refactor(sbom): add intermediate representation for BOM (#6240)

Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>

pkg/dependency/parser/python/packaging/parse.go

@@ -9,7 +9,7 @@ import (
 
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
+	"github.com/aquasecurity/trivy/pkg/dependency/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	xio "github.com/aquasecurity/trivy/pkg/x/io"
 )

pkg/dependency/parser/python/packaging/parse_test.go

@@ -8,7 +8,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/aquasecurity/trivy/pkg/dependency/parser/python/packaging"
-	"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
+	"github.com/aquasecurity/trivy/pkg/dependency/types"
 )
 
 func TestParse(t *testing.T) {

pkg/dependency/parser/python/pip/parse.go

@@ -10,7 +10,7 @@ import (
 	"golang.org/x/text/transform"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
+	"github.com/aquasecurity/trivy/pkg/dependency/types"
 	xio "github.com/aquasecurity/trivy/pkg/x/io"
 )
 

pkg/dependency/parser/python/pip/parse_test.go

@@ -8,7 +8,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
+	"github.com/aquasecurity/trivy/pkg/dependency/types"
 )
 
 func TestParse(t *testing.T) {

pkg/dependency/parser/python/pip/parse_testcase.go

@@ -1,6 +1,6 @@
 package pip
 
-import "github.com/aquasecurity/trivy/pkg/dependency/parser/types"
+import "github.com/aquasecurity/trivy/pkg/dependency/types"
 
 var (
 	requirementsFlask = []types.Library{

pkg/dependency/parser/python/pipenv/parse.go

@@ -7,7 +7,7 @@ import (
 	"github.com/liamg/jfather"
 	"golang.org/x/xerrors"
 
-	"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
+	"github.com/aquasecurity/trivy/pkg/dependency/types"
 	xio "github.com/aquasecurity/trivy/pkg/x/io"
 )
 
@@ -39,9 +39,14 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]types.Library, []types.Dependency,
 	var libs []types.Library
 	for pkgName, dependency := range lockFile.Default {
 		libs = append(libs, types.Library{
-			Name:      pkgName,
-			Version:   strings.TrimLeft(dependency.Version, "="),
-			Locations: []types.Location{{StartLine: dependency.StartLine, EndLine: dependency.EndLine}},
+			Name:    pkgName,
+			Version: strings.TrimLeft(dependency.Version, "="),
+			Locations: []types.Location{
+				{
+					StartLine: dependency.StartLine,
+					EndLine:   dependency.EndLine,
+				},
+			},
 		})
 	}
 	return libs, nil, nil

pkg/dependency/parser/python/pipenv/parse_test.go

@@ -10,7 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
+	"github.com/aquasecurity/trivy/pkg/dependency/types"
 )
 
 func TestParse(t *testing.T) {

pkg/dependency/parser/python/pipenv/parse_testcase.go

@@ -1,6 +1,6 @@
 package pipenv
 
-import "github.com/aquasecurity/trivy/pkg/dependency/parser/types"
+import "github.com/aquasecurity/trivy/pkg/dependency/types"
 
 var (
 	// docker run --name pipenv --rm -it python:3.9-alpine sh

pkg/dependency/parser/python/poetry/parse.go

@@ -8,8 +8,9 @@ import (
 	"golang.org/x/xerrors"
 
 	version "github.com/aquasecurity/go-pep440-version"
-	"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
-	"github.com/aquasecurity/trivy/pkg/dependency/parser/utils"
+	"github.com/aquasecurity/trivy/pkg/dependency"
+	"github.com/aquasecurity/trivy/pkg/dependency/types"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	xio "github.com/aquasecurity/trivy/pkg/x/io"
 )
@@ -50,7 +51,7 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]types.Library, []types.Dependency,
 			continue
 		}
 
-		pkgID := utils.PackageID(pkg.Name, pkg.Version)
+		pkgID := packageID(pkg.Name, pkg.Version)
 		libs = append(libs, types.Library{
 			ID:      pkgID,
 			Name:    pkg.Name,
@@ -124,7 +125,7 @@ func parseDependency(name string, versRange any, libVersions map[string][]string
 		if matched, err := matchVersion(ver, vRange); err != nil {
 			return "", xerrors.Errorf("failed to match version for %s: %w", name, err)
 		} else if matched {
-			return utils.PackageID(name, ver), nil
+			return packageID(name, ver), nil
 		}
 	}
 	return "", xerrors.Errorf("no matched version found for %q", name)
@@ -153,3 +154,7 @@ func normalizePkgName(name string) string {
 	name = strings.ReplaceAll(name, ".", "-") // e.g. https://github.com/python-poetry/poetry/blob/c8945eb110aeda611cc6721565d7ad0c657d453a/poetry.lock#L816
 	return name
 }
+
+func packageID(name, ver string) string {
+	return dependency.ID(ftypes.Poetry, name, ver)
+}

pkg/dependency/parser/python/poetry/parse_test.go

@@ -8,7 +8,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/aquasecurity/trivy/pkg/dependency/parser/types"
+	"github.com/aquasecurity/trivy/pkg/dependency/types"
 )
 
 func TestParser_Parse(t *testing.T) {

pkg/dependency/parser/python/poetry/parse_testcase.go

@@ -1,6 +1,6 @@
 package poetry
 
-import "github.com/aquasecurity/trivy/pkg/dependency/parser/types"
+import "github.com/aquasecurity/trivy/pkg/dependency/types"
 
 var (
 	// docker run --name pipenv --rm -it python@sha256:e1141f10176d74d1a0e87a7c0a0a5a98dd98ec5ac12ce867768f40c6feae2fd9 sh