fix: skip SBOM scan for all cached packages without SBOM

When a package is downloaded from remote cache and later reused from
local cache in a subsequent build, its status changes from
PackageDownloaded to PackageBuilt. The previous fix only handled
PackageDownloaded, causing failures for PackageBuilt packages that
were originally downloaded from older cache artifacts.

Now skip SBOM scan with a warning for any cached package without SBOM,
regardless of whether it was downloaded in this build or from local cache.

Co-authored-by: Ona <[email protected]>

Author: leodido

pkg/leeway/sbom-scan.go

@@ -129,23 +129,22 @@ func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 
 		if err != nil {
 			if err == ErrNoSBOMFile {
-				// For downloaded packages, missing SBOM is expected for older cache artifacts
-				// that were built before SBOM support was added (v0.16.0+).
+				// For downloaded packages or packages from local cache, missing SBOM is expected
+				// for older cache artifacts that were built before SBOM support was added (v0.16.0+).
 				// Skip gracefully instead of failing the build.
 				//
-				// NOTE: To ensure full vulnerability scanning coverage, rebuild packages
-				// with a leeway version that supports SBOM generation, or clear the remote
-				// cache to force rebuilds.
-				if status == PackageDownloaded {
-					buildctx.Reporter.PackageBuildLog(p, false, []byte(fmt.Sprintf(
-						"Skipping vulnerability scan for package %s: SBOM not found in cached artifact (built before SBOM support)\n",
-						p.FullName())))
-					continue
-				}
-				// For locally built packages, missing SBOM is an error
-				errMsg := fmt.Sprintf("SBOM file not found in package archive for package %s", p.FullName())
-				buildctx.Reporter.PackageBuildLog(p, true, []byte(errMsg+"\n"))
-				return xerrors.Errorf(errMsg)
+				// NOTE: PackageBuilt can also be a package that was downloaded in a previous build
+				// and is now being reused from local cache. We can't distinguish between:
+				// 1. A package built locally in this session (should have SBOM)
+				// 2. A package downloaded earlier and now in local cache (may not have SBOM)
+				//
+				// To avoid false failures, we skip with a warning for both cases.
+				// To ensure full vulnerability scanning coverage, rebuild packages
+				// with a leeway version that supports SBOM generation, or clear the caches.
+				buildctx.Reporter.PackageBuildLog(p, false, []byte(fmt.Sprintf(
+					"Skipping vulnerability scan for package %s: SBOM not found in cached artifact (built before SBOM support or from older cache)\n",
+					p.FullName())))
+				continue
 			}
 			errMsg := fmt.Sprintf("Failed to extract SBOM from package archive for package %s: %s\n", p.FullName(), err.Error())
 			buildctx.Reporter.PackageBuildLog(p, true, []byte(errMsg+"\n"))