You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Includes product update to be announced in the next stable release notes
What does this PR do?
snyk sbom --all-projects previously used a fail-fast mode: if any project in the workspace failed to resolve its dependencies (missing lockfile, unsupported manifest, malformed JSON, etc.) the entire SBOM generation was aborted and no output was produced.
This PR implements the TypeScript plugin-layer changes required to support a new --allow-incomplete-sbom flag on snyk sbom. When the flag is set:
Projects that resolve successfully are included in the generated SBOM as usual.
Projects that fail are collected as structured ScanError entries (subject path + human-readable message) and forwarded to the SBOM service alongside the successful dep-graphs, so the service can embed them in the final document.
The user-facing flag (--allow-incomplete-sbom) is surfaced by the Go CLI layer (cliv2). When present it passes --print-output-jsonl-with-errors to the TypeScript legacy CLI, which is the internal wire option implemented here.
Switching depGraphs from a Map<string, depGraphLib.DepGraphData> to an array removes the implicit deduplication by targetName. In the original code, depGraphs.set(targetName, ...) ensured that if multiple scanned projects produced the same target name, only the last one was kept. The new code appends to an array, which will cause duplicate entries in the JSONL output when multiple projects share a target name. This violates the likely expectation of unique project entries for SBOM generation.
The functions printEffectiveDepGraph and printEffectiveDepGraphError have been renamed to printDepGraphJsonl and printDepGraphError respectively. While the PR updates internal callers, these functions are exported and likely used by other parts of the CLI or external plugins not present in this diff (e.g., custom integrations using the lib). Renaming them without maintaining aliases is a breaking change for the library's internal API.
exportasyncfunctionprintDepGraphJsonl(depGraph: DepGraphData,normalisedTargetFile: string,targetFileFromPlugin: string|undefined,target: GitTarget|ContainerTarget|null|undefined,targetRuntime: string|undefined,pluginName: string|undefined,workspacePluginName: string|undefined,destination: Writable,): Promise<void>{returnnewPromise((res,rej)=>{constgraphOutput: any={
depGraph,
normalisedTargetFile,
targetFileFromPlugin,
target,
targetRuntime,workspace: getWorkspaceInfo(pluginName,workspacePluginName),};newConcatStream(newJsonStreamStringify(graphOutput),Readable.from('\n')).on('end',res).on('error',rej).pipe(destination);});}/** * printDepGraphError writes an error output for failed dependency graph resolution * to the destination stream in a format consistent with printDepGraphJsonl. */exportasyncfunctionprintDepGraphError(
In getDepsFromPlugin, when a single plugin scan fails and print-output-jsonl-with-errors is set, a hardcoded MultiProjectResultCustom is returned with plugin.name set to options.packageManager || 'unknown'. This bypasses the actual plugin's identifier. If downstream analytics or error reporting rely on the specific plugin instance name (e.g., 'snyk-python-plugin'), it will now receive 'pip' or 'unknown', causing inconsistencies in data tracking for failed scans.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request Submission Checklist
are release-note ready, emphasizing
what was changed, not how.
What does this PR do?
snyk sbom --all-projectspreviously used a fail-fast mode: if any project in the workspace failed to resolve its dependencies (missing lockfile, unsupported manifest, malformed JSON, etc.) the entire SBOM generation was aborted and no output was produced.This PR implements the TypeScript plugin-layer changes required to support a new
--allow-incomplete-sbomflag onsnyk sbom. When the flag is set:ScanErrorentries (subject path + human-readable message) and forwarded to the SBOM service alongside the successful dep-graphs, so the service can embed them in the final document.The user-facing flag (
--allow-incomplete-sbom) is surfaced by the Go CLI layer (cliv2). When present it passes--print-output-jsonl-with-errorsto the TypeScript legacy CLI, which is the internal wire option implemented here.What are the relevant tickets?
References
https://docs.google.com/document/d/1vhRKlienHz1kbrCI-2BJ3maO6ykmlAz-hSApgo8MGEw/edit
https://docs.google.com/document/d/1i4exfAq3Dvoy_mKwQAwL3LYE6_Qkt7jQVYVOSzijZdw/edit
https://docs.google.com/document/d/1j0gNbzCALFF3WfIxLd5PVBtglJb4kYGQdheoM27VMaY/edit