
feat: add new --allow-incomplete-sbom-flag [CSENG-175] #6731

Open

snyk-abedonik wants to merge 8 commits into main from feat/CSENG-175-add-new-allow-incomplete-sbom-flag

Conversation


snyk-abedonik commented Apr 16, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

snyk sbom --all-projects previously used a fail-fast mode: if any project in the workspace failed to resolve its dependencies (missing lockfile, unsupported manifest, malformed JSON, etc.) the entire SBOM generation was aborted and no output was produced.

This PR implements the TypeScript plugin-layer changes required to support a new --allow-incomplete-sbom flag on snyk sbom. When the flag is set:

  • Projects that resolve successfully are included in the generated SBOM as usual.
  • Projects that fail are collected as structured ScanError entries (subject path + human-readable message) and forwarded to the SBOM service alongside the successful dep-graphs, so the service can embed them in the final document.

The user-facing flag (--allow-incomplete-sbom) is surfaced by the Go CLI layer (cliv2). When present it passes --print-output-jsonl-with-errors to the TypeScript legacy CLI, which is the internal wire option implemented here.


What are the relevant tickets?

References

https://docs.google.com/document/d/1vhRKlienHz1kbrCI-2BJ3maO6ykmlAz-hSApgo8MGEw/edit
https://docs.google.com/document/d/1i4exfAq3Dvoy_mKwQAwL3LYE6_Qkt7jQVYVOSzijZdw/edit
https://docs.google.com/document/d/1j0gNbzCALFF3WfIxLd5PVBtglJb4kYGQdheoM27VMaY/edit

snyk-abedonik requested review from a team as code owners April 16, 2026 10:15

snyk-io bot commented Apr 16, 2026

Snyk checks have passed. No issues have been found so far.

Status   Scan Engine            Critical   High   Medium   Low   Total (0)
         Open Source Security   0          0      0        0     0 issues
         Licenses               0          0      0        0     0 issues
         Code Security          0          0      0        0     0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


github-actions bot commented Apr 16, 2026

Warnings
⚠️ There are multiple commits on your branch, please squash them locally before merging!
⚠️ "Merge branch 'main' into feat/CSENG-175-add-new-allow-incomplete-sbom-flag" is too long. Keep the first line of your commit message under 72 characters.

Generated by 🚫 dangerJS against 3a00de1


snyk deleted a comment from snyk-pr-review-bot bot Apr 17, 2026
snyk-abedonik force-pushed the feat/CSENG-175-add-new-allow-incomplete-sbom-flag branch from eae551c to 99d0f84 on April 17, 2026 09:18
snyk-abedonik requested a review from a team as a code owner April 17, 2026 09:18
snyk deleted a comment from snyk-pr-review-bot bot Apr 17, 2026

snyk-pr-review-bot bot commented

PR Reviewer Guide 🔍

🧪 PR contains tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Regressed Deduplication 🟠 [major]

Switching depGraphs from a Map<string, depGraphLib.DepGraphData> to an array removes the implicit deduplication by targetName. In the original code, depGraphs.set(targetName, ...) ensured that if multiple scanned projects produced the same target name, only the last one was kept. The new code appends to an array, which will cause duplicate entries in the JSONL output when multiple projects share a target name. This violates the likely expectation of unique project entries for SBOM generation.

```typescript
const depGraphs: {
  graph: depGraphLib.DepGraphData;
  targetName: string;
  targetFile: string;
}[] = [];
```

Breaking Change 🟠 [major]

The functions printEffectiveDepGraph and printEffectiveDepGraphError have been renamed to printDepGraphJsonl and printDepGraphError respectively. While the PR updates internal callers, these functions are exported and likely used by other parts of the CLI or external plugins not present in this diff (e.g., custom integrations using the lib). Renaming them without maintaining aliases is a breaking change for the library's internal API.

```typescript
export async function printDepGraphJsonl(
  depGraph: DepGraphData,
  normalisedTargetFile: string,
  targetFileFromPlugin: string | undefined,
  target: GitTarget | ContainerTarget | null | undefined,
  targetRuntime: string | undefined,
  pluginName: string | undefined,
  workspacePluginName: string | undefined,
  destination: Writable,
): Promise<void> {
  return new Promise((res, rej) => {
    const graphOutput: any = {
      depGraph,
      normalisedTargetFile,
      targetFileFromPlugin,
      target,
      targetRuntime,
      workspace: getWorkspaceInfo(pluginName, workspacePluginName),
    };

    new ConcatStream(new JsonStreamStringify(graphOutput), Readable.from('\n'))
      .on('end', res)
      .on('error', rej)
      .pipe(destination);
  });
}

/**
 * printDepGraphError writes an error output for failed dependency graph resolution
 * to the destination stream in a format consistent with printDepGraphJsonl.
 */
export async function printDepGraphError(
```

Analytics Degradation 🟡 [minor]

In getDepsFromPlugin, when a single plugin scan fails and print-output-jsonl-with-errors is set, a hardcoded MultiProjectResultCustom is returned with plugin.name set to options.packageManager || 'unknown'. This bypasses the actual plugin's identifier. If downstream analytics or error reporting rely on the specific plugin instance name (e.g., 'snyk-python-plugin'), it will now receive 'pip' or 'unknown', causing inconsistencies in data tracking for failed scans.

```typescript
return {
  plugin: {
    name: options.packageManager || 'unknown',
  },
  scannedProjects: [],
  failedResults: [
    {
      targetFile: options.file,
      error,
      errMessage,
    },
  ],
} as MultiProjectResultCustom;
```

📚 Repository Context Analyzed

This review considered 33 relevant code sections from 9 files (average relevance: 0.96)
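The "Regressed Deduplication" focus area above turns on the difference between keying dep-graphs by targetName in a Map (a repeated key overwrites the earlier entry, so duplicates collapse to the last one) and appending to an array (every entry is kept). The following is an added example, not code from this PR or the Snyk CLI, that makes both behaviours concrete and adds a check for colliding target names; the entry shape and helper names (DepGraphEntry, collectKeyedByTarget, collectAll, duplicateTargetNames) are assumptions for this illustration.

```typescript
// Added example (not code from the PR): Map-keyed collection versus array
// collection of per-project dep-graph entries. All names are assumptions.
export interface DepGraphEntry {
  targetName: string;
  targetFile: string;
  graph: { pkgCount: number };
}

// Map-style collection: a repeated targetName overwrites the earlier entry,
// and the surviving entry keeps the position of the first insertion.
export function collectKeyedByTarget(entries: DepGraphEntry[]): DepGraphEntry[] {
  const byTarget = new Map<string, DepGraphEntry>();
  for (const e of entries) byTarget.set(e.targetName, e);
  return Array.from(byTarget.values());
}

// Array-style collection: every scanned project is retained, duplicates included.
export function collectAll(entries: DepGraphEntry[]): DepGraphEntry[] {
  return entries.slice();
}

// Report target names that appear more than once, so the caller can decide
// explicitly whether last-wins, first-wins or keep-all is the intended policy
// rather than inheriting it from the container type.
export function duplicateTargetNames(entries: DepGraphEntry[]): string[] {
  const seen = new Map<string, number>();
  for (const e of entries) seen.set(e.targetName, (seen.get(e.targetName) ?? 0) + 1);
  return Array.from(seen.entries())
    .filter(([, n]) => n > 1)
    .map(([name]) => name);
}

// Constructed sample: two projects in different directories share the name "app".
export const sampleEntries: DepGraphEntry[] = [
  { targetName: 'app', targetFile: 'frontend/package.json', graph: { pkgCount: 10 } },
  { targetName: 'lib', targetFile: 'lib/package.json', graph: { pkgCount: 3 } },
  { targetName: 'app', targetFile: 'backend/package.json', graph: { pkgCount: 25 } },
];

console.log('keyed:', collectKeyedByTarget(sampleEntries).map((e) => e.targetFile));
console.log('all:  ', collectAll(sampleEntries).map((e) => e.targetFile));
console.log('dups: ', duplicateTargetNames(sampleEntries));
```

Note that in the keyed form the frontend "app" graph is silently lost, which is its own SBOM completeness problem; whichever policy the project settles on, surfacing the collision (as duplicateTargetNames does) is what lets a reviewer or user tell the two outcomes apart.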
