handle missing SBOM and package data in legal artifacts

lelia · lelia · commit ee8e36a0f49d · 2026-05-11T14:55:17.000-04:00
Signed-off-by: lelia &lt;2418071+lelia@users.noreply.github.com&gt;
diff --git a/socketsecurity/output.py b/socketsecurity/output.py
@@ -214,10 +214,14 @@ def report_pass(self, diff_report: Diff) -> bool:
 
     def save_sbom_file(self, diff_report: Diff, sbom_file_name: Optional[str] = None) -> None:
         """Saves SBOM file if filename is provided"""
-        if not sbom_file_name or not diff_report.sbom:
+        if not sbom_file_name:
             return
 
-        self.write_json_file(sbom_file_name, diff_report.sbom)
+        sbom_data = getattr(diff_report, "sbom", None)
+        if sbom_data is None:
+            sbom_data = []
+
+        self.write_json_file(sbom_file_name, sbom_data)
 
     def build_summary_text(self, diff_report: Diff) -> str:
         """Render the console summary text for stdout and file output."""
diff --git a/socketsecurity/socketcli.py b/socketsecurity/socketcli.py
@@ -26,6 +26,28 @@
 
 load_dotenv()
 
+
+def build_license_artifact_payload(diff: Diff) -> dict:
+    """Build the license artifact payload from a diff, tolerating sparse scan paths."""
+    all_packages = {}
+    packages = getattr(diff, "packages", {}) or {}
+    for purl in packages:
+        package = packages[purl]
+        output = {
+            "id": package.id,
+            "name": package.name,
+            "version": package.version,
+            "ecosystem": package.type,
+            "direct": package.direct,
+            "url": package.url,
+            "license": package.license,
+            "licenseDetails": package.licenseDetails,
+            "licenseAttrib": package.licenseAttrib,
+            "purl": package.purl,
+        }
+        all_packages[package.id] = output
+    return all_packages
+
 def cli():
     try:
         main_code()
@@ -743,22 +765,7 @@ def _is_unprocessed(c):
 
     # Handle license generation
     if not should_skip_scan and diff.id != "NO_DIFF_RAN" and diff.id != "NO_SCAN_RAN" and config.generate_license:
-        all_packages = {}
-        for purl in diff.packages:
-            package = diff.packages[purl]
-            output = {
-                "id": package.id,
-                "name": package.name,
-                "version": package.version,
-                "ecosystem": package.type,
-                "direct": package.direct,
-                "url": package.url,
-                "license": package.license,
-                "licenseDetails": package.licenseDetails,
-                "licenseAttrib": package.licenseAttrib,
-                "purl": package.purl,
-            }
-            all_packages[package.id] = output
+        all_packages = build_license_artifact_payload(diff)
         core.save_file(config.license_file_name, json.dumps(all_packages))
 
     # If we forced API mode due to no supported files, behave as if --disable-blocking was set
