Commit 6a9ba77

committed
Revert "fix: skip SBOM scan for all cached packages without SBOM"
This reverts commit 9b15620.
1 parent 9b15620 commit 6a9ba77

1 file changed

+15
-14
lines changed

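--- a/pkg/leeway/sbom-scan.go
+++ b/pkg/leeway/sbom-scan.go
@@ -129,22 +129,23 @@ func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 
 if err != nil {
 if err == ErrNoSBOMFile {
-// For downloaded packages or packages from local cache, missing SBOM is expected
-// for older cache artifacts that were built before SBOM support was added (v0.16.0+).
+// For downloaded packages, missing SBOM is expected for older cache artifacts
+// that were built before SBOM support was added (v0.16.0+).
 // Skip gracefully instead of failing the build.
 //
-// NOTE: PackageBuilt can also be a package that was downloaded in a previous build
-// and is now being reused from local cache. We can't distinguish between:
-// 1. A package built locally in this session (should have SBOM)
-// 2. A package downloaded earlier and now in local cache (may not have SBOM)
-//
-// To avoid false failures, we skip with a warning for both cases.
-// To ensure full vulnerability scanning coverage, rebuild packages
-// with a leeway version that supports SBOM generation, or clear the caches.
-buildctx.Reporter.PackageBuildLog(p, false, []byte(fmt.Sprintf(
-"Skipping vulnerability scan for package %s: SBOM not found in cached artifact (built before SBOM support or from older cache)\n",
-p.FullName())))
-continue
+// NOTE: To ensure full vulnerability scanning coverage, rebuild packages
+// with a leeway version that supports SBOM generation, or clear the remote
+// cache to force rebuilds.
+if status == PackageDownloaded {
+buildctx.Reporter.PackageBuildLog(p, false, []byte(fmt.Sprintf(
+"Skipping vulnerability scan for package %s: SBOM not found in cached artifact (built before SBOM support)\n",
+p.FullName())))
+continue
+}
+// For locally built packages, missing SBOM is an error
+errMsg := fmt.Sprintf("SBOM file not found in package archive for package %s", p.FullName())
+buildctx.Reporter.PackageBuildLog(p, true, []byte(errMsg+"\n"))
+return xerrors.Errorf(errMsg)
 }
 errMsg := fmt.Sprintf("Failed to extract SBOM from package archive for package %s: %s\n", p.FullName(), err.Error())
 buildctx.Reporter.PackageBuildLog(p, true, []byte(errMsg+"\n"))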
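Review bot: `return xerrors.Errorf(errMsg)` on the last added line passes a runtime-built string as the format, so a package name containing `%` would be mangled and `go vet` flags the non-constant format string; use `return xerrors.New(errMsg)` (or `xerrors.Errorf("%s", errMsg)`) instead. Reinstating the `status == PackageDownloaded` skip also means any remote-cache artifact that arrives without an SBOM silently bypasses vulnerability scanning, so anyone who can write to that cache can opt a package out of the scan by stripping its SBOM; the comment should state that trade-off, e.g. `// SECURITY: a downloaded artifact with no SBOM is not scanned at all; this only holds if every writer to the remote cache is trusted.`, and a strict build option that fails instead of skipping is worth considering. The reverted commit's comment claimed that PackageBuilt can also cover artifacts reused from local cache, in which case the new error path would still fire for those; that is inferred from the removed text, not from code visible here. scanAllPackagesForVulnerabilities begins and ends outside the hunk, so where `status` is set is not visible.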
