refactor(deps): move dependencies to package (#2189)

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20220531101952-e8bca3153e2b
+	github.com/aquasecurity/fanal v0.0.0-20220531120423-6434a96075a0
 	github.com/aquasecurity/go-dep-parser v0.0.0-20220503151658-d316f5cc2cff
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798

go.sum

@@ -179,8 +179,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/defsec v0.58.2 h1:cT9c9Ybxmg2uiscBukfuUOi2llIsGm9sGhHZlF8OWSc=
 github.com/aquasecurity/defsec v0.58.2/go.mod h1:42FxKif2itz+MHFlJ3TJjdroL9Jzj3THoexlueBTU5w=
-github.com/aquasecurity/fanal v0.0.0-20220531101952-e8bca3153e2b h1:L5UyVUtnVRxqyRlS7iwNwW4FvLB4ER7yxnCl90so7q8=
-github.com/aquasecurity/fanal v0.0.0-20220531101952-e8bca3153e2b/go.mod h1:1N/p/orwp3237JpnorWj5A90YyUhzBZIZ7isICwctks=
+github.com/aquasecurity/fanal v0.0.0-20220531120423-6434a96075a0 h1:swTngelbdVVpoed07iPZhNI48JizULaI405KPvrh7Fk=
+github.com/aquasecurity/fanal v0.0.0-20220531120423-6434a96075a0/go.mod h1:1N/p/orwp3237JpnorWj5A90YyUhzBZIZ7isICwctks=
 github.com/aquasecurity/go-dep-parser v0.0.0-20220503151658-d316f5cc2cff h1:YNlzRYB0n4mZtfuWx6AWaGEjnLVNekchyoFDlYFZegs=
 github.com/aquasecurity/go-dep-parser v0.0.0-20220503151658-d316f5cc2cff/go.mod h1:7EOQWQmyavVPY3fScbbPdd3dB/b0Q4ZbJ/NZCvNKrLs=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=

pkg/report/github/github.go

@@ -116,7 +116,7 @@ func (w Writer) Write(report types.Report) error {
 			githubPkg := Package{}
 			githubPkg.Scope = RuntimeScope
 			githubPkg.Relationship = getPkgRelationshipType(pkg)
-			githubPkg.Dependencies = getDependencies(result, pkg)
+			githubPkg.Dependencies = pkg.DependsOn
 			githubPkg.PackageUrl, err = buildPurl(result.Type, pkg)
 			if err != nil {
 				return xerrors.Errorf("unable to build purl for %s: %w", pkg.Name, err)
@@ -153,15 +153,6 @@ func getMetadata(report types.Report) Metadata {
 	return metadata
 }
 
-func getDependencies(result types.Result, pkg ftypes.Package) []string {
-	for _, dep := range result.Dependencies {
-		if dep.ID == pkg.ID {
-			return dep.DependsOn
-		}
-	}
-	return []string{}
-}
-
 func getPkgRelationshipType(pkg ftypes.Package) string {
 	if pkg.Indirect {
 		return IndirectRelationship

