Re: [PATCH v2] sbom-cve-check-common: print warnings on unpatched CVEs

[Benjamin Robin <benjamin.robin@bootlin.com>]

Hello Antonin,

Looks good to me. I have just a slight suggestion.

On Tuesday, April 21, 2026 at 3:01 PM, Antonin Godard wrote:
> The now removed cve-check class used to print warnings when CVEs with
> status "Unpatched" were found. Add this feature to the
> sbom-cve-check class with the same default value (enabled).
> 
> For now it only does so when the cvecheck report type is enabled. It may
> be possible to do the same for the SPDX report type.
> 
> Sample output:
> 
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: busybox-1.37.0: Found unpatched CVEs: CVE-2024-58251
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: expat-2.7.5: Found unpatched CVEs: CVE-2025-66382, CVE-2026-41080
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: glibc-2.43+git: Found unpatched CVEs: CVE-2010-4756, CVE-2026-4046
> 
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
> Changes in v2:
> - Apply suggestions from Paul
> - Link to v1: https://patch.msgid.link/20260421-sbom-cve-check-warnings-v1-1-df7861a0a0bc@bootlin.com
> ---
>  meta/classes/sbom-cve-check-common.bbclass | 30 ++++++++++++++++++++++++++++++
>  1 file changed, 30 insertions(+)
> 
> diff --git a/meta/classes/sbom-cve-check-common.bbclass b/meta/classes/sbom-cve-check-common.bbclass
> index 6963ad71c61..32c29a0ec2c 100644
> --- a/meta/classes/sbom-cve-check-common.bbclass
> +++ b/meta/classes/sbom-cve-check-common.bbclass
> @@ -48,6 +48,32 @@ SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES ?= " \
>      sbom-cve-check-update-nvd-native:do_patch \
>  "
>  
> +SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1"
> +SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched CVEs are found. \
> +Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled"
> +
> +def show_warnings_from_file(cvecheck_export_file):
> +    import json
> +
> +    try:
> +        with open(cvecheck_export_file, "r") as f:
> +            report = json.load(f)
> +    except (json.JSONDecodeError, UnicodeDecodeError) as e:
> +        bb.error(f"Failed to open JSON report file {f}: {e}")
> +        return
> +
> +    packages = report.get("package", [])
> +    for package in packages:
> +        unpatched = []
> +        cves = package.get("issue", [])
> +        for cve in cves:
> +            if cve["status"] == "Unpatched":
> +                unpatched.append(cve["id"])

A more Pythonic way of writing that is:

       for package in packages:
           cves = package.get("issue", [])
           unpatched = [cve["id"] for cve in cves if cve["status"] == "Unpatched"]

> +        if unpatched:
> +            pname = package["name"]
> +            version = package["version"]
> +            bb.warn(f"{pname}-{version}: Found unpatched CVEs: {', '.join(unpatched)}")
> +
>  def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
>      import os
>      import bb
> @@ -94,9 +120,13 @@ def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
>          bb.error(f"sbom-cve-check failed: {e}")
>          return
>  
> +    show_warnings = bb.utils.to_boolean(d.getVar("SBOM_CVE_CHECK_SHOW_WARNINGS"))
> +
>      for export_type, export_file, export_link in export_files:
>          bb.note(f"sbom-cve-check exported: {export_file}")
>          if export_link:
>              update_symlinks(export_file, export_link)
> +        if show_warnings and export_type == d.getVarFlag("SBOM_CVE_CHECK_EXPORT_CVECHECK", "type"):
> +            show_warnings_from_file(export_file)
>  
>  
> 
> ---
> base-commit: 9a83f0878b6bacbc7b322cfec076b4e79ad7b8fb
> change-id: 20260421-sbom-cve-check-warnings-408de9776bc0
> 
> 
> 
> 


-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com