feat: add new --allow-incomplete-sbom-flag [CSENG-175] #6731

Merged
snyk-abedonik merged 2 commits into main from feat/CSENG-175-add-new-allow-incomplete-sbom-flag
May 7, 2026

snyk-abedonik commented Apr 16, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

snyk sbom --all-projects previously used a fail-fast mode: if any project in the workspace failed to resolve its dependencies (missing lockfile, unsupported manifest, malformed JSON, etc.) the entire SBOM generation was aborted and no output was produced.

This PR implements the TypeScript plugin-layer changes required to support a new --allow-incomplete-sbom flag on snyk sbom. When the flag is set:

  • Projects that resolve successfully are included in the generated SBOM as usual.
  • Projects that fail are collected as structured ScanError entries (subject path + human-readable message) and forwarded to the SBOM service alongside the successful dep-graphs, so the service can embed them in the final document.

The user-facing flag (--allow-incomplete-sbom) is surfaced by the Go CLI layer (cliv2). When present it passes --print-output-jsonl-with-errors to the TypeScript legacy CLI, which is the internal wire option implemented here.


What are the relevant tickets?

References

https://docs.google.com/document/d/1vhRKlienHz1kbrCI-2BJ3maO6ykmlAz-hSApgo8MGEw/edit
https://docs.google.com/document/d/1i4exfAq3Dvoy_mKwQAwL3LYE6_Qkt7jQVYVOSzijZdw/edit
https://docs.google.com/document/d/1j0gNbzCALFF3WfIxLd5PVBtglJb4kYGQdheoM27VMaY/edit
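
A sketch of the fail-fast versus collect-errors behaviour this description outlines, as an added example that is not part of the PR or the Snyk CLI code base. The `ScanError` shape (subject path plus message) follows the description; the resolver, the JSONL line layout and the sample manifests are constructed assumptions.

```typescript
// Added illustration; every name below is hypothetical, not Snyk CLI code.
interface DepGraph { name: string; deps: string[] }
interface ScanError { subject: string; message: string }

// Stand-in resolver: parses a manifest string, throws when it cannot resolve.
function resolveProject(path: string, manifest: string): DepGraph {
  let parsed: { name?: string; dependencies?: Record<string, string> };
  try {
    parsed = JSON.parse(manifest);
  } catch (e) {
    throw new Error(`malformed JSON in ${path}`);
  }
  if (!parsed.name) throw new Error(`no project name in ${path}`);
  return { name: parsed.name, deps: Object.keys(parsed.dependencies || {}) };
}

// Emits one JSON line per project. Without allowIncomplete the first failure
// aborts the whole scan (fail-fast); with it, failures become ScanError lines.
function scanWorkspace(manifests: Record<string, string>, allowIncomplete: boolean): string[] {
  const lines: string[] = [];
  for (const path of Object.keys(manifests)) {
    try {
      lines.push(JSON.stringify({ depGraph: resolveProject(path, String(manifests[path])) }));
    } catch (e) {
      if (!allowIncomplete) throw e;
      const error: ScanError = {
        subject: path,
        message: e instanceof Error ? e.message : String(e),
      };
      lines.push(JSON.stringify({ error }));
    }
  }
  return lines;
}

// Consumer-side check: which subjects are missing from the resulting SBOM?
function failedSubjects(lines: string[]): string[] {
  return lines
    .map((l) => JSON.parse(l) as { error?: ScanError })
    .filter((rec) => rec.error !== undefined)
    .map((rec) => (rec.error as ScanError).subject);
}

// Constructed sample workspace: the second manifest is truncated on purpose.
const sampleWorkspace: Record<string, string> = {
  'api/package.json': '{"name":"api","dependencies":{"express":"4.19.2"}}',
  'web/package.json': '{"name":"web","dependencies":',
  'lib/package.json': '{"name":"lib"}',
};
```

A pipeline consuming output like this can flag or fail the build when `failedSubjects` is non-empty, so a partial SBOM is never mistaken for a complete inventory.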

@snyk-abedonik snyk-abedonik requested review from a team as code owners April 16, 2026 10:15

snyk-io Bot commented Apr 16, 2026

Snyk checks have passed. No issues have been found so far.

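| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
|  | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
|  | Licenses | 0 | 0 | 0 | 0 | 0 issues |
|  | Code Security | 0 | 0 | 0 | 0 | 0 issues |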

@snyk-abedonik snyk-abedonik force-pushed the feat/CSENG-175-add-new-allow-incomplete-sbom-flag branch from eae551c to 99d0f84 Compare April 17, 2026 09:18
@snyk-abedonik snyk-abedonik requested a review from a team as a code owner April 17, 2026 09:18

snyk-abedonik commented Apr 23, 2026

Testing Summary

Today, we conducted testing of the following commands. The results indicate that their output is consistent between the released CLI build and the local build with the applied changes.

SBOM Generation

  • snyk sbom --format cyclonedx1.6+json --all-projects
  • snyk sbom --format cyclonedx1.6+json

Test Execution (JSON Output)

  • snyk test --json --all-projects
  • snyk test --json

Dependency Graph and Verbose Output

  • snyk test --prune-repeated-subdependencies --print-effective-graph -- -Dverbose
  • snyk test --prune-repeated-subdependencies --print-effective-graph-with-errors -- -Dverbose

Conclusion

Across all tested commands, the output matches between the released CLI build and the local build incorporating the latest changes.

pom.xml

snyk sbom --format cyclonedx1.6+json --all-projects.json
snyk_darwin_arm64 sbom --format cyclonedx1.6+json --all-projects.json

snyk sbom --format cyclonedx1.6+json.json
snyk_darwin_arm64 sbom --format cyclonedx1.6+json.json

snyk test --json --all-projects.json
snyk_darwin_arm64 test --json --all-projects.json

snyk test --json.json
snyk_darwin_arm64 test --json.json

snyk test --prune-repeated-subdependencies --print-effective-graph -- -Dverbose.json
snyk_darwin_arm64 test --prune-repeated-subdependencies --print-effective-graph -- -Dverbose.json

snyk test --prune-repeated-subdependencies --print-effective-graph-with-errors -- -Dverbose.json
snyk_darwin_arm64 test --prune-repeated-subdependencies --print-effective-graph-with-errors -- -Dverbose.json

Note:

The dep graph computed by these commands doesn't have any nodes with the pruned=true label; however, snyk test --prune-repeated-subdependencies --print-effective-graph -- -Dverbose produces nodes with the pruned=true label for the same pom.xml. As a result, it confirms that --allow-incomplete-sbom operates with the complete graph.

  • snyk sbom --format cyclonedx1.6+json --all-projects --allow-incomplete-sbom
  • snyk sbom --format cyclonedx1.6+json --allow-incomplete-sbom

@snyk-abedonik snyk-abedonik force-pushed the feat/CSENG-175-add-new-allow-incomplete-sbom-flag branch 2 times, most recently from 73a9d7b to a251e35 Compare April 28, 2026 15:34
@snyk-abedonik snyk-abedonik force-pushed the feat/CSENG-175-add-new-allow-incomplete-sbom-flag branch from a251e35 to 8c63daf Compare April 28, 2026 15:35
@snyk-abedonik snyk-abedonik force-pushed the feat/CSENG-175-add-new-allow-incomplete-sbom-flag branch from 8c63daf to bab5aeb Compare April 28, 2026 15:56
@snyk-abedonik snyk-abedonik force-pushed the feat/CSENG-175-add-new-allow-incomplete-sbom-flag branch from bab5aeb to 28fd95f Compare April 28, 2026 16:45
@snyk-abedonik snyk-abedonik enabled auto-merge May 6, 2026 08:52
@snyk-abedonik snyk-abedonik disabled auto-merge May 6, 2026 09:18
@snyk-abedonik snyk-abedonik enabled auto-merge May 6, 2026 09:29
@snyk-abedonik snyk-abedonik disabled auto-merge May 6, 2026 10:04
@snyk-abedonik snyk-abedonik enabled auto-merge May 6, 2026 10:07
Comment thread test/jest/acceptance/snyk-sbom/allow-incomplete-sbom.spec.ts Outdated
@CatalinSnyk

issue: Please squash the commits into one before merging

@snyk-abedonik snyk-abedonik force-pushed the feat/CSENG-175-add-new-allow-incomplete-sbom-flag branch from 85cd0d9 to 9733e79 Compare May 6, 2026 19:50
@snyk-abedonik snyk-abedonik force-pushed the feat/CSENG-175-add-new-allow-incomplete-sbom-flag branch from 9733e79 to 64b500f Compare May 6, 2026 20:45
Comment thread src/lib/snyk-test/run-test.ts Outdated
@snyk-abedonik snyk-abedonik force-pushed the feat/CSENG-175-add-new-allow-incomplete-sbom-flag branch from d555648 to 618f805 Compare May 7, 2026 11:46
@snyk-abedonik snyk-abedonik force-pushed the feat/CSENG-175-add-new-allow-incomplete-sbom-flag branch from 618f805 to 306d77f Compare May 7, 2026 12:05
Comment thread test/jest/acceptance/snyk-sbom/allow-incomplete-sbom.spec.ts
@snyk-abedonik snyk-abedonik force-pushed the feat/CSENG-175-add-new-allow-incomplete-sbom-flag branch from 306d77f to 29ba128 Compare May 7, 2026 12:41

github-actions Bot commented May 7, 2026

Warnings
⚠️ There are multiple commits on your branch, please squash them locally before merging!
⚠️ "Merge branch 'main' into feat/CSENG-175-add-new-allow-incomplete-sbom-flag" is too long. Keep the first line of your commit message under 72 characters.

Generated by 🚫 dangerJS against 103f5f9

@snyk-abedonik snyk-abedonik merged commit 757dd74 into main May 7, 2026
8 checks passed
@snyk-abedonik snyk-abedonik deleted the feat/CSENG-175-add-new-allow-incomplete-sbom-flag branch May 7, 2026 15:14