fix: skip vulnerability scanning for packages that failed to build

leodido · ona-agent · leodido · commit 6d481e817c2b · 2025-12-02T15:07:46.000Z
When SLSA verification fails for a package and it needs to be built locally,
but the local build also fails, vulnerability scanning was attempting to scan
the package anyway and failing with 'Package not found in local cache'.

This fix:
- Passes the package build status map to vulnerability scanning
- Only scans packages with status PackageBuilt or PackageDownloaded
- Skips packages that failed verification, download, or build
- Logs which packages are skipped and why

This prevents fatal errors when a package fails to build but vulnerability
scanning is enabled. The build will still fail due to the package build
failure, but vulnerability scanning won't cause an additional error.

Fixes the issue in gitpod-next PR #11869 where api/go:lib SLSA verification
failed, local build was attempted, and vulnerability scanning crashed trying
to scan a package that wasn't in cache.

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/pkg/leeway/build.go b/pkg/leeway/build.go
@@ -748,8 +748,9 @@ func Build(pkg *Package, opts ...BuildOption) (err error) {
 
 	// Scan all packages for vulnerabilities after the build completes
 	// This ensures we scan even cached packages that weren't rebuilt
+	// Only scan packages that were successfully built or downloaded
 	if pkg.C.W.SBOM.Enabled && pkg.C.W.SBOM.ScanVulnerabilities {
-		if err := scanAllPackagesForVulnerabilities(ctx, allpkg); err != nil {
+		if err := scanAllPackagesForVulnerabilities(ctx, allpkg, pkgstatus); err != nil {
 			return err
 		}
 	}
diff --git a/pkg/leeway/sbom-scan.go b/pkg/leeway/sbom-scan.go
@@ -49,7 +49,8 @@ type PackageVulnerabilityStats struct {
 // This function is called after the build process completes to identify security issues
 // in all built packages, including those loaded from cache. It generates comprehensive
 // vulnerability reports in multiple formats and collects statistics across all packages.
-func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Package, customOutputDir ...string) error {
+// Only packages with successful build status (PackageBuilt or PackageDownloaded) are scanned.
+func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Package, pkgstatus map[*Package]PackageBuildStatus, customOutputDir ...string) error {
 	if len(packages) == 0 {
 		return nil
 	}
@@ -74,6 +75,12 @@ func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 
 	// Process each package
 	for _, p := range packages {
+		// Skip packages that were not successfully built or downloaded
+		status := pkgstatus[p]
+		if status != PackageBuilt && status != PackageDownloaded {
+			buildctx.Reporter.PackageBuildLog(p, false, []byte(fmt.Sprintf("Skipping vulnerability scan for package %s (status: %s)\n", p.FullName(), status)))
+			continue
+		}
 		if !p.C.W.SBOM.Enabled {
 			errMsg := fmt.Append(nil, "SBOM feature is disabled, cannot scan for vulnerabilities")
 			buildctx.Reporter.PackageBuildLog(p, false, errMsg)
@@ -88,9 +95,10 @@ func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 
 		location, exists := buildctx.LocalCache.Location(p)
 		if !exists {
-			errMsg := fmt.Appendf(nil, "Package %s not found in local cache, cannot scan for vulnerabilities\n", p.FullName())
-			buildctx.Reporter.PackageBuildLog(p, false, errMsg)
-			return xerrors.Errorf(string(errMsg))
+			// This should not happen since we already filtered by build status
+			// but handle it gracefully just in case
+			buildctx.Reporter.PackageBuildLog(p, false, []byte(fmt.Sprintf("Package %s not found in local cache, skipping vulnerability scan\n", p.FullName())))
+			continue
 		}
 
 		// Create temporary file for SBOM content
@@ -194,6 +202,7 @@ func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 // ScanAllPackagesForVulnerabilities provides a public API for scanning packages for vulnerabilities.
 // It creates a build context with the provided local cache and reporter, then calls the internal
 // scanAllPackagesForVulnerabilities function to perform the actual scanning.
+// This function assumes all provided packages are already built and available in the local cache.
 func ScanAllPackagesForVulnerabilities(localCache cache.LocalCache, packages []*Package, customOutputDir ...string) error {
 	buildctx := &buildContext{
 		buildOptions: buildOptions{
@@ -202,7 +211,14 @@ func ScanAllPackagesForVulnerabilities(localCache cache.LocalCache, packages []*
 		},
 	}
 
-	return scanAllPackagesForVulnerabilities(buildctx, packages, customOutputDir...)
+	// Create a status map marking all packages as built (since this is a public API
+	// that expects packages to already be in cache)
+	pkgstatus := make(map[*Package]PackageBuildStatus)
+	for _, p := range packages {
+		pkgstatus[p] = PackageBuilt
+	}
+
+	return scanAllPackagesForVulnerabilities(buildctx, packages, pkgstatus, customOutputDir...)
 }
 
 // scanSBOMForVulnerabilities scans an SBOM file for vulnerabilities and generates reports.

Original file line number	Diff line number	Diff line change
`@@ -748,8 +748,9 @@ func Build(pkg *Package, opts ...BuildOption) (err error) {`
`748`	`748`
`749`	`749`	`// Scan all packages for vulnerabilities after the build completes`
`750`	`750`	`// This ensures we scan even cached packages that weren't rebuilt`
	`751`	`+ // Only scan packages that were successfully built or downloaded`
`751`	`752`	`if pkg.C.W.SBOM.Enabled && pkg.C.W.SBOM.ScanVulnerabilities {`
`752`		`- if err := scanAllPackagesForVulnerabilities(ctx, allpkg); err != nil {`
	`753`	`+ if err := scanAllPackagesForVulnerabilities(ctx, allpkg, pkgstatus); err != nil {`
`753`	`754`	`return err`
`754`	`755`	`}`
`755`	`756`	`}`