From 3eb200c31fb50a7a9f7f035aaa95c11392c000ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Meira?=
Date: Wed, 11 Feb 2026 16:03:18 +0000
Subject: [PATCH 1/2] breaking: Bump codacy-engine-golang-seed to 8.0.0 [TAROT-3634]
---
 cmd/tool/main.go | 2 +-
 go.mod | 2 +-
 go.sum | 4 +-
 internal/docgen/docgen.go | 2 +-
 internal/docgen/rule.go | 2 +-
 internal/tool/malicious_packages_scanner.go | 2 +-
 .../tool/malicious_packages_scanner_test.go | 2 +-
 internal/tool/tool.go | 15 +-
 internal/tool/tool_test.go | 190 +++++++++---------
 9 files changed, 118 insertions(+), 103 deletions(-)

diff --git a/cmd/tool/main.go b/cmd/tool/main.go
index 58d3b32..c564c52 100644
--- a/cmd/tool/main.go
+++ b/cmd/tool/main.go
@@ -3,7 +3,7 @@ package main
 import (
 "os"
- codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+ codacy "github.com/codacy/codacy-engine-golang-seed/v8"
 "github.com/codacy/codacy-trivy/internal/tool"
 "github.com/sirupsen/logrus"
 )
diff --git a/go.mod b/go.mod
index 390a4ce..0cb4754 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 github.com/CycloneDX/cyclonedx-go v0.10.0
 github.com/aquasecurity/trivy v0.69.1 // Also update .config.yml
 github.com/aquasecurity/trivy-db v0.0.0-20251222105351-a833f47f8f0d
- github.com/codacy/codacy-engine-golang-seed/v6 v6.4.8
+ github.com/codacy/codacy-engine-golang-seed/v8 v8.0.0
 github.com/google/go-cmp v0.7.0
 github.com/package-url/packageurl-go v0.1.3
 github.com/samber/lo v1.52.0
diff --git a/go.sum b/go.sum
index f5c9a57..c9288f7 100644
--- a/go.sum
+++ b/go.sum
@@ -240,8 +240,8 @@ github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZ
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f h1:Y8xYupdHxryycyPlc9Y+bSQAYZnetRJ70VMVKm5CKI0=
 github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f/go.mod h1:HlzOvOjVBOfTGSRXRyY0OiCS/3J1akRGQQpRO/7zyF4=
-github.com/codacy/codacy-engine-golang-seed/v6 v6.4.8 h1:ap4d7hyShG4zaOVtDWhqWmM93ln3EPF13mE/MLt07X4=
-github.com/codacy/codacy-engine-golang-seed/v6 v6.4.8/go.mod h1:TwTOzAyljLXLzl9exy6ey5XAepkAWrFgObHDn0OWGZ4=
+github.com/codacy/codacy-engine-golang-seed/v8 v8.0.0 h1:p4zzkRnRZXiSnocoUMEFi9eKw/uzTovvoT+BisMWr8c=
+github.com/codacy/codacy-engine-golang-seed/v8 v8.0.0/go.mod h1:9RoS2cnJWCHyzykgXeD5dF1L3Dyt9Fm9eIj/bcU7/dU=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
 github.com/containerd/cgroups/v3 v3.1.0 h1:azxYVj+91ZgSnIBp2eI3k9y2iYQSR/ZQIgh9vKO+HSY=
diff --git a/internal/docgen/docgen.go b/internal/docgen/docgen.go
index a01741c..b50afce 100644
--- a/internal/docgen/docgen.go
+++ b/internal/docgen/docgen.go
@@ -6,7 +6,7 @@ import (
 "os"
 "path"
- codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+ codacy "github.com/codacy/codacy-engine-golang-seed/v8"
 "github.com/codacy/codacy-trivy/internal"
 )
diff --git a/internal/docgen/rule.go b/internal/docgen/rule.go
index a36f7d7..3c0f363 100644
--- a/internal/docgen/rule.go
+++ b/internal/docgen/rule.go
@@ -1,6 +1,6 @@
 package docgen
-import codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+import codacy "github.com/codacy/codacy-engine-golang-seed/v8"
 // Rule represents a static code analysis rule that an execution of `codacy-trivy` can trigger.
 type Rule struct {
diff --git a/internal/tool/malicious_packages_scanner.go b/internal/tool/malicious_packages_scanner.go
index 5ba02e3..ab06cdf 100644
--- a/internal/tool/malicious_packages_scanner.go
+++ b/internal/tool/malicious_packages_scanner.go
@@ -9,7 +9,7 @@ import (
 "strings"
 ptypes "github.com/aquasecurity/trivy/pkg/types"
- codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+ codacy "github.com/codacy/codacy-engine-golang-seed/v8"
 "github.com/samber/lo"
 "golang.org/x/mod/semver"
 )
diff --git a/internal/tool/malicious_packages_scanner_test.go b/internal/tool/malicious_packages_scanner_test.go
index d82cb66..3e84aab 100644
--- a/internal/tool/malicious_packages_scanner_test.go
+++ b/internal/tool/malicious_packages_scanner_test.go
@@ -7,7 +7,7 @@ import (
 ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 ptypes "github.com/aquasecurity/trivy/pkg/types"
- codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+ codacy "github.com/codacy/codacy-engine-golang-seed/v8"
 "github.com/package-url/packageurl-go"
 "github.com/stretchr/testify/assert"
 )
diff --git a/internal/tool/tool.go b/internal/tool/tool.go
index d049529..abd6c5b 100644
--- a/internal/tool/tool.go
+++ b/internal/tool/tool.go
@@ -3,6 +3,7 @@ package tool
 import (
 "bufio"
 "context"
+ "encoding/json"
 "fmt"
 "net/url"
 "os"
@@ -20,7 +21,7 @@ import (
 tresult "github.com/aquasecurity/trivy/pkg/result"
 tcdx "github.com/aquasecurity/trivy/pkg/sbom/cyclonedx"
 ptypes "github.com/aquasecurity/trivy/pkg/types"
- codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+ codacy "github.com/codacy/codacy-engine-golang-seed/v8"
 "github.com/codacy/codacy-trivy/internal"
 "github.com/package-url/packageurl-go"
 "github.com/samber/lo"
@@ -255,7 +256,17 @@ func (t codacyTrivy) getSBOM(ctx context.Context, report ptypes.Report) (codacy.
 }
 unencodeComponents(bom)
- return codacy.SBOM{BOM: *bom}, nil
+
+ bomStr, err := json.Marshal(bom)
+ if err != nil {
+ return codacy.SBOM{}, &ToolError{msg: "Failed to run Codacy Trivy", w: err}
+ }
+
+ return codacy.SBOM{
+ BomFormat: codacy.CycloneDXJSON,
+ SpecVersion: bom.SpecVersion.String(),
+ Sbom: string(bomStr),
+ }, nil
 }
 // Running Trivy for secret scanning is not as efficient as running for vulnerability scanning.
diff --git a/internal/tool/tool_test.go b/internal/tool/tool_test.go
index 731d8da..e38dd09 100644
--- a/internal/tool/tool_test.go
+++ b/internal/tool/tool_test.go
@@ -5,6 +5,7 @@ package tool
 import (
 "compress/gzip"
 "context"
+ "encoding/json"
 "fmt"
 "os"
 "path/filepath"
@@ -18,7 +19,7 @@ import (
 ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 "github.com/aquasecurity/trivy/pkg/flag"
 ptypes "github.com/aquasecurity/trivy/pkg/types"
- codacy "github.com/codacy/codacy-engine-golang-seed/v6"
+ codacy "github.com/codacy/codacy-engine-golang-seed/v8"
 "github.com/google/go-cmp/cmp"
 "github.com/google/go-cmp/cmp/cmpopts"
 "github.com/package-url/packageurl-go"
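Review bot: The error returned when `json.Marshal(bom)` fails reuses the generic message `"Failed to run Codacy Trivy"`, so a serialization failure is indistinguishable in the tool output from a scanner failure; a message naming this step, e.g. `return codacy.SBOM{}, &ToolError{msg: "Failed to serialize SBOM to CycloneDX JSON", w: err}`, would make it actionable. `bom.SpecVersion.String()` is also passed through unchecked; if the cyclonedx-go enum yields an empty string for a version it does not recognise, the result would carry an empty SpecVersion next to a valid BomFormat, so a guard or at least a comment stating the assumption that Trivy always emits a known spec version is warranted. getSBOM starts outside the hunk, so whether `bom` can be nil at this point is not visible here.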
@@ -333,105 +334,102 @@ func TestRun(t *testing.T) { expectedMetadataComponentBOMRef := "b804b498-f626-41c5-a47f-45e1471acf33" expectedRootComponentBOMRef := "d16d6083-4370-442f-a6ab-c5146a215dbe" expectedRooComponentName := "file-802713450" - expectedSBOM := codacy.SBOM{ - BOM: cyclonedx.BOM{ - XMLNS: "http://cyclonedx.org/schema/bom/1.6", - JSONSchema: "http://cyclonedx.org/schema/bom-1.6.schema.json", - BOMFormat: "CycloneDX", - SpecVersion: cyclonedx.SpecVersion(7), - SerialNumber: "urn:uuid:181e846e-fede-46b6-8be7-206a0f393caa", // different every run - Version: 1, - Metadata: &cyclonedx.Metadata{ - Timestamp: "2024-09-19T09:41:02.021Z", // different every run - Tools: &cyclonedx.ToolsChoice{ - Components: &[]cyclonedx.Component{ - { - Type: "application", - Manufacturer: &cyclonedx.OrganizationalEntity{ - Name: "Aqua Security Software Ltd.", - }, - Group: "aquasecurity", - Name: "trivy", - Version: "dev", - }, - }, - }, - Component: &cyclonedx.Component{ - BOMRef: expectedMetadataComponentBOMRef, - Type: "application", - Properties: &[]cyclonedx.Property{ - { - Name: "aquasecurity:trivy:SchemaVersion", - Value: "0", + expectedBOM := cyclonedx.BOM{ + JSONSchema: "http://cyclonedx.org/schema/bom-1.6.schema.json", + BOMFormat: "CycloneDX", + SpecVersion: cyclonedx.SpecVersion1_6, + SerialNumber: "urn:uuid:181e846e-fede-46b6-8be7-206a0f393caa", // different every run + Version: 1, + Metadata: &cyclonedx.Metadata{ + Timestamp: "2024-09-19T09:41:02.021Z", // different every run + Tools: &cyclonedx.ToolsChoice{ + Components: &[]cyclonedx.Component{ + { + Type: "application", + Manufacturer: &cyclonedx.OrganizationalEntity{ + Name: "Aqua Security Software Ltd.", }, + Group: "aquasecurity", + Name: "trivy", + Version: "dev", }, }, }, - Components: &[]cyclonedx.Component{ - { - BOMRef: expectedRootComponentBOMRef, - Type: "application", - Name: "file-802713450", - Properties: &[]cyclonedx.Property{ - { - Name: "aquasecurity:trivy:Class", - Value: "lang-pkgs", - }, - { 
- Name: "aquasecurity:trivy:Type", - }, + Component: &cyclonedx.Component{ + BOMRef: expectedMetadataComponentBOMRef, + Type: "application", + Properties: &[]cyclonedx.Property{ + { + Name: "aquasecurity:trivy:SchemaVersion", + Value: "0", }, }, - { - BOMRef: "no-purl", - Type: "library", - Properties: &[]cyclonedx.Property{}, - }, - { - BOMRef: "pkg:type/@namespace/package-1@version+incompatible", - Type: "library", - Properties: &[]cyclonedx.Property{}, - PackageURL: "pkg:type/@namespace/package-1@version+incompatible", - Version: "version+incompatible", - }, - { - BOMRef: "pkg:type/@namespace/package-2@version+RC", - Type: "library", - Properties: &[]cyclonedx.Property{}, - PackageURL: "pkg:type/@namespace/package-2@version+RC", - Version: "version+RC", - }, }, - Dependencies: &[]cyclonedx.Dependency{ - { - Ref: expectedMetadataComponentBOMRef, - Dependencies: &[]string{ - expectedRootComponentBOMRef, + }, + Components: &[]cyclonedx.Component{ + { + BOMRef: expectedRootComponentBOMRef, + Type: "application", + Name: "file-802713450", + Properties: &[]cyclonedx.Property{ + { + Name: "aquasecurity:trivy:Class", + Value: "lang-pkgs", }, - }, - { - Ref: expectedRootComponentBOMRef, - Dependencies: &[]string{ - "no-purl", - "pkg:type/@namespace/package-1@version+incompatible", - "pkg:type/@namespace/package-2@version+RC", + { + Name: "aquasecurity:trivy:Type", }, }, - { - Ref: "no-purl", - Dependencies: &[]string{}, - }, - { - Ref: "pkg:type/@namespace/package-1@version+incompatible", - Dependencies: &[]string{}, + }, + { + BOMRef: "no-purl", + Type: "library", + Properties: &[]cyclonedx.Property{}, + }, + { + BOMRef: "pkg:type/@namespace/package-1@version+incompatible", + Type: "library", + Properties: &[]cyclonedx.Property{}, + PackageURL: "pkg:type/@namespace/package-1@version+incompatible", + Version: "version+incompatible", + }, + { + BOMRef: "pkg:type/@namespace/package-2@version+RC", + Type: "library", + Properties: &[]cyclonedx.Property{}, + PackageURL: 
"pkg:type/@namespace/package-2@version+RC", + Version: "version+RC", + }, + }, + Dependencies: &[]cyclonedx.Dependency{ + { + Ref: expectedMetadataComponentBOMRef, + Dependencies: &[]string{ + expectedRootComponentBOMRef, }, - { - Ref: "pkg:type/@namespace/package-2@version+RC", - Dependencies: &[]string{}, + }, + { + Ref: expectedRootComponentBOMRef, + Dependencies: &[]string{ + "no-purl", + "pkg:type/@namespace/package-1@version+incompatible", + "pkg:type/@namespace/package-2@version+RC", }, }, - Vulnerabilities: &[]cyclonedx.Vulnerability{}, + { + Ref: "no-purl", + Dependencies: &[]string{}, + }, + { + Ref: "pkg:type/@namespace/package-1@version+incompatible", + Dependencies: &[]string{}, + }, + { + Ref: "pkg:type/@namespace/package-2@version+RC", + Dependencies: &[]string{}, + }, }, + Vulnerabilities: &[]cyclonedx.Vulnerability{}, } sboms := lo.Filter(results, func(result codacy.Result, _ int) bool { switch result.(type) { 
@@ -442,17 +440,21 @@ func TestRun(t *testing.T) {
 }
 })
+ var obtainedBOM *cyclonedx.BOM
+ err := json.Unmarshal([]byte(sboms[0].(codacy.SBOM).Sbom), &obtainedBOM)
+ assert.NoError(t, err)
+
 // Set values that change on every run to known values.
 // This allows us to test the relationship between components.
- oldMetadataComponentBOMRef := sboms[0].(codacy.SBOM).Metadata.Component.BOMRef
- sboms[0].(codacy.SBOM).Metadata.Component.BOMRef = expectedMetadataComponentBOMRef
+ oldMetadataComponentBOMRef := obtainedBOM.Metadata.Component.BOMRef
+ obtainedBOM.Metadata.Component.BOMRef = expectedMetadataComponentBOMRef
 // Components are always in declaration order, with the root component (created automatically) coming first
- cs := *sboms[0].(codacy.SBOM).Components
+ cs := *obtainedBOM.Components
 oldRootComponentBOMRef := cs[0].BOMRef
 cs[0].BOMRef = expectedRootComponentBOMRef
 cs[0].Name = expectedRooComponentName
 // Dependencies are not always in order we must take care to change the correct value
- ds := *sboms[0].(codacy.SBOM).Dependencies
+ ds := *obtainedBOM.Dependencies
 for i, d := range ds {
 if d.Ref == oldMetadataComponentBOMRef {
 ds[i].Ref = expectedMetadataComponentBOMRef
@@ -469,14 +471,16 @@ func TestRun(t *testing.T) {
 // Only one SBOM result is produced
 assert.Len(t, sboms, 1)
+ assert.Equal(t, sboms[0].(codacy.SBOM).BomFormat, codacy.CycloneDXJSON)
+ assert.Equal(t, sboms[0].(codacy.SBOM).SpecVersion, "1.6")
 assert.True(
 t,
 cmp.Equal(
- expectedSBOM,
- sboms[0],
+ expectedBOM,
+ *obtainedBOM,
 cmp.Options{
 // Ignore fields that change each run
- cmpopts.IgnoreFields(codacy.SBOM{}, "SerialNumber"),
+ cmpopts.IgnoreFields(cyclonedx.BOM{}, "SerialNumber"),
 cmpopts.IgnoreFields(cyclonedx.Metadata{}, "Timestamp"),
 },
 ),
From 877f5454485d5c781df216044e6fdc94039b0da8 Mon Sep 17 00:00:00 2001
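Review bot: `assert.NoError(t, err)` after the new `json.Unmarshal` call does not stop the test, so when decoding fails `obtainedBOM` stays nil and the following line `obtainedBOM.Metadata.Component.BOMRef` panics instead of reporting the decoding error; end the test there with `if !assert.NoError(t, err) { t.FailNow() }` (or `require.NoError` if the file imports testify's require package). The same hunk indexes `sboms[0]` before the `assert.Len(t, sboms, 1)` check in the second hunk runs, which was already the case before this change but now happens at the Unmarshal call as well. In the second hunk the two new `assert.Equal` calls pass the obtained value first and the expected constant second, the reverse of testify's (expected, actual) order, so a failure message would label the two values the wrong way round; `assert.Equal(t, codacy.CycloneDXJSON, sboms[0].(codacy.SBOM).BomFormat)`. TestRun starts and ends outside the hunk.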
From: =?UTF-8?q?Andr=C3=A9=20Meira?=
Date: Wed, 11 Feb 2026 16:26:37 +0000
Subject: [PATCH 2/2] fix: Update expected vulnerabilities for tests
---
 .../pattern-vulnerability-critical/results.xml | 6 ++++++
 .../pattern-vulnerability-high/results.xml | 10 ++--------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/docs/multiple-tests/pattern-vulnerability-critical/results.xml b/docs/multiple-tests/pattern-vulnerability-critical/results.xml
index f66be6e..fb9adff 100644
--- a/docs/multiple-tests/pattern-vulnerability-critical/results.xml
+++ b/docs/multiple-tests/pattern-vulnerability-critical/results.xml
@@ -7,6 +7,12 @@ message="Insecure dependency golang/stdlib@v1.21.4 (CVE-2024-24790: golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses) (update to 1.21.11)" severity="error" /> + - @@ -136,7 +130,7 @@ @@ -157,7 +151,7 @@