
feat: add new --allow-incomplete-sbom-flag [CSENG-175] #6731

Open

snyk-abedonik wants to merge 12 commits into main from feat/CSENG-175-add-new-allow-incomplete-sbom-flag

Conversation

@snyk-abedonik snyk-abedonik commented Apr 16, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages
    are release-note ready, emphasizing
    what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

snyk sbom --all-projects previously used a fail-fast mode: if any project in the workspace failed to resolve its dependencies (missing lockfile, unsupported manifest, malformed JSON, etc.) the entire SBOM generation was aborted and no output was produced.

This PR implements the TypeScript plugin-layer changes required to support a new --allow-incomplete-sbom flag on snyk sbom. When the flag is set:

  • Projects that resolve successfully are included in the generated SBOM as usual.
  • Projects that fail are collected as structured ScanError entries (subject path + human-readable message) and forwarded to the SBOM service alongside the successful dep-graphs, so the service can embed them in the final document.

The user-facing flag (--allow-incomplete-sbom) is surfaced by the Go CLI layer (cliv2). When present it passes --print-output-jsonl-with-errors to the TypeScript legacy CLI, which is the internal wire option implemented here.

What are the relevant tickets?

References

https://docs.google.com/document/d/1vhRKlienHz1kbrCI-2BJ3maO6ykmlAz-hSApgo8MGEw/edit
https://docs.google.com/document/d/1i4exfAq3Dvoy_mKwQAwL3LYE6_Qkt7jQVYVOSzijZdw/edit
https://docs.google.com/document/d/1j0gNbzCALFF3WfIxLd5PVBtglJb4kYGQdheoM27VMaY/edit
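The two behaviours the PR description contrasts (fail-fast versus collecting per-project failures as structured errors next to the graphs that did resolve) can be modelled end to end in a few dozen lines. The following is an added example written for this page; it is not code from this PR or from the snyk CLI, and every name in it (Manifest, DepGraph, ScanError, scanWorkspace, toJsonlWithErrors, the JSONL record shapes) is an assumption chosen for illustration rather than the CLI's real API.

```typescript
// Added example, not snyk's code: a minimal model of the fail-fast vs.
// allow-incomplete behaviour for an --all-projects style scan. Every name
// here is an assumption chosen for illustration, not the CLI's real API.

interface DepGraph {
  rootPkg: { name: string; version: string };
  pkgs: { id: string; info: { name: string; version: string } }[];
}

// Structured failure record: which project failed and why.
interface ScanError {
  path: string;
  message: string;
}

// One manifest found in the workspace. `lockfile` being undefined models a
// missing lockfile; the lockfile format here is a JSON map name -> version.
interface Manifest {
  path: string;
  content: string;
  lockfile?: string;
}

function parseJson(label: string, text: string): unknown {
  try {
    return JSON.parse(text);
  } catch (e) {
    throw new Error(`malformed JSON in ${label}: ${(e as Error).message}`);
  }
}

// Stand-in for a package-manager plugin: turns one manifest into a dep-graph
// or throws with a human-readable reason.
function resolveProject(m: Manifest): DepGraph {
  if (m.lockfile === undefined) {
    throw new Error(`missing lockfile for ${m.path}`);
  }
  const pkg = parseJson(m.path, m.content) as { name?: string; version?: string };
  const lock = parseJson(`${m.path} lockfile`, m.lockfile) as Record<string, string>;
  if (!pkg.name || !pkg.version) {
    throw new Error(`unsupported manifest at ${m.path}: name/version missing`);
  }
  return {
    rootPkg: { name: pkg.name, version: pkg.version },
    pkgs: Object.keys(lock).map((name) => ({
      id: `${name}@${lock[name]}`,
      info: { name, version: lock[name] },
    })),
  };
}

interface WorkspaceResult {
  depGraphs: { path: string; depGraph: DepGraph }[];
  errors: ScanError[];
}

// allowIncomplete=false: the first failure aborts the whole run and nothing is
// emitted (the old fail-fast behaviour). allowIncomplete=true: the failure is
// recorded as a ScanError and scanning continues with the other projects.
function scanWorkspace(manifests: Manifest[], allowIncomplete: boolean): WorkspaceResult {
  const result: WorkspaceResult = { depGraphs: [], errors: [] };
  for (const m of manifests) {
    try {
      result.depGraphs.push({ path: m.path, depGraph: resolveProject(m) });
    } catch (e) {
      const err: ScanError = { path: m.path, message: (e as Error).message };
      if (!allowIncomplete) {
        throw new Error(`scan aborted at ${err.path}: ${err.message}`);
      }
      result.errors.push(err);
    }
  }
  return result;
}

// JSONL wire form: one record per resolved dep-graph, then a trailing record
// carrying the collected errors so the consumer can embed them in the SBOM.
function toJsonlWithErrors(r: WorkspaceResult): string {
  const lines = r.depGraphs.map((g) => JSON.stringify({ type: "depGraph", ...g }));
  lines.push(JSON.stringify({ type: "errors", errors: r.errors }));
  return lines.join("\n");
}

// Constructed sample workspace: one healthy project, one without a lockfile,
// one with a malformed manifest.
const sampleWorkspace: Manifest[] = [
  { path: "svc-a/package.json", content: '{"name":"svc-a","version":"1.0.0"}', lockfile: '{"lodash":"4.17.21"}' },
  { path: "svc-b/package.json", content: '{"name":"svc-b","version":"2.1.0"}' },
  { path: "svc-c/package.json", content: '{"name":"svc-c",', lockfile: "{}" },
];

console.log(toJsonlWithErrors(scanWorkspace(sampleWorkspace, true)));
```

The point a consumer should take from the model: with the flag off the caller gets an exception and no document at all; with it on the caller gets one graph and a trailing errors record, and it is the consumer's job to check that record rather than assume the SBOM is complete.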

@snyk-abedonik snyk-abedonik requested review from a team as code owners April 16, 2026 10:15

snyk-io Bot commented Apr 16, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine            Critical  High  Medium  Low  Total (0)
        Open Source Security   0         0     0       0    0 issues
        Licenses               0         0     0       0    0 issues
        Code Security          0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


github-actions Bot commented Apr 16, 2026

Warnings
⚠️ There are multiple commits on your branch, please squash them locally before merging!
⚠️ "Merge branch 'main' into feat/CSENG-175-add-new-allow-incomplete-sbom-flag" is too long. Keep the first line of your commit message under 72 characters.

Generated by 🚫 dangerJS against 534d56c

@snyk snyk deleted a comment from snyk-pr-review-bot Bot Apr 17, 2026
snyk-abedonik force-pushed the feat/CSENG-175-add-new-allow-incomplete-sbom-flag branch from eae551c to 99d0f84 on April 17, 2026 09:18
@snyk-abedonik snyk-abedonik requested a review from a team as a code owner April 17, 2026 09:18
@snyk snyk deleted a comment from snyk-pr-review-bot Bot Apr 17, 2026
snyk-abedonik commented Apr 23, 2026

Testing Summary

Today, we conducted testing of the following commands. The results indicate that their output is consistent between the released CLI build and the local build with the applied changes.

SBOM Generation

  • snyk sbom --format cyclonedx1.6+json --all-projects
  • snyk sbom --format cyclonedx1.6+json

Test Execution (JSON Output)

  • snyk test --json --all-projects
  • snyk test --json

Dependency Graph and Verbose Output

  • snyk test --prune-repeated-subdependencies --print-effective-graph -- -Dverbose
  • snyk test --prune-repeated-subdependencies --print-effective-graph-with-errors -- -Dverbose

Conclusion

Across all tested commands, the output matches between the released CLI build and the local build incorporating the latest changes.

pom.xml

snyk sbom --format cyclonedx1.6+json --all-projects.json
snyk_darwin_arm64 sbom --format cyclonedx1.6+json --all-projects.json

snyk sbom --format cyclonedx1.6+json.json
snyk_darwin_arm64 sbom --format cyclonedx1.6+json.json

snyk test --json --all-projects.json
snyk_darwin_arm64 test --json --all-projects.json

snyk test --json.json
snyk_darwin_arm64 test --json.json

snyk test --prune-repeated-subdependencies --print-effective-graph -- -Dverbose.json
snyk_darwin_arm64 test --prune-repeated-subdependencies --print-effective-graph -- -Dverbose.json

snyk test --prune-repeated-subdependencies --print-effective-graph-with-errors -- -Dverbose.json
snyk_darwin_arm64 test --prune-repeated-subdependencies --print-effective-graph-with-errors -- -Dverbose.json

  • snyk sbom --format cyclonedx1.6+json --all-projects --allow-incomplete-sbom
  • snyk sbom --format cyclonedx1.6+json --allow-incomplete-sbom

Note:

The dep graph computed by these commands doesn't have any nodes with the pruned=true label; however, snyk test --prune-repeated-subdependencies --print-effective-graph -- -Dverbose produces nodes with the pruned=true label for the same pom.xml. As a result, it confirms that --allow-incomplete-sbom operates with the complete graph.

@snyk-pr-review-bot

PR Reviewer Guide 🔍

🧪 PR contains tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Systemic OOM Risk 🟠 [major]

The logic in assembleLocalPayloads now explicitly skips the pruneGraph step when the print-output-jsonl-with-errors flag is set. For projects with deep or highly redundant dependency trees, unpruned graphs can grow significantly, leading to 'Invalid string length' errors in Node.js or memory exhaustion (OOM) during JSON serialization. While complete graphs are desirable for SBOMs, removing the safety guard of pruning without a size check poses a systemic risk of crashing the CLI on large projects.

if (packageManager && !options['print-output-jsonl-with-errors']) {
  depGraph = await pruneGraph(depGraph, packageManager, pruneIsRequired);
}
Missing Metadata (2 occurrences) 🟠 [major]
  1. src/lib/snyk-test/run-test.ts
    In sendAndParseResults, when printing dependency graphs for ecosystem scans (e.g., C++) in JSONL format, critical metadata such as target (repo URL/branch) and pluginName are passed as undefined. This results in the generated SBOM output lacking the necessary context to identify the source of the dependencies, which may cause identification failures in downstream consumers or the SBOM service.

  2. src/lib/ecosystems/test.ts
    Similar to the issue in run-test.ts, the printUnmanagedDepGraph function passes undefined for several metadata fields (target metadata, plugin name, etc.) when calling printDepGraphJsonl. This will cause unmanaged (C/C++) project graphs to be output without repository or container image context in the JSONL stream.

📚 Repository Context Analyzed

This review considered 39 relevant code sections from 10 files (average relevance: 0.97)
