fix: skip packages without SBOM during vulnerability scanning

When vulnerability scanning is enabled, packages cached before SBOM was
enabled or before the external SBOM feature (v0.16.0-rc9) may not have
SBOM files. Previously, this caused the build to fail with:

  SBOM file not found in package archive for package <name>

Now, packages without SBOM files are skipped with a warning message,
allowing the vulnerability scan to continue for other packages.

Co-authored-by: Ona <[email protected]>

Author: leodido

pkg/leeway/sbom-scan.go

@@ -129,9 +129,13 @@ func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 
 		if err != nil {
 			if err == ErrNoSBOMFile {
-				errMsg := fmt.Sprintf("SBOM file not found in package archive for package %s", p.FullName())
-				buildctx.Reporter.PackageBuildLog(p, true, []byte(errMsg+"\n"))
-				return xerrors.Errorf(errMsg)
+				// Skip packages without SBOM files - this can happen for packages
+				// cached before SBOM was enabled or before the external SBOM feature.
+				// Log a warning but continue scanning other packages.
+				buildctx.Reporter.PackageBuildLog(p, false, []byte(fmt.Sprintf(
+					"Skipping vulnerability scan for package %s: no SBOM file found (package may have been cached before SBOM was enabled)\n",
+					p.FullName())))
+				continue
 			}
 			errMsg := fmt.Sprintf("Failed to extract SBOM from package archive for package %s: %s\n", p.FullName(), err.Error())
 			buildctx.Reporter.PackageBuildLog(p, true, []byte(errMsg+"\n"))