Update module.yaml

stlef14 · web-flow · commit efeef3bb7912 · 2025-10-22T19:33:27.000-04:00
Signed-off-by: stlef14 &lt;stlef14@users.noreply.github.com&gt;
diff --git a/scanners/boostsecurityio/trivy-sbom/module.yaml b/scanners/boostsecurityio/trivy-sbom/module.yaml
@@ -31,9 +31,9 @@ steps:
   - scan:
       command:
         run: |
-          set -euo
+          set -eu  # fail on errors, but ignore unset vars in our loops
           
-          # Ensure Packages.props exists
+          # Ensure Directory.Packages.props exists
           if [ ! -f "Directory.Packages.props" ]; then
             cat > Directory.Packages.props <<'EOF'
           <Project>
@@ -53,11 +53,8 @@ steps:
           
           # Check which projects can be restored
           for proj in $PROJECTS; do
-            echo "Checking project: $proj"
             if dotnet restore "$proj" --ignore-failed-sources --no-cache > /dev/null 2>&1; then
               echo "$proj" >> "$VALID_PROJECTS"
-            else
-              echo "⚠️ Skipping unbuildable project: $proj"
             fi
           done
           
@@ -68,21 +65,22 @@ steps:
           
           rm "$VALID_PROJECTS"
           
-          # Restore all valid projects for CycloneDX
+          # Restore valid projects (ignore errors)
           dotnet restore temp.sln --ignore-failed-sources --no-cache > /dev/null 2>&1 || true
           
-          # Generate SBOM
-          $SETUP_PATH/scan-tools/.dotnet-tools/dotnet-CycloneDX $(pwd)/temp.sln \
-            --disable-package-restore --output temp_sbom.json --output-format json > /dev/null 2>&1
-          
-          # Check for output
-          if [ -f "temp_sbom.json/bom.json" ]; then
-            cat temp_sbom.json/bom.json
+          # Generate SBOM, only stdout is the BOM
+          if $SETUP_PATH/scan-tools/.dotnet-tools/dotnet-CycloneDX $(pwd)/temp.sln \
+                --disable-package-restore --output temp_sbom.json --output-format json > /dev/null 2>&1; then
+            if [ -f "temp_sbom.json/bom.json" ]; then
+              cat temp_sbom.json/bom.json
+            else
+              # SBOM file missing but no fatal error
+              echo "{}"
+            fi
           else
-            echo "⚠️ CycloneDX failed or produced no output."
-            exit 1
+            # CycloneDX failed but do not output logs, just empty JSON
+            echo "{}"
           fi
 
-
       format: cyclonedx
 