pkg/report/spdx/spdx_test.go

@@ -109,24 +109,24 @@ func TestWriter_Write(t *testing.T) {
 					ExternalDocumentReferences: map[string]spdx.ExternalDocumentRef2_2{},
 				},
 				Packages: map[spdx.ElementID]*spdx.Package2_2{
-					spdx.ElementID("65e3655ffcc41ab9"): {
-						PackageSPDXIdentifier:     spdx.ElementID("65e3655ffcc41ab9"),
+					spdx.ElementID("3639080be74a6685"): {
+						PackageSPDXIdentifier:     spdx.ElementID("3639080be74a6685"),
 						PackageName:               "actioncontroller",
 						PackageVersion:            "7.0.0",
 						PackageLicenseConcluded:   "NONE",
 						PackageLicenseDeclared:    "NONE",
 						IsFilesAnalyzedTagPresent: true,
 					},
-					spdx.ElementID("97cf5c89611089c6"): {
-						PackageSPDXIdentifier:     spdx.ElementID("97cf5c89611089c6"),
+					spdx.ElementID("8ee950e6d31d8cf9"): {
+						PackageSPDXIdentifier:     spdx.ElementID("8ee950e6d31d8cf9"),
 						PackageName:               "actionpack",
 						PackageVersion:            "7.0.0",
 						PackageLicenseConcluded:   "NONE",
 						PackageLicenseDeclared:    "NONE",
 						IsFilesAnalyzedTagPresent: true,
 					},
-					spdx.ElementID("3ee76dba6a695d6d"): {
-						PackageSPDXIdentifier:     spdx.ElementID("3ee76dba6a695d6d"),
+					spdx.ElementID("d234c2159623e835"): {
+						PackageSPDXIdentifier:     spdx.ElementID("d234c2159623e835"),
 						PackageName:               "binutils",
 						PackageVersion:            "2.30",
 						PackageLicenseConcluded:   "GPLv3+",
@@ -220,24 +220,24 @@ func TestWriter_Write(t *testing.T) {
 					ExternalDocumentReferences: map[string]spdx.ExternalDocumentRef2_2{},
 				},
 				Packages: map[spdx.ElementID]*spdx.Package2_2{
-					spdx.ElementID("40d016db96700ecb"): {
-						PackageSPDXIdentifier:     spdx.ElementID("40d016db96700ecb"),
+					spdx.ElementID("bb78dad8374b2a15"): {
+						PackageSPDXIdentifier:     spdx.ElementID("bb78dad8374b2a15"),
 						PackageName:               "acl",
 						PackageVersion:            "2.2.53",
 						PackageLicenseConcluded:   "GPLv2+",
 						PackageLicenseDeclared:    "GPLv2+",
 						IsFilesAnalyzedTagPresent: true,
 					},
-					spdx.ElementID("ff543ca421929db5"): {
-						PackageSPDXIdentifier:     spdx.ElementID("ff543ca421929db5"),
+					spdx.ElementID("73217041edb86985"): {
+						PackageSPDXIdentifier:     spdx.ElementID("73217041edb86985"),
 						PackageName:               "actionpack",
 						PackageVersion:            "7.0.0",
 						PackageLicenseConcluded:   "NONE",
 						PackageLicenseDeclared:    "NONE",
 						IsFilesAnalyzedTagPresent: true,
 					},
-					spdx.ElementID("639cce3bbd87450f"): {
-						PackageSPDXIdentifier:     spdx.ElementID("639cce3bbd87450f"),
+					spdx.ElementID("81bcacb3a43392d2"): {
+						PackageSPDXIdentifier:     spdx.ElementID("81bcacb3a43392d2"),
 						PackageName:               "actionpack",
 						PackageVersion:            "7.0.1",
 						PackageLicenseConcluded:   "NONE",
@@ -285,8 +285,8 @@ func TestWriter_Write(t *testing.T) {
 					ExternalDocumentReferences: map[string]spdx.ExternalDocumentRef2_2{},
 				},
 				Packages: map[spdx.ElementID]*spdx.Package2_2{
-					spdx.ElementID("9572b967bcbc8ea2"): {
-						PackageSPDXIdentifier:     spdx.ElementID("9572b967bcbc8ea2"),
+					spdx.ElementID("2540a9d087ba8509"): {
+						PackageSPDXIdentifier:     spdx.ElementID("2540a9d087ba8509"),
 						PackageName:               "actioncable",
 						PackageVersion:            "6.1.4.1",
 						PackageLicenseConcluded:   "NONE",
@@ -334,8 +334,8 @@ func TestWriter_Write(t *testing.T) {
 					ExternalDocumentReferences: map[string]spdx.ExternalDocumentRef2_2{},
 				},
 				Packages: map[spdx.ElementID]*spdx.Package2_2{
-					spdx.ElementID("1275fe237f4887b3"): {
-						PackageSPDXIdentifier:     spdx.ElementID("1275fe237f4887b3"),
+					spdx.ElementID("932072222bf5ccd6"): {
+						PackageSPDXIdentifier:     spdx.ElementID("932072222bf5ccd6"),
 						PackageName:               "ruby-typeprof",
 						PackageVersion:            "0.20.1",
 						PackageLicenseConcluded:   "MIT",

pkg/scanner/local/scan.go

@@ -233,7 +233,6 @@ func (s Scanner) scanLibrary(apps []ftypes.Application, options types.ScanOption
 		}
 		if options.ListAllPackages {
 			libReport.Packages = app.Libraries
-			libReport.Dependencies = app.Dependencies
 		}
 		results = append(results, libReport)
 	}

pkg/types/report.go

@@ -6,7 +6,6 @@ import (
 	v1 "github.com/google/go-containerregistry/pkg/v1" // nolint: goimports
 
 	ftypes "github.com/aquasecurity/fanal/types"
-	gdpTypes "github.com/aquasecurity/go-dep-parser/pkg/types"
 )
 
 // Report represents a scan result
@@ -49,7 +48,6 @@ type Result struct {
 	Class             ResultClass                `json:"Class,omitempty"`
 	Type              string                     `json:"Type,omitempty"`
 	Packages          []ftypes.Package           `json:"Packages,omitempty"`
-	Dependencies      []gdpTypes.Dependency      `json:"Dependencies,omitempty"`
 	Vulnerabilities   []DetectedVulnerability    `json:"Vulnerabilities,omitempty"`
 	MisconfSummary    *MisconfSummary            `json:"MisconfSummary,omitempty"`
 	Misconfigurations []DetectedMisconfiguration `json:"Misconfigurations,omitempty"`