test(detectors): fixture-based graph tests for gomod, gradle, maven, syft

[bomly-guy]

What

Adds committed-fixture tests for the four detectors whose graph builders had no testdata-fixture coverage — following the pattern established by the node and python lockfile_integration_test.go. No test invokes a build tool: each drives the parser entrypoint directly against a committed fixture.

Detector	Fixture	Drives	Asserts
gomod	testdata/demo/{go.mod, go-list-deps.json}	parseGoModFile + depGraphFromGoList	package set, transitive edges, runtime vs test-only development scope, stdlib excluded
maven	testdata/dependency-tree.tgf	depGraphFromMavenTGF	edges, compile→runtime / test→development scope
gradle	testdata/dependencies.txt	depGraphFromGradleOutput	edges, runtimeClasspath vs testRuntimeClasspath scope
syft	hand-built syft/sbom.SBOM struct	graphFromSyftSBOM	package→node, dependency-of→edge, license carry-through

gomod / gradle / maven ResolveGraph shells out to the toolchain, so the tests call the lower-level depGraphFrom* parsers with captured output. The syft builtin path consumes the Syft library's SBOM struct rather than a text manifest, so its fixture is the struct itself (behind the same !bomly_external_syft build tag); it invokes no syft binary.

Why only these four

While scoping this I found the rest of the detector suite already has testdata-fixture tests: nuget, cargo, pub, ruby, conan, cocoapods, and githubactions each drive ResolveGraph against a testdata/project/ directory via their committed-lock fast-paths (e.g. nuget's TestDetectorResolveGraphFromFixtureProject, cargo's Detector{WorkingDir:"testdata/project"}). Those are already build-tool-free, so adding more there would be redundant. The genuine gap was the four detectors above.

Notes

• internal/detectors/sbom tests already write SBOM docs to t.TempDir() and exercise internal/sbom; committed SBOM fixtures there are a possible future nicety but not a coverage gap.

🤖 Generated with Claude Code

Summary by CodeRabbit

Tests

• Added fixture-based tests for dependency detectors across Go modules, Gradle, Maven, and Syft SBOM formats. Tests validate dependency parsing, graph construction accuracy, scope classification (runtime vs. development), and license information handling.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 08bf9336-c1f0-4885-bc8a-27dfbd102146

📥 Commits

Reviewing files that changed from the base of the PR and between f9f7c70 and 9daadbb.

⛔ Files ignored due to path filters (4)

• internal/detectors/gomod/testdata/demo/go-list-deps.json is excluded by !**/testdata/**
• internal/detectors/gomod/testdata/demo/go.mod is excluded by !**/testdata/**
• internal/detectors/gradle/testdata/dependencies.txt is excluded by !**/testdata/**
• internal/detectors/maven/testdata/dependency-tree.tgf is excluded by !**/testdata/**

📒 Files selected for processing (4)

• internal/detectors/gomod/fixture_test.go
• internal/detectors/gradle/fixture_test.go
• internal/detectors/maven/fixture_test.go
• internal/detectors/syft/graph_mapping_test.go

---

📝 Walkthrough

Walkthrough

Adds four new fixture-driven test files for the gomod, gradle, maven, and syft detectors. Each test loads committed fixture data (or constructs an in-memory SBOM for syft), invokes the detector's parsing functions, and asserts graph structure including node presence, directed edges, scope classification, and license extraction.

Changes

Detector fixture test suites

Layer / File(s)	Summary
gomod fixture: parse go.mod and dependency graph internal/detectors/gomod/fixture_test.go	Adds readFixture helper and two tests: one parses a fixture go.mod to assert module identity and requirement counts, the other builds a dependency graph from a fixture go-list-deps.json to assert graph size, stdlib exclusion, and PrimaryScope() for specific modules.
gradle and maven fixture tests with edge/scope helpers internal/detectors/gradle/fixture_test.go, internal/detectors/maven/fixture_test.go	Gradle test loads testdata/dependencies.txt, builds a graph for demo-app, and asserts nodes, directed edges, and scopes via requireGradleEdge/requireGradleScope. Maven test loads a TGF fixture, parses via depGraphFromMavenTGF, and performs equivalent assertions via requireMavenEdge/requireMavenScope.
syft SBOM-to-graph mapping: packages, edges, licenses internal/detectors/syft/graph_mapping_test.go	Adds TestGraphFromSyftSBOMMapsPackagesEdgesLicenses (build-tag guarded), which constructs an in-memory Syft SBOM with requests and certifi plus a DependencyOfRelationship, converts it via graphFromSyftSBOM, and asserts graph size, dependency direction, and certifi's MPL-2.0 license. Includes nodeByName helper.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'test(detectors): fixture-based graph tests for gomod, gradle, maven, syft' accurately and specifically describes the main change—adding fixture-based tests for four detectors.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch test/detector-fixture-tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Bomly Diff Summary

Compared 9cb5b19d630aceea7217f2acc131fe438602c9b3 to 9daadbbb76ec70f90f22307e39dad9cf5f0bb29e.

Overview

Status	Manifests	Dependencies	Findings	Duration
✅ Pass	+0 / ~0 / -0	+0 / ~0 / -0	0 introduced / 0 persisted / 0 resolved	69189ms

Dependency Changes

✅ No dependency changes.

Vulnerabilities

✅ No vulnerability changes.

License Changes

✅ No license changes.

Project Posture

✅ No project posture changes (or --matchers +scorecard was not selected).

Policy Findings

✅ No policy differences were identified.