fix: skip vulnerability scanning for packages that failed to build

Root cause: When multiple packages depend on the same package (e.g., api/go:lib),
and that package's build fails, the build lock mechanism causes a race condition:

1. Goroutine A obtains the lock and starts building the shared dependency
2. Goroutine B waits on the lock
3. If Goroutine A's build fails, it releases the lock and returns an error
4. Goroutine B wakes up, sees the lock is released, and returns nil (success)
5. The error propagates up through Goroutine A's dependency chain only
6. If the target package's dependency chain goes through Goroutine B, the
   main build 'succeeds' even though the dependency failed
7. Vulnerability scanning runs and fails because the package isn't in cache

This fix:
- Passes the package build status map to vulnerability scanning
- Only scans packages with status PackageBuilt or PackageDownloaded
- Skips packages that failed verification, download, or build
- Logs which packages are skipped and why

This prevents fatal errors in vulnerability scanning when a dependency build
fails in a parallel goroutine. The build will still fail if the dependency
error propagates through the main dependency chain, but vulnerability scanning
won't cause an additional confusing error.

Fixes the issue in gitpod-next PR #11869 where api/go:lib build failed in a
parallel goroutine, but the main build continued and vulnerability scanning
crashed trying to scan a package that wasn't in cache.

Co-authored-by: Ona <no-reply@ona.com>

Author: leodido

pkg/leeway/build.go

@@ -748,8 +748,10 @@ func Build(pkg *Package, opts ...BuildOption) (err error) {
 
 	// Scan all packages for vulnerabilities after the build completes
 	// This ensures we scan even cached packages that weren't rebuilt
+	// Only scan packages that were successfully built or downloaded to avoid
+	// errors when a dependency build failed in a parallel goroutine
 	if pkg.C.W.SBOM.Enabled && pkg.C.W.SBOM.ScanVulnerabilities {
-		if err := scanAllPackagesForVulnerabilities(ctx, allpkg); err != nil {
+		if err := scanAllPackagesForVulnerabilities(ctx, allpkg, pkgstatus); err != nil {
 			return err
 		}
 	}

pkg/leeway/sbom-scan.go

@@ -49,7 +49,11 @@ type PackageVulnerabilityStats struct {
 // This function is called after the build process completes to identify security issues
 // in all built packages, including those loaded from cache. It generates comprehensive
 // vulnerability reports in multiple formats and collects statistics across all packages.
-func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Package, customOutputDir ...string) error {
+//
+// Only packages with successful build status (PackageBuilt or PackageDownloaded) are scanned.
+// This prevents errors when a dependency build fails in a parallel goroutine but the main
+// build continues (due to the build lock mechanism allowing other goroutines to proceed).
+func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Package, pkgstatus map[*Package]PackageBuildStatus, customOutputDir ...string) error {
 	if len(packages) == 0 {
 		return nil
 	}
@@ -74,6 +78,15 @@ func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 
 	// Process each package
 	for _, p := range packages {
+		// Skip packages that were not successfully built or downloaded
+		// This can happen when a dependency build fails in a parallel goroutine
+		// but other goroutines continue due to the build lock mechanism
+		status := pkgstatus[p]
+		if status != PackageBuilt && status != PackageDownloaded {
+			buildctx.Reporter.PackageBuildLog(p, false, []byte(fmt.Sprintf("Skipping vulnerability scan for package %s (status: %s)\n", p.FullName(), status)))
+			continue
+		}
+
 		if !p.C.W.SBOM.Enabled {
 			errMsg := fmt.Append(nil, "SBOM feature is disabled, cannot scan for vulnerabilities")
 			buildctx.Reporter.PackageBuildLog(p, false, errMsg)
@@ -88,9 +101,10 @@ func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 
 		location, exists := buildctx.LocalCache.Location(p)
 		if !exists {
-			errMsg := fmt.Appendf(nil, "Package %s not found in local cache, cannot scan for vulnerabilities\n", p.FullName())
-			buildctx.Reporter.PackageBuildLog(p, false, errMsg)
-			return xerrors.Errorf(string(errMsg))
+			// This should not happen since we already filtered by build status,
+			// but handle it gracefully just in case
+			buildctx.Reporter.PackageBuildLog(p, false, []byte(fmt.Sprintf("Package %s not found in local cache, skipping vulnerability scan\n", p.FullName())))
+			continue
 		}
 
 		// Create temporary file for SBOM content
@@ -194,6 +208,8 @@ func scanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 // ScanAllPackagesForVulnerabilities provides a public API for scanning packages for vulnerabilities.
 // It creates a build context with the provided local cache and reporter, then calls the internal
 // scanAllPackagesForVulnerabilities function to perform the actual scanning.
+//
+// This function assumes all provided packages are already built and available in the local cache.
 func ScanAllPackagesForVulnerabilities(localCache cache.LocalCache, packages []*Package, customOutputDir ...string) error {
 	buildctx := &buildContext{
 		buildOptions: buildOptions{
@@ -202,7 +218,14 @@ func ScanAllPackagesForVulnerabilities(localCache cache.LocalCache, packages []*
 		},
 	}
 
-	return scanAllPackagesForVulnerabilities(buildctx, packages, customOutputDir...)
+	// Create a status map marking all packages as built (since this is a public API
+	// that expects packages to already be in cache)
+	pkgstatus := make(map[*Package]PackageBuildStatus)
+	for _, p := range packages {
+		pkgstatus[p] = PackageBuilt
+	}
+
+	return scanAllPackagesForVulnerabilities(buildctx, packages, pkgstatus, customOutputDir...)
 }
 
 // scanSBOMForVulnerabilities scans an SBOM file for vulnerabilities and generates reports.