[SP-2870] fix: cyclonedx format output not writing to file

[matiasdaloia]

Summary by CodeRabbit

• Bug Fixes
  • Resolved an issue where running folder or container scans with the --format cyclonedx option did not write output to a file as expected.
• Documentation
  • Updated the changelog to reflect the latest patch release and bug fixes.
• Style
  • Improved code clarity by reorganizing imports and updating comments for better readability.

[coderabbitai]

Walkthrough

This update addresses an issue where the folder-scan and container-scan commands failed to write CycloneDX-formatted output to a file. The CycloneDX output handling logic is refactored to return both a success flag and the output data, and the changelog and version number are updated to reflect these fixes.

Changes

File(s)	Change Summary
CHANGELOG.md, src/scanoss/init.py	Changelog updated for patch 1.27.1; version string incremented from 1.27.0 to 1.27.1.
src/scanoss/cyclonedx.py	produce_from_json now returns a tuple (success, output); docstring updated; import order improved.
src/scanoss/scanner.py	Import order reorganized; linter comments added; updated for new tuple return from CycloneDX; no logic change.
src/scanoss/scanners/container_scanner.py, src/scanoss/scanners/scanner_hfh.py	_format_cyclonedx_output updated to handle tuple return from CycloneDX; error handling now logs/prints instead of raising exceptions.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant CLI_Command
    participant Scanner
    participant CycloneDx

    User->>CLI_Command: Run folder-scan/container-scan with --format cyclonedx
    CLI_Command->>Scanner: Initiate scan
    Scanner->>CycloneDx: produce_from_json(results)
    CycloneDx-->>Scanner: (success, cdx_output)
    alt success
        Scanner->>CLI_Command: Write cdx_output to file
    else failure
        Scanner->>CLI_Command: Log/Print error
    end

Loading

Possibly related PRs

• feat: ES-213 Add container scanning #115: The main PR fixes output file writing for CycloneDX format in folder and container scans by adapting to the updated produce_from_json method that now returns a tuple, which is directly related to the container scanning feature and CycloneDX output handling introduced in the retrieved PR feat: ES-213 Add container scanning #115.

Suggested reviewers

• eeisegn

Poem

🐇
Patchwork fixes, quick and neat,
CycloneDX now writes complete!
No more files left in the lurch,
Output lands where you research.
Version bumps and changelogs grow—
Hopping forward, off we go!

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 05e762f and be91ae6.

📒 Files selected for processing (2)

• src/scanoss/cyclonedx.py (5 hunks)
• src/scanoss/scanners/scanner_hfh.py (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• src/scanoss/scanners/scanner_hfh.py
• src/scanoss/cyclonedx.py

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🔭 Outside diff range comments (2)

src/scanoss/cyclonedx.py (1)

273-289: Inconsistent return type in produce_from_str.

The method signature indicates it returns bool, but it calls produce_from_json which now returns a tuple. This will cause the tuple to be returned instead of just the boolean.

Fix the return type inconsistency:

-    def produce_from_str(self, json_str: str, output_file: str = None) -> bool:
+    def produce_from_str(self, json_str: str, output_file: str = None) -> bool:
         """
         Produce CycloneDX output from input JSON string
         :param json_str: input JSON string
         :param output_file: Output file (optional)
         :return: True if successful, False otherwise
         """
         if not json_str:
             self.print_stderr('ERROR: No JSON string provided to parse.')
             return False
         try:
             data = json.loads(json_str)
         except Exception as e:
             self.print_stderr(f'ERROR: Problem parsing input JSON: {e}')
             return False
-        return self.produce_from_json(data, output_file)
+        success, _ = self.produce_from_json(data, output_file)
+        return success

src/scanoss/scanner.py (1)

849-849: Assign produce_from_str return value to success in CycloneDX branches

The CycloneDX method produce_from_str is typed to return a single bool, so its result must be assigned to the success variable (unlike produce_from_json, which returns a (bool, json) tuple and is properly destructured). Otherwise, success can remain undefined or stale. Update these lines:

• src/scanoss/scanner.py:849

  • cdx.produce_from_str(raw_output)
  • success = cdx.produce_from_str(raw_output)

• src/scanoss/scanner.py:969

  • cdx.produce_from_str(raw_output)
  • success = cdx.produce_from_str(raw_output)

🧹 Nitpick comments (1)

src/scanoss/scanners/scanner_hfh.py (1)

203-208: Proper handling of the new tuple return from produce_from_json.

The unpacking of the tuple and error handling logic is correct. However, the function has too many return statements (7 > 6) as indicated by the linter.

Consider consolidating the return statements to improve code quality:

-            success, cdx_output = cdx.produce_from_json(scan_results)
-            if not success:
-                error_msg = 'ERROR: Failed to produce CycloneDX output'
-                self.base.print_stderr(error_msg)
-                return None
-            return json.dumps(cdx_output, indent=2)
+            success, cdx_output = cdx.produce_from_json(scan_results)
+            if success:
+                return json.dumps(cdx_output, indent=2)
+            else:
+                error_msg = 'ERROR: Failed to produce CycloneDX output'
+                self.base.print_stderr(error_msg)
+                return None

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e65b58e and 05e762f.

📒 Files selected for processing (6)

• CHANGELOG.md (2 hunks)
• src/scanoss/__init__.py (1 hunks)
• src/scanoss/cyclonedx.py (3 hunks)
• src/scanoss/scanner.py (11 hunks)
• src/scanoss/scanners/container_scanner.py (1 hunks)
• src/scanoss/scanners/scanner_hfh.py (1 hunks)

🧰 Additional context used

🧬 Code Graph Analysis (2)

src/scanoss/cyclonedx.py (2)

src/scanoss/spdxlite.py (3)

• produce_from_json (272-287)
• parse (68-79)
• print_stderr (55-59)

src/scanoss/scanossbase.py (1)

• print_stderr (45-49)

src/scanoss/scanner.py (12)

src/scanoss/file_filters.py (1)

• FileFilters (433-743)

src/scanoss/csvoutput.py (2)

• CsvOutput (33-233)
• produce_from_json (178-216)

src/scanoss/cyclonedx.py (2)

• CycloneDx (36-306)
• produce_from_json (173-271)

src/scanoss/scancodedeps.py (2)

• ScancodeDeps (32-284)
• produce_from_json (85-151)

src/scanoss/scanossapi.py (1)

• ScanossApi (49-285)

src/scanoss/scanossbase.py (1)

• ScanossBase (28-107)

src/scanoss/scanossgrpc.py (1)

• ScanossGrpc (94-677)

src/scanoss/scanpostprocessor.py (1)

• ScanPostProcessor (76-289)

src/scanoss/scantype.py (1)

• ScanType (28-35)

src/scanoss/spdxlite.py (2)

• SpdxLite (39-697)
• produce_from_json (272-287)

src/scanoss/threadeddependencies.py (1)

• ThreadedDependencies (60-240)

src/scanoss/threadedscanning.py (1)

• ThreadedScanning (45-234)

🪛 LanguageTool

CHANGELOG.md

[grammar] ~14-~14: There might be a mistake here.
Context: ...yclonedxthe output was not writing to file - Fixed when runningcontainer-scan` w...

(QB_NEW_EN_OTHER)

---

[grammar] ~15-~15: There might be a mistake here.
Context: ...yclonedx` the output was not writing to file ## [1.27.0] - 2025-06-30 ### Added - Add di...

(QB_NEW_EN_OTHER)

🪛 GitHub Actions: Lint

src/scanoss/scanners/scanner_hfh.py

[error] 165-165: PLR0911 Too many return statements (7 > 6) in function '_format_cyclonedx_output'.

src/scanoss/cyclonedx.py

[error] 51-51: PLR0912 Too many branches (29 > 12) in function 'parse'.

---

[error] 51-51: PLR0915 Too many statements (77 > 50) in function 'parse'.

---

[error] 60-60: F541 f-string without any placeholders. Remove extraneous f prefix.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build

🔇 Additional comments (15)

src/scanoss/__init__.py (1)

25-25: Version bump looks good.

The patch version increment is appropriate for a bug fix release.

CHANGELOG.md (1)

12-16: Changelog entry accurately documents the fixes.

The entry clearly describes the CycloneDX output file writing issue that was fixed for both folder-scan and container-scan commands.

src/scanoss/scanners/scanner_hfh.py (1)

199-199: Correct adaptation to new CycloneDx interface.

The removal of the output_file parameter is consistent with the new usage pattern.

src/scanoss/scanners/container_scanner.py (1)

439-444: Correct implementation of the new CycloneDx interface.

The changes properly handle the new tuple return from produce_from_json with appropriate error handling and JSON formatting.

src/scanoss/cyclonedx.py (4)

25-25: Import reorganization improves code style.

Moving the datetime import to the top follows Python conventions.

---

173-184: Method signature change addresses the core issue.

The new tuple return (bool, json) allows callers to access both the success status and the generated CycloneDX output data, which is essential for the file writing fix.

---

188-188: Consistent tuple return for failure case.

The (False, None) return is consistent with the new interface.

---

271-271: Consistent tuple return for success case.

The (True, data) return provides both success status and the generated CycloneDX data.

src/scanoss/scanner.py (7)

25-25: New datetime import added but potentially unused.

The datetime import was added but I don't see it used directly in the scanner.py file. Based on the relevant code context, it appears to be used in the version_details() method starting at line 235.

---

29-51: Import organization improved for better readability.

The import statements have been reorganized to group related imports together, improving code organization and readability.

---

58-58: Exception handling syntax updated to modern Python style.

The exception handling has been updated from except ImportError: to except (ModuleNotFoundError, ImportError): which is more specific and catches both potential import-related exceptions.

---

72-72: Linter warning suppressions added for code complexity.

The # noqa comments suppress legitimate linter warnings for methods with high complexity (PLR0912, PLR0915) and too many parameters (PLR0913). These suppressions are appropriate for this codebase where refactoring these methods might introduce more complexity.

Also applies to: 287-287, 335-335, 535-535, 606-606, 758-758

---

403-403: Long line suppressions added for readability.

The # noqa: E501 comments suppress line length warnings for comment lines that provide important context and would be less readable if wrapped.

Also applies to: 660-660, 669-669

---

487-487: Critical fix: Adapt to new CycloneDx.produce_from_json return signature.

This change correctly adapts to the updated CycloneDx.produce_from_json method which now returns a tuple (bool, json) instead of just a boolean. The unpacking success, _ = cdx.produce_from_json(results) properly extracts the success flag while discarding the JSON data.

This fix addresses the core issue mentioned in the PR objectives where CycloneDX format output was not writing to files properly.

---

512-512: Linter warning suppression for intentional variable reassignment.

The # noqa: PLW2901 comment suppresses the pylint warning about redefining the loop variable response. This is intentional behavior where the response is being transformed (deobfuscated) in place.