First of all, I'm sorry if this is not the right place to file this as it's more about the JSON schema for the submissions API, but I could not find a more fitting project to file this for.
Coming from here my ask is to add a field to the JSON body of the submission API that can be used to document any failures during dependency resolution.
Because currently, there seems to be no way to indicate to the API that the dependency resolution process that created the JSON might have been unable to resolve some dependencies (maybe due to temporary network issues), and thus the list of submitted dependencies might be incomplete. This is a problem if the user relies on the dependencies and resulting SBOM to be complete. On the other hand, not submitting the dependency graph at all if just a single dependency failed to resolve (maybe also due to misconfiguration on the project side) is probably not a good solution either.
So IMO the best solution is to simply be transparent and allow the dependency resolver to say so if there were any issues in dependency resolution. The GitHub web UI could then show these errors as part of the dependency graph so that he user knows to take the results "with a grain of salt".
First of all, I'm sorry if this is not the right place to file this as it's more about the JSON schema for the submissions API, but I could not find a more fitting project to file this for.
Coming from here my ask is to add a field to the JSON body of the submission API that can be used to document any failures during dependency resolution.
Because currently, there seems to be no way to indicate to the API that the dependency resolution process that created the JSON might have been unable to resolve some dependencies (maybe due to temporary network issues), and thus the list of submitted dependencies might be incomplete. This is a problem if the user relies on the dependencies and resulting SBOM to be complete. On the other hand, not submitting the dependency graph at all if just a single dependency failed to resolve (maybe also due to misconfiguration on the project side) is probably not a good solution either.
So IMO the best solution is to simply be transparent and allow the dependency resolver to say so if there were any issues in dependency resolution. The GitHub web UI could then show these errors as part of the dependency graph so that he user knows to take the results "with a grain of salt".