Currently the vulnerable dependency check is skipped when the SBOM is missing or empty. However, this returns empty vulnerable_sbom_packages by default which can lead to ambiguity about whether there were no vulnerable packages, or whether VDC was skipped. This issue is for returning None for the parent vulnerable_dependencies field to match behavior in PR #109 when the VDC is skipped.
Currently the vulnerable dependency check is skipped when the SBOM is missing or empty. However, this returns empty
vulnerable_sbom_packagesby default which can lead to ambiguity about whether there were no vulnerable packages, or whether VDC was skipped. This issue is for returning None for the parentvulnerable_dependenciesfield to match behavior in PR #109 when the VDC is skipped.