Update module.yaml

Signed-off-by: stlef14 <stlef14@users.noreply.github.com>

Author: stlef14

scanners/boostsecurityio/trivy-sbom/module.yaml

@@ -31,55 +31,53 @@ steps:
   - scan:
       command:
         run: |
-          set -eu  # fail on errors, but ignore unset vars in our loops
+          set -eu
           
-          # Ensure Directory.Packages.props exists
-          if [ ! -f "Directory.Packages.props" ]; then
-            cat > Directory.Packages.props <<'EOF'
-          <Project>
-            <ItemGroup></ItemGroup>
-          </Project>
-          EOF
-          fi
+          SCAN_TARGET=""
           
-          # Create temporary solution
-          dotnet new sln -n temp > /dev/null 2>&1
+          # Find all .csproj files once (search up to depth 5 for performance)
+          PROJECT_LIST=$(find . -maxdepth 5 -name "*.csproj" -type f)
           
-          # Find all .csproj files
-          PROJECTS=$(find . -name "*.csproj")
+          if [ -z "$PROJECT_LIST" ]; then
+              echo "No projects found."
+              exit 1
+          fi
           
-          # Temporary file for valid projects
-          VALID_PROJECTS=$(mktemp)
+          # Create temporary solution to merge all projects
+          dotnet new sln -n temp --force >/dev/null 2>&1 || true
           
-          # Check which projects can be restored
-          for proj in $PROJECTS; do
-            if dotnet restore "$proj" --ignore-failed-sources --no-cache > /dev/null 2>&1; then
-              echo "$proj" >> "$VALID_PROJECTS"
-            fi
+          # Add all found .csproj files to the solution
+          echo "$PROJECT_LIST" | while IFS= read -r proj; do
+              [ -n "$proj" ] && dotnet sln temp.sln add "$proj" >/dev/null 2>&1 || true
           done
           
-          # Add only valid projects to solution
-          while read -r proj; do
-            dotnet sln temp.sln add "$proj" > /dev/null 2>&1
-          done < "$VALID_PROJECTS"
+          SCAN_TARGET="./temp.sln"
+          
+          # Restore packages while ignoring errors.
+          if [ -n "$SCAN_TARGET" ]; then
+              dotnet restore "$SCAN_TARGET" --ignore-failed-sources --no-cache >/dev/null 2>&1 || true
+          fi
           
-          rm "$VALID_PROJECTS"
+          # Generate SBOM to temporary directory
+          OUTPUT_DIR="temp_sbom_output"
+          rm -rf "$OUTPUT_DIR" 2>/dev/null || true
           
-          # Restore valid projects (ignore errors)
-          dotnet restore temp.sln --ignore-failed-sources --no-cache > /dev/null 2>&1 || true
+          if [ -n "$SCAN_TARGET" ] && dotnet CycloneDX "$SCAN_TARGET" \
+              --disable-package-restore \
+              --output "$OUTPUT_DIR" \
+              --output-format json \
+              >/dev/null 2>&1; then
           
-          # Generate SBOM, only stdout is the BOM
-          if $SETUP_PATH/scan-tools/.dotnet-tools/dotnet-CycloneDX $(pwd)/temp.sln \
-                --disable-package-restore --output temp_sbom.json --output-format json > /dev/null 2>&1; then
-            if [ -f "temp_sbom.json/bom.json" ]; then
-              cat temp_sbom.json/bom.json
-            else
-              # SBOM file missing but no fatal error
-              echo "{}"
-            fi
+              if [ -f "$OUTPUT_DIR/bom.json" ]; then
+                  cat "$OUTPUT_DIR/bom.json"
+                  rm -rf "$OUTPUT_DIR"
+              else
+                  echo "SBOM result missing."
+                  exit 1
+              fi
           else
-            # CycloneDX failed but do not output logs, just empty JSON
-            echo "{}"
+              echo "CycloneDX failed to generate SBOM."
+              exit 1
           fi
 
       format: cyclonedx