Skip to content

fix: skip packages without SBOM during vulnerability scanning #313

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
leodido merged 1 commit into from
Dec 12, 2025
+14 −0
Merged

fix: skip packages without SBOM during vulnerability scanning #313

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions pkg/leeway/sbom-scan.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,20 @@ func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa

if err != nil {
if err == ErrNoSBOMFile {
// For downloaded packages, missing SBOM is expected for older cache artifacts
// that were built before SBOM support was added (v0.16.0+).
// Skip gracefully instead of failing the build.
//
// NOTE: To ensure full vulnerability scanning coverage, rebuild packages
// with a leeway version that supports SBOM generation, or clear the remote
// cache to force rebuilds.
if status == PackageDownloaded {
buildctx.Reporter.PackageBuildLog(p, false, []byte(fmt.Sprintf(
"Skipping vulnerability scan for package %s: SBOM not found in cached artifact (built before SBOM support)\n",
p.FullName())))
continue
}
// For locally built packages, missing SBOM is an error
errMsg := fmt.Sprintf("SBOM file not found in package archive for package %s", p.FullName())
buildctx.Reporter.PackageBuildLog(p, true, []byte(errMsg+"\n"))
return xerrors.Errorf(errMsg)
Expand Down
Loading