From 01cd3143b98d430d7e4a8a3be29d1a664f8db0ef Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 18 May 2026 22:49:14 +0000
Subject: [PATCH] chore: address review feedback for sbom scanner changes

Agent-Logs-Url: https://github.com/project-zot/zot/sessions/eb3437af-edc8-4846-a9d9-f92bfe579c1e
Co-authored-by: rchincha <45800463+rchincha@users.noreply.github.com>
---
 pkg/extensions/search/cve/trivy/scanner.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/extensions/search/cve/trivy/scanner.go b/pkg/extensions/search/cve/trivy/scanner.go
index 732defaf..32472151 100644
--- a/pkg/extensions/search/cve/trivy/scanner.go
+++ b/pkg/extensions/search/cve/trivy/scanner.go
@@ -307,7 +307,7 @@ func (scanner Scanner) runTrivy(ctx context.Context, opts flag.Options) (types.R
 }
 report := types.Report{}
- sbomContent := []byte(nil)
+ var sbomContent []byte
 err = scanner.withTempDir(func() error {
 runner, err := artifact.NewRunner(ctx, opts, artifact.TargetContainerImage)
@@ -562,6 +562,8 @@ func (scanner Scanner) scanManifest(ctx context.Context, repo, digest string) (m
 return cveidMap, err
 }
+ // SBOM persistence is best-effort: CVE scanning should still complete even if
+ // SBOM artifact upload fails.
 if err = scanner.storeSBOMAsOCIArtifact(repo, digest, sbomContent); err != nil {
 scanner.log.Warn().Err(err).Str("image", image).Msg("failed to store generated sbom as OCI artifact")
 }
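Review bot: The comment added in the second hunk (scanManifest) says SBOM persistence is best-effort, but it does not say what state that leaves behind: when `storeSBOMAsOCIArtifact` fails, the only visible trace is one Warn line, and the image presumably ends up with CVE results but no SBOM artifact. Since an SBOM is often consumed as supply-chain evidence, I would spell that out, e.g. `// On failure the image keeps its CVE results but has no SBOM artifact; the warning below is the only signal.` The call also appears to run whether or not `sbomContent` holds any bytes (runTrivy now declares it as a nil slice), so unless the callee already rejects empty input, a guard such as `if len(sbomContent) > 0` may be needed; the callee is not visible here. scanManifest's body starts and ends outside the hunk.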