:      result.Target,
-						Line:      lineNumber,
-						Message:   fmt.Sprintf("%s - %s@%s", candidate.Summary, pkg.Name, pkg.Version),
-						PatternID: ruleIDMaliciousPackages,
-						SourceID:  candidate.ID,
-					}
-					issues = append(issues, issue)
+				if issue := issueForMaliciousPackage(pkg, candidate, result.Target, toolExecution.SourceDir); issue != nil {
+					issues = append(issues, *issue)
 				}
 			}
 
@@ -174,6 +161,26 @@ func (s MaliciousPackagesScanner) Scan(report ptypes.Report, toolExecution codac
 	return mapIssuesWithoutLineNumber(filterIssuesFromKnownFiles(issues, *toolExecution.Files))
 }
 
+func issueForMaliciousPackage(pkg ftypes.Package, maliciousPkg maliciousPackage, srcFile, srcDir string) *codacy.Issue {
+	if pkg.Version != "" && maliciousPkg.matchesVersion(pkg.Version) {
+		var lineNumber int
+		if len(pkg.Locations) > 0 {
+			lineNumber = pkg.Locations[0].StartLine
+		} else {
+			lineNumber = fallbackSearchForLineNumber(srcDir, srcFile, pkg.Name)
+		}
+
+		return &codacy.Issue{
+			File:      srcFile,
+			Line:      lineNumber,
+			Message:   fmt.Sprintf("%s - %s@%s", maliciousPkg.Summary, pkg.Name, pkg.Version),
+			PatternID: ruleIDMaliciousPackages,
+			SourceID:  maliciousPkg.ID,
+		}
+	}
+	return nil
+}
+
 // loadIndex attempts to load into memory the gzipped prebuilt index.
 func loadIndex(indexPath string) (maliciousPackagesByEcosystemAndName, error) {
 	f, err := os.Open(indexPath)