CLC-1361: Ignore ephemeral packages during scanning

This is required to be able to do a scan without building them.
Ignoring those is ok, because they don't contribute build artifacts that need scanning.

Author: geropl

cmd/sbom-scan.go

@@ -54,7 +54,17 @@ If no package is specified, the workspace's default target is used.`,
 			deps := pkg.GetTransitiveDependencies()
 			log.Infof("Scanning SBOMs for %s and %d dependencies to %s", pkg.FullName(), len(deps), outputDir)
 
-			allpkg = append(allpkg, deps...)
+			// Skip ephemeral packages as they're not meant to be cached
+			var filteredDeps []*leeway.Package
+			for _, p := range deps {
+				if p.Ephemeral {
+					log.Infof("Skipping vulnerability scan for ephemeral package %s\n", p.FullName())
+					continue
+				}
+				filteredDeps = append(filteredDeps, p)
+			}
+
+			allpkg = append(allpkg, filteredDeps...)
 		}
 
 		// Download packages from remote cache when needed

pkg/leeway/sbom-scan.go

@@ -80,6 +80,12 @@ func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 			return xerrors.Errorf(string(errMsg))
 		}
 
+		// Skip ephemeral packages as they're not meant to be cached
+		if p.Ephemeral {
+			buildctx.Reporter.PackageBuildLog(p, false, []byte(fmt.Sprintf("Skipping vulnerability scan for ephemeral package %s\n", p.FullName())))
+			continue
+		}
+
 		location, exists := buildctx.LocalCache.Location(p)
 		if !exists {
 			errMsg := fmt.Appendf(nil, "Package %s not found in local cache, cannot scan for vulnerabilities\n", p.FullName())