fix(ci/cve-scanning): ignore malformed packages (#1699)

cwrau · web-flow · commit 7b90d2913123 · 2025-09-25T08:57:11.000Z
Otherwise trivy fails the whole job


&lt;!-- This is an auto-generated comment: release notes by coderabbit.ai
--&gt;

## Summary by CodeRabbit

- Bug Fixes
- Improved license compliance reports by filtering out malformed
packages from the software bill of materials before scanning, reducing
noise and false positives.
- Maintains existing scan flow and results formatting without changing
behavior for successful runs.

- Chores
- Updated CI processing to enhance accuracy of license scanning with no
impact on application functionality or user workflows.

&lt;!-- end of auto-generated comment: release notes by coderabbit.ai --&gt;
diff --git a/.github/scripts/scan-for-licenses.sh b/.github/scripts/scan-for-licenses.sh
@@ -72,6 +72,8 @@ function generateTrivyJson() {
   trap 'rm -f "$tmpFile"' RETURN
 
   syft "$image" -o spdx-json >"$tmpFile"
+  # ignore packages that are not fully defined, otherwise trivy fails
+  jq -r '.packages |= map(select(.name | endswith("/") | not))' "$tmpFile" | sponge "$tmpFile"
   trivy sbom "$tmpFile" --skip-{java-,}db-update --severity HIGH,CRITICAL,MEDIUM -f json --scanners license --quiet | jq -r --arg image "$image" '.Metadata.image = $image'
 }
 export -f generateTrivyJson

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,8 @@ function generateTrivyJson() {`
`72`	`72`	`trap 'rm -f "$tmpFile"' RETURN`
`73`	`73`
`74`	`74`	`syft "$image" -o spdx-json >"$tmpFile"`
	`75`	`+ # ignore packages that are not fully defined, otherwise trivy fails`
	`76`	`+ jq -r '.packages \|= map(select(.name \| endswith("/") \| not))' "$tmpFile" \| sponge "$tmpFile"`
`75`	`77`	`trivy sbom "$tmpFile" --skip-{java-,}db-update --severity HIGH,CRITICAL,MEDIUM -f json --scanners license --quiet \| jq -r --arg image "$image" '.Metadata.image = $image'`
`76`	`78`	`}`
`77`	`79`	`export -f generateTrivyJson`