Fix SBOM team permission handling (#1499)

ryanlink · ryan link · zlav · web-flow · commit c029a4135960 · 2025-01-30T10:19:39.000-06:00
* Fix SBOM team permission handling

- Include team information in SBOM analyze metadata
- Add test coverage for team-scoped permissions
- Update documentation to clarify team permission behavior

This change allows users with team-scoped permissions to use
fossa sbom analyze --team when they are members of the specified team,
matching the behavior of fossa analyze --team.

* delete test file because this is technically already tested

* add changelog

---------

Co-authored-by: ryan link &lt;ryanlink@ryans-mbp.lan&gt;
Co-authored-by: Zachary LaVallee &lt;zcjlavallee@gmail.com&gt;
diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,8 @@
 # FOSSA CLI Changelog
 
+## 3.9.45
+- Preflight: Fix a bug where the preflight checks fail for SBOM team analysis ([#1499](https://github.com/fossas/fossa-cli/pull/1499))
+
 ## 3.9.44
 - Preflight: Fix a bug where the preflight check could fail if you ran fossa multiple times simultaneously ([#1498](https://github.com/fossas/fossa-cli/pull/1498))
 
diff --git a/docs/references/subcommands/sbom.md b/docs/references/subcommands/sbom.md
@@ -23,9 +23,16 @@ In addition to the [usual FOSSA project flags](#common-fossa-project-flags) supp
 
 | Name                                  | Short | Description                                                                         |
 | ------------------------------------- | ----- | ----------------------------------------------------------------------------------- |
-| `--team 'team name'` | `-T` | Specify a team within your FOSSA organization |
+| `--team 'team name'` | `-T` | Specify a team within your FOSSA organization. If you only have team-scoped permissions, you must specify a team of which you are a member. |
 | `--force-rescan`  | | Force the SBOM file to be rescanned, even if this exact revision has been previously uploaded |
 
+### Team Permissions
+
+When using `fossa sbom analyze`, the command respects team-scoped permissions:
+- If you have organization-wide permissions, you can upload SBOMs without specifying a team
+- If you only have team-scoped permissions, you must use the `--team` flag to specify a team of which you are a member
+- The behavior matches that of `fossa analyze --team`
+
 ## `fossa sbom test <path to sbom file>`
 
 The `sbom test` command checks whether the most-recent scan of your FOSSA project raised license-policy or vulnerability issues. This command is usually run immediately after `fossa sbom analyze`.
diff --git a/src/App/Fossa/SBOM/Analyze.hs b/src/App/Fossa/SBOM/Analyze.hs
@@ -34,10 +34,10 @@ analyze ::
   SBOMAnalyzeConfig ->
   m ()
 analyze config = do
-  let emptyMetadata = ProjectMetadata Nothing Nothing Nothing Nothing Nothing Nothing [] Nothing
+  let metadata = ProjectMetadata Nothing Nothing Nothing Nothing (sbomTeam config) Nothing [] Nothing
   let apiOpts = sbomApiOpts config
   trackUsage SBOMAnalyzeUsage
-  void . runFossaApiClient apiOpts . preflightChecks $ AnalyzeChecks (sbomRevision config) emptyMetadata
+  void . runFossaApiClient apiOpts . preflightChecks $ AnalyzeChecks (sbomRevision config) metadata
   runFossaApiClient apiOpts . runStickyLogger (severity config) $ analyzeInternal config
 
 analyzeInternal ::
