Skip to content

fix: skip packages without SBOM during vulnerability scanning #313

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
leodido merged 1 commit into from
Dec 12, 2025
Merged

fix: skip packages without SBOM during vulnerability scanning #313

leodido merged 1 commit into from
Dec 12, 2025
+14 −0

Conversation

@leodido
Copy link
Contributor

@leodido leodido commented Dec 12, 2025
edited
Loading

Summary

Skip SBOM vulnerability scan for downloaded packages that don't have SBOM files, instead of failing the build.

Part of https://linear.app/ona-team/issue/CLC-2133/rollout-on-main

Problem

When vulnerability scanning is enabled (sbom.scanVulnerabilities: true), packages downloaded from remote cache that were built with older Leeway versions (before SBOM support) cause the build to fail:

SBOM file not found in package archive for package ai-agents/agents/ona-swe-agent:app

Solution

Differentiate between downloaded and locally built packages:

Package Status Missing SBOM Behavior
PackageDownloaded Skip with warning (expected for older cache artifacts)
PackageBuilt Fail with error (SBOM should have been generated)

This ensures:

  • Older cache artifacts without SBOM don't break the build
  • SBOM generation bugs for locally built packages are still caught

Testing

  • All existing tests pass
  • The fix is backwards compatible

Related

@leodido leodido self-assigned this Dec 12, 2025
@leodido leodido force-pushed the ldd/skip-missing-sbom branch from 17fa045 to e1780b1 Compare December 12, 2025 15:25
@leodido @ona-agent
fix: skip SBOM scan for downloaded packages without SBOM
b5e3cbf 
When vulnerability scanning runs on packages downloaded from remote cache
that were built with older Leeway versions (before SBOM support), skip
gracefully with a warning instead of failing the build.

Only locally built packages (PackageBuilt) fail if SBOM is missing, since
we just generated it and missing SBOM indicates a bug.

Downloaded packages (PackageDownloaded) skip with a warning since older
cache artifacts may not have SBOM files.

Co-authored-by: Ona <[email protected]>
@leodido leodido force-pushed the ldd/skip-missing-sbom branch from e1780b1 to b5e3cbf Compare December 12, 2025 15:30
@leodido leodido requested a review from kylos101 December 12, 2025 15:37
@leodido leodido force-pushed the ldd/skip-missing-sbom branch from 362e536 to b5e3cbf Compare December 12, 2025 16:42
@leodido leodido merged commit d4094a2 into main Dec 12, 2025
15 checks passed
@leodido leodido mentioned this pull request Dec 13, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@corneliusludmann corneliusludmann corneliusludmann approved these changes

@kylos101 kylos101 Awaiting requested review from kylos101

Assignees

@leodido leodido

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@leodido @corneliusludmann