From: Benjamin Robin <benjamin.robin@bootlin.com>
To: openembedded-core@lists.openembedded.org,
Ross Burton <ross.burton@arm.com>
Subject: Re: [RFC PATCH 3/3] sbom-cve-check: add prototype recipe scanning task
Date: Fri, 03 Apr 2026 10:24:39 +0200 [thread overview]
Message-ID: <1813900.QkHrqEjB74@brobin-bootlin> (raw)
In-Reply-To: <20260402162510.1945892-3-ross.burton@arm.com>
On Thursday, April 2, 2026 at 6:25 PM, Ross Burton wrote:
> Add a new task, sbom_cve_check_recipe, that will do a CVE scan of the
> SPDX for the specified recipe.
>
> This is mainly useful for top-level or aggregration packages (e.g.
> meta-world-recipe-sbom) as it follows dependencies, so running it on a
> single package (e.g. curl) will also show CVEs for its dependencies
> (e.g. zlib).
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
> meta/classes/sbom-cve-check.bbclass | 29 +++++++++++++++++++++++++++++
> 1 file changed, 29 insertions(+)
>
> diff --git a/meta/classes/sbom-cve-check.bbclass b/meta/classes/sbom-cve-check.bbclass
> index fef6f0c2aa..fc89ab9799 100644
> --- a/meta/classes/sbom-cve-check.bbclass
> +++ b/meta/classes/sbom-cve-check.bbclass
> @@ -94,6 +94,9 @@ def run_sbom_cve_check(d, recipe_name, link_name=None):
> update_symlinks(export_file, export_link)
>
>
> +#
> +# Scan the SBOM of an image.
> +#
> python do_sbom_cve_check() {
> """
> Task: Run sbom-cve-check analysis on SBOM.
> @@ -119,3 +122,29 @@ python do_sbom_cve_check_setscene() {
> sstate_setscene(d)
> }
> addtask do_sbom_cve_check_setscene
> +
> +
> +#
> +# Scan the SBOM of a recipe.
> +#
> +
> +python do_sbom_cve_check_recipe() {
> + recipe = d.getVar("SPDX_RECIPE_SBOM_NAME")
> + run_sbom_cve_check(d, recipe)
Call run_sbom_cve_check() with the path of the SPDX3 SBOM file that needs
to be analyzed.
> +}
> +
> +addtask do_sbom_cve_check_recipe after do_create_recipe_sbom
> +
> +SSTATETASKS += "do_sbom_cve_check_recipe"
> +do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
> +do_sbom_cve_check_recipe[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
> +do_sbom_cve_check_recipe[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
> +do_sbom_cve_check_recipe[depends] += " \
> + python3-sbom-cve-check-native:do_populate_sysroot \
> + sbom-cve-check-update-cvelist-native:do_unpack \
> + sbom-cve-check-update-nvd-native:do_unpack \
Maybe we should create a variable that contains the list of
sbom-cve-check-update-* database recipes dependencies. This way if an user
want to add a database, it could do it easily, and it does not need to
duplicate the configuration.
So I am proposing something like that:
SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES ?= " \
sbom-cve-check-update-cvelist-native:do_unpack \
sbom-cve-check-update-nvd-native:do_unpack \
"
do_sbom_cve_check_recipe[depends] += " \
python3-sbom-cve-check-native:do_populate_sysroot \
${SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES} \
"
> +"
> +python do_sbom_cve_check_recipe_setscene() {
> + sstate_setscene(d)
> +}
> +addtask do_sbom_cve_check_recipe_setscene
>
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
next prev parent reply other threads:[~2026-04-03 8:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-02 16:25 [RFC PATCH 1/3] sbom-cve-check: refactor do_sbom_cve_check Ross Burton
2026-04-02 16:25 ` [RFC PATCH 2/3] sbom-cve-check: move to classes from classes-recipe Ross Burton
2026-04-02 16:30 ` Patchtest results for " patchtest
2026-04-02 16:25 ` [RFC PATCH 3/3] sbom-cve-check: add prototype recipe scanning task Ross Burton
2026-04-03 8:24 ` Benjamin Robin [this message]
2026-04-03 8:19 ` [RFC PATCH 1/3] sbom-cve-check: refactor do_sbom_cve_check Benjamin Robin
2026-04-03 8:26 ` [OE-core] " Antonin Godard
2026-04-03 8:33 ` Benjamin Robin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1813900.QkHrqEjB74@brobin-bootlin \
--to=benjamin.robin@bootlin.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=ross.burton@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox