clean: Ensure proper dependency injection for testable code

Author: afsmeira

cmd/tool/main.go

@@ -5,11 +5,17 @@ import (
 
 	codacy "github.com/codacy/codacy-engine-golang-seed/v6"
 	"github.com/codacy/codacy-trivy/internal/tool"
+	"github.com/sirupsen/logrus"
 )
 
 func main() {
-	codacyTrivy := tool.New()
-	retCode := codacy.StartTool(&codacyTrivy)
+	codacyTrivy, err := tool.New(tool.MaliciousPackagesIndexPath)
+	if err != nil {
+		logrus.Errorf("Failed to create tool execution: %s", err.Error())
+		os.Exit(-1)
+	}
+
+	retCode := codacy.StartTool(codacyTrivy)
 
 	os.Exit(retCode)
 }

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/samber/lo v1.52.0
+	github.com/sirupsen/logrus v1.9.3 // Logrus is the logging library used in codacy-engine-golang-seed
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/mock v0.6.0
 	golang.org/x/mod v0.30.0
@@ -316,7 +317,6 @@ require (
 	github.com/sigstore/rekor v1.4.2 // indirect
 	github.com/sigstore/sigstore v1.9.5 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
 	github.com/spdx/tools-golang v0.5.5 // indirect

internal/tool/malicious_packages_scanner.go

@@ -14,7 +14,7 @@ import (
 	"golang.org/x/mod/semver"
 )
 
-const maliciousPackagesIndexPath = "/dist/cache/codacy-trivy/openssf-malicious-packages-index.json.gz"
+const MaliciousPackagesIndexPath = "/dist/cache/codacy-trivy/openssf-malicious-packages-index.json.gz"
 
 // maliciousPackage represents a shallow representation of an Open Source Vulnerability (OSV).
 // Although it's schema is generic, it is guaranteed that it is only instantiated for Malicious Package vulnerabilities.
@@ -111,8 +111,8 @@ type MaliciousPackagesScanner struct {
 
 // NewMaliciousPackagesScanner creates a new OpenSSF malicious packages scanner and loads
 // malicious data from disk, as defined by the build process of this tool.
-func NewMaliciousPackagesScanner() (*MaliciousPackagesScanner, error) {
-	index, err := loadIndex(maliciousPackagesIndexPath)
+func NewMaliciousPackagesScanner(indexPath string) (*MaliciousPackagesScanner, error) {
+	index, err := loadIndex(indexPath)
 	if err != nil {
 		return nil, err
 	}

internal/tool/tool.go

@@ -48,14 +48,21 @@ const (
 var ruleIDsVulnerability = []string{ruleIDVulnerabilityCritical, ruleIDVulnerabilityHigh, ruleIDVulnerabilityMedium, ruleIDVulnerabilityMinor}
 
 // New creates a new instance of Codacy Trivy.
-func New() codacyTrivy {
-	return codacyTrivy{
-		runnerFactory: &defaultRunnerFactory{},
+func New(maliciousPackagesIndexPath string) (*codacyTrivy, error) {
+	maliciousPackagesScanner, err := NewMaliciousPackagesScanner(maliciousPackagesIndexPath)
+	if err != nil {
+		return nil, err
 	}
+
+	return &codacyTrivy{
+		runnerFactory:            &defaultRunnerFactory{},
+		maliciousPackagesScanner: *maliciousPackagesScanner,
+	}, nil
 }
 
 type codacyTrivy struct {
-	runnerFactory RunnerFactory
+	runnerFactory            RunnerFactory
+	maliciousPackagesScanner MaliciousPackagesScanner
 }
 
 // https://github.com/uber-go/guide/blob/master/style.md#verify-interface-compliance
@@ -87,11 +94,7 @@ func (t codacyTrivy) Run(ctx context.Context, toolExecution codacy.ToolExecution
 
 	secretScanningIssues := t.runSecretScanning(toolExecution)
 
-	maliciousPackagesScanner, err := NewMaliciousPackagesScanner()
-	if err != nil {
-		return nil, err
-	}
-	maliciousPackagesIssues := maliciousPackagesScanner.Scan(report, toolExecution)
+	maliciousPackagesIssues := t.maliciousPackagesScanner.Scan(report, toolExecution)
 
 	allIssues := append(vulnerabilityScanningIssues, secretScanningIssues...)
 	allIssues = append(allIssues, maliciousPackagesIssues...)

internal/tool/tool_test.go

@@ -3,6 +3,7 @@
 package tool
 
 import (
+	"compress/gzip"
 	"context"
 	"fmt"
 	"os"
@@ -27,13 +28,44 @@ import (
 )
 
 func TestNew(t *testing.T) {
+	// Arrange
+	// Create an empty temporary file for the malicious packages index
+	maliciousPackageIndexFileName := "malicious-package.json.gz"
+
+	f, err := os.Create(maliciousPackageIndexFileName)
+	if err != nil {
+		assert.FailNow(t, "Failed to create malicious package index", err.Error())
+	}
+	defer os.Remove(f.Name())
+	defer f.Close()
+
+	gz := gzip.NewWriter(f)
+	_, err = gz.Write([]byte("{}"))
+	if err != nil {
+		assert.FailNow(t, "Failed to write to malicious package index", err.Error())
+	}
+	err = gz.Close()
+	if err != nil {
+		assert.FailNow(t, "Failed to write to malicious package index", err.Error())
+	}
+
 	// Act
-	underTest := New()
+	underTest, err := New(f.Name())
 
 	// Assert
+	assert.NoError(t, err)
 	assert.Equal(t, &defaultRunnerFactory{}, underTest.runnerFactory)
 }
 
+func TestNew_MaliciousPackageIndexFileNotFound(t *testing.T) {
+	// Act
+	underTest, err := New("non-existent-file.json.gz")
+
+	// Assert
+	assert.Error(t, err)
+	assert.Nil(t, underTest)
+}
+
 func TestRun(t *testing.T) {
 	// Arrange
 	ctx := context.Background()