From: Ross Burton <ross.burton@arm.com>
To: openembedded-core@lists.openembedded.org
Cc: benjamin.robin@bootlin.com
Subject: [RFC PATCH 3/3] sbom-cve-check: add prototype recipe scanning task
Date: Thu, 2 Apr 2026 17:25:10 +0100 [thread overview]
Message-ID: <20260402162510.1945892-3-ross.burton@arm.com> (raw)
In-Reply-To: <20260402162510.1945892-1-ross.burton@arm.com>
Add a new task, sbom_cve_check_recipe, that will do a CVE scan of the
SPDX for the specified recipe.
This is mainly useful for top-level or aggregration packages (e.g.
meta-world-recipe-sbom) as it follows dependencies, so running it on a
single package (e.g. curl) will also show CVEs for its dependencies
(e.g. zlib).
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
meta/classes/sbom-cve-check.bbclass | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/meta/classes/sbom-cve-check.bbclass b/meta/classes/sbom-cve-check.bbclass
index fef6f0c2aa..fc89ab9799 100644
--- a/meta/classes/sbom-cve-check.bbclass
+++ b/meta/classes/sbom-cve-check.bbclass
@@ -94,6 +94,9 @@ def run_sbom_cve_check(d, recipe_name, link_name=None):
update_symlinks(export_file, export_link)
+#
+# Scan the SBOM of an image.
+#
python do_sbom_cve_check() {
"""
Task: Run sbom-cve-check analysis on SBOM.
@@ -119,3 +122,29 @@ python do_sbom_cve_check_setscene() {
sstate_setscene(d)
}
addtask do_sbom_cve_check_setscene
+
+
+#
+# Scan the SBOM of a recipe.
+#
+
+python do_sbom_cve_check_recipe() {
+ recipe = d.getVar("SPDX_RECIPE_SBOM_NAME")
+ run_sbom_cve_check(d, recipe)
+}
+
+addtask do_sbom_cve_check_recipe after do_create_recipe_sbom
+
+SSTATETASKS += "do_sbom_cve_check_recipe"
+do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check_recipe[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check_recipe[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
+do_sbom_cve_check_recipe[depends] += " \
+ python3-sbom-cve-check-native:do_populate_sysroot \
+ sbom-cve-check-update-cvelist-native:do_unpack \
+ sbom-cve-check-update-nvd-native:do_unpack \
+"
+python do_sbom_cve_check_recipe_setscene() {
+ sstate_setscene(d)
+}
+addtask do_sbom_cve_check_recipe_setscene
--
2.47.1
next prev parent reply other threads:[~2026-04-02 16:25 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-02 16:25 [RFC PATCH 1/3] sbom-cve-check: refactor do_sbom_cve_check Ross Burton
2026-04-02 16:25 ` [RFC PATCH 2/3] sbom-cve-check: move to classes from classes-recipe Ross Burton
2026-04-02 16:30 ` Patchtest results for " patchtest
2026-04-02 16:25 ` Ross Burton [this message]
2026-04-03 8:24 ` [RFC PATCH 3/3] sbom-cve-check: add prototype recipe scanning task Benjamin Robin
2026-04-03 8:19 ` [RFC PATCH 1/3] sbom-cve-check: refactor do_sbom_cve_check Benjamin Robin
2026-04-03 8:26 ` [OE-core] " Antonin Godard
2026-04-03 8:33 ` Benjamin Robin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260402162510.1945892-3-ross.burton@arm.com \
--to=ross.burton@arm.com \
--cc=benjamin.robin@bootlin.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox