[PATCH v3 0/6] sbom-cve-check: add CVE analysis tool and class

[PATCH v3 0/6] sbom-cve-check: add CVE analysis tool and class

[Benjamin Robin]

This patch series introduces the `sbom-cve-check` tool and its
dependencies. The tool requires `python3-spdx-python-model`, which has
the following build-time dependencies (not required at runtime):
- `python3-hatch-build-scripts`
- `python3-shacl2code`

Additionally, this series includes a post-build CVE analysis class,
similar to the existing `cve-check` functionality.

`sbom-cve-check` is a lightweight SBOM CVE analysis tool, which
supports SBOMs in SPDX 2.2 or SPDX 3.0 formats. The tool is designed as
an efficient replacement for the `cve-check` logic currently available
in Yocto Project. It fetches data from multiple databases, including NVD
and the CVE List, and supports various annotation formats, such as
OpenVEX and the Yocto Project's custom VEX manifest.

For export, `sbom-cve-check` can generate a SPDX 3.0 file, a
`cve-check`-compatible JSON file, and a summary report that lists all
vulnerabilities per component, styled similarly to the output of the
Yocto Project's `cve-check` class.

For more context on the inclusion of `sbom-cve-check` in OpenEmbedded
Core, see the discussion [1].

For detailed documentation about `sbom-cve-check`, visit [2].

After the inclusion of SPDX3 Joshua changes ("Add SPDX 3 Recipe
Information") in OE-Core [3], and after the release of sbom-cve-check
1.2.0, I am going to submit a very small follow-up series.

[1] https://lists.openembedded.org/g/openembedded-core/topic/117638558
[2] https://sbom-cve-check.readthedocs.io/
[3] https://lists.openembedded.org/g/openembedded-core/message/231519

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
Changes in v3:
- Improve first commit message about sorting maintainers.inc.
- Add missing maintainers information for sbom-cve-check-update-*-native
  recipes...
- Link to v2: https://lore.kernel.org/r/20260225-add-sbom-cve-check-v2-0-eeffa285b901@bootlin.com

Changes in v2:
- Sort maintainers.inc list in alphabetical order.
- Add missing maintainers information for new recipes.
- python3-spdx-python-model depends on native shacl2code and
  hatch-build-scripts recipes.
- Link to v1: https://lore.kernel.org/r/20260224-add-sbom-cve-check-v1-0-1c76fbd7f01b@bootlin.com

---
Benjamin Robin (6):
      maintainers.inc: Sort list in alphabetical order
      python3-shacl2code: add recipe
      python3-hatch-build-scripts: add recipe
      python3-spdx-python-model: add recipe
      sbom-cve-check: add recipe
      sbom-cve-check.bbclass: Add class for post-build CVE analysis

 .../sbom-cve-check-update-db.bbclass               | 87 ++++++++++++++++++++
 meta/classes-recipe/sbom-cve-check.bbclass         | 96 ++++++++++++++++++++++
 meta/conf/distro/include/maintainers.inc           | 74 +++++++++--------
 .../meta/sbom-cve-check-update-cvelist-native.bb   |  7 ++
 .../meta/sbom-cve-check-update-nvd-native.bb       |  7 ++
 .../python/python3-hatch-build-scripts_1.0.0.bb    | 12 +++
 .../python/python3-sbom-cve-check_1.1.0.bb         | 17 ++++
 .../python/python3-shacl2code_0.0.24.bb            | 17 ++++
 ...enerate-bindings-allow-to-use-local-files.patch | 58 +++++++++++++
 .../python/python3-spdx-python-model_0.0.4.bb      | 37 +++++++++
 10 files changed, 378 insertions(+), 34 deletions(-)
---
base-commit: c0c2339a52c689be13c96b66c54b11aed227ca04
change-id: 20260223-add-sbom-cve-check-f34614b147dc

Best regards,
-- 
Benjamin Robin <benjamin.robin@bootlin.com>

[PATCH v3 1/6] maintainers.inc: Sort list in alphabetical order

[Benjamin Robin]

No modification was realized except sorting the content of the file.
This way this is easier to add an entry; we just have to add a line
into maintainers.inc file, and sort it again.

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 meta/conf/distro/include/maintainers.inc | 68 ++++++++++++++++----------------
 1 file changed, 34 insertions(+), 34 deletions(-)

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index b5ab35d92a06..1a3490d6d625 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -67,8 +67,8 @@ RECIPE_MAINTAINER:pn-bindgen-cli = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-binutils = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-binutils-cross-${TARGET_ARCH} = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-binutils-cross-canadian-${TRANSLATED_TARGET_ARCH} = "Khem Raj <raj.khem@gmail.com>"
-RECIPE_MAINTAINER:pn-binutils-testsuite = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-binutils-crosssdk-${SDK_SYS} = "Khem Raj <raj.khem@gmail.com>"
+RECIPE_MAINTAINER:pn-binutils-testsuite = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-bison = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-blktrace = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-blueprint-compiler = "Liu Yiding <liuyd.fnst@fujitsu.com>"
@@ -82,18 +82,18 @@ RECIPE_MAINTAINER:pn-btrfs-tools = "Wang Mingyu <wangmy@fujitsu.com>"
 RECIPE_MAINTAINER:pn-build-appliance-image = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-build-sysroots = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-builder = "Richard Purdie <richard.purdie@linuxfoundation.org>"
-RECIPE_MAINTAINER:pn-buildtools-extended-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
-RECIPE_MAINTAINER:pn-buildtools-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-buildtools-docs-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
+RECIPE_MAINTAINER:pn-buildtools-extended-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-buildtools-make-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
+RECIPE_MAINTAINER:pn-buildtools-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-busybox = "Andrej Valek <andrej.v@skyrain.eu>"
 RECIPE_MAINTAINER:pn-busybox-inittab = "Denys Dmytriyenko <denis@denix.org>"
 RECIPE_MAINTAINER:pn-bzip2 = "Denys Dmytriyenko <denis@denix.org>"
 RECIPE_MAINTAINER:pn-ca-certificates = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-cairo = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-cantarell-fonts = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-cargo = "Randy MacLeod <Randy.MacLeod@windriver.com>"
 RECIPE_MAINTAINER:pn-cargo-c = "Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>"
-RECIPE_MAINTAINER:pn-cantarell-fonts = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-ccache = "Robert Yang <liezhi.yang@windriver.com>"
 RECIPE_MAINTAINER:pn-cdrtools-native = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-chrpath = "Yi Zhao <yi.zhao@windriver.com>"
@@ -110,24 +110,24 @@ RECIPE_MAINTAINER:pn-connman-conf = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-connman-gnome = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-consolekit = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-core-image-base = "Richard Purdie <richard.purdie@linuxfoundation.org>"
+RECIPE_MAINTAINER:pn-core-image-full-cmdline = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-core-image-initramfs-boot = "Ross Burton <ross.burton@arm.com>"
+RECIPE_MAINTAINER:pn-core-image-kernel-dev = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-core-image-minimal = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-core-image-minimal-dev = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-core-image-minimal-initramfs = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-core-image-minimal-mtdutils = "Richard Purdie <richard.purdie@linuxfoundation.org>"
-RECIPE_MAINTAINER:pn-core-image-tiny-initramfs = "Richard Purdie <richard.purdie@linuxfoundation.org>"
-RECIPE_MAINTAINER:pn-core-image-full-cmdline = "Richard Purdie <richard.purdie@linuxfoundation.org>"
-RECIPE_MAINTAINER:pn-core-image-kernel-dev = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-core-image-ptest-all = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-core-image-ptest-fast = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-core-image-sato = "Richard Purdie <richard.purdie@linuxfoundation.org>"
+RECIPE_MAINTAINER:pn-core-image-sato-dev = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-core-image-sato-sdk = "Richard Purdie <richard.purdie@linuxfoundation.org>"
-RECIPE_MAINTAINER:pn-core-image-testcontroller-initramfs = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-core-image-testcontroller = "Richard Purdie <richard.purdie@linuxfoundation.org>"
+RECIPE_MAINTAINER:pn-core-image-testcontroller-initramfs = "Richard Purdie <richard.purdie@linuxfoundation.org>"
+RECIPE_MAINTAINER:pn-core-image-tiny-initramfs = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-core-image-weston = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-core-image-weston-sdk = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-core-image-x11 = "Richard Purdie <richard.purdie@linuxfoundation.org>"
-RECIPE_MAINTAINER:pn-core-image-sato-dev = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-coreutils = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-cpio = "Denys Dmytriyenko <denis@denix.org>"
 RECIPE_MAINTAINER:pn-cracklib = "Unassigned <unassigned@yoctoproject.org>"
@@ -167,8 +167,8 @@ RECIPE_MAINTAINER:pn-dtc = "Wang Mingyu <wangmy@fujitsu.com>"
 RECIPE_MAINTAINER:pn-dwarfsrcfiles = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-e2fsprogs = "Robert Yang <liezhi.yang@windriver.com>"
 RECIPE_MAINTAINER:pn-ed = "Unassigned <unassigned@yoctoproject.org>"
-RECIPE_MAINTAINER:pn-efivar = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-efibootmgr = "Ross Burton <ross.burton@arm.com>"
+RECIPE_MAINTAINER:pn-efivar = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-elfutils = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-ell = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-enchant2 = "Unassigned <unassigned@yoctoproject.org>"
@@ -179,8 +179,8 @@ RECIPE_MAINTAINER:pn-ethtool = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-eudev = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-expat = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-expect = "Unassigned <unassigned@yoctoproject.org>"
-RECIPE_MAINTAINER:pn-ffmpeg = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-fastfloat = "Markus Volk <f_l_k@t-online.de>"
+RECIPE_MAINTAINER:pn-ffmpeg = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-file = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-findutils = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-flac = "Michael Opdenacker <michael.opdenacker@rootcommit.com>"
@@ -201,6 +201,7 @@ RECIPE_MAINTAINER:pn-gcc-crosssdk-${SDK_SYS} = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-gcc-runtime = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-gcc-sanitizers = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-gcc-source-15.2.0 = "Khem Raj <raj.khem@gmail.com>"
+RECIPE_MAINTAINER:pn-gcompat = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-gconf = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-gcr = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-gdb = "Khem Raj <raj.khem@gmail.com>"
@@ -222,8 +223,8 @@ RECIPE_MAINTAINER:pn-glibc-locale = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-glibc-mtrace = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-glibc-scripts = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-glibc-testsuite = "Khem Raj <raj.khem@gmail.com>"
-RECIPE_MAINTAINER:pn-gmp = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-glslang = "Jose Quaresma <quaresma.jose@gmail.com>"
+RECIPE_MAINTAINER:pn-gmp = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-gn = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-gnome-desktop-testing = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-gnu-config = "Robert Yang <liezhi.yang@windriver.com>"
@@ -241,7 +242,6 @@ RECIPE_MAINTAINER:pn-gobject-introspection = "Unassigned <unassigned@yoctoprojec
 RECIPE_MAINTAINER:pn-gperf = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-gpgme = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-gptfdisk = "Unassigned <unassigned@yoctoproject.org>"
-RECIPE_MAINTAINER:pn-gcompat = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-graphene = "Markus Volk <f_l_k@t-online.de>"
 RECIPE_MAINTAINER:pn-grep = "Denys Dmytriyenko <denis@denix.org>"
 RECIPE_MAINTAINER:pn-groff = "Hongxu Jia <hongxu.jia@windriver.com>"
@@ -262,8 +262,8 @@ RECIPE_MAINTAINER:pn-gstreamer1.0-python = "Unassigned <unassigned@yoctoproject.
 RECIPE_MAINTAINER:pn-gstreamer1.0-rtsp-server = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-gstreamer1.0-vaapi = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-gtk+3 = "Ross Burton <ross.burton@arm.com>"
-RECIPE_MAINTAINER:pn-gtk4 = "Markus Volk <f_l_k@t-online.de>"
 RECIPE_MAINTAINER:pn-gtk-doc = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-gtk4 = "Markus Volk <f_l_k@t-online.de>"
 RECIPE_MAINTAINER:pn-gzip = "Denys Dmytriyenko <denis@denix.org>"
 RECIPE_MAINTAINER:pn-harfbuzz = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-hdparm = "Denys Dmytriyenko <denis@denix.org>"
@@ -298,7 +298,6 @@ RECIPE_MAINTAINER:pn-iputils = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-iso-codes = "Wang Mingyu <wangmy@cn.fujitsu.com>"
 RECIPE_MAINTAINER:pn-itstool = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-iw = "Unassigned <unassigned@yoctoproject.org>"
-RECIPE_MAINTAINER:pn-libjpeg-turbo = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-json-c = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-json-glib = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-kbd = "Unassigned <unassigned@yoctoproject.org>"
@@ -354,8 +353,8 @@ RECIPE_MAINTAINER:pn-libgcrypt = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-libgfortran = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-libgit2 = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libgloss = "Alejandro Hernandez <alejandro@enedino.org>"
-RECIPE_MAINTAINER:pn-libglvnd = "Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>"
 RECIPE_MAINTAINER:pn-libglu = "Ross Burton <ross.burton@arm.com>"
+RECIPE_MAINTAINER:pn-libglvnd = "Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>"
 RECIPE_MAINTAINER:pn-libgpg-error = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-libgudev = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-libhandy = "Unassigned <unassigned@yoctoproject.org>"
@@ -364,14 +363,15 @@ RECIPE_MAINTAINER:pn-libice = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libidn2 = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-libinput = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-libjitterentropy = "Ross Burton <ross.burton@arm.com>"
+RECIPE_MAINTAINER:pn-libjpeg-turbo = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libksba = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libmatchbox = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-libmd = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libmicrohttpd = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libmnl = "Khem Raj <raj.khem@gmail.com>"
-RECIPE_MAINTAINER:pn-libmpc = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-libmodule-build-perl = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-libmodulemd = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-libmpc = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-libnl = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libnotify = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libnsl2 = "Khem Raj <raj.khem@gmail.com>"
@@ -386,12 +386,11 @@ RECIPE_MAINTAINER:pn-libpipeline = "Wang Mingyu <wangmy@fujitsu.com>"
 RECIPE_MAINTAINER:pn-libpng = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libportal = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libproxy = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-libpsl = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libpthread-stubs = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libptytty = "Unassigned <unassigned@yoctoproject.org>"
-RECIPE_MAINTAINER:pn-libpsl = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-librepo = "Wang Mingyu <wangmy@fujitsu.com>"
 RECIPE_MAINTAINER:pn-librsvg = "Unassigned <unassigned@yoctoproject.org>"
-RECIPE_MAINTAINER:pn-libstd-rs = "Randy MacLeod <Randy.MacLeod@windriver.com>"
 RECIPE_MAINTAINER:pn-libsamplerate0 = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libsass = "Simone Weiß <simone.p.weiss@posteo.com>"
 RECIPE_MAINTAINER:pn-libsdl2 = "Yi Zhao <yi.zhao@windriver.com>"
@@ -404,6 +403,7 @@ RECIPE_MAINTAINER:pn-libsolv = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libsoup = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libssh2 = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libssp-nonshared = "Khem Raj <raj.khem@gmail.com>"
+RECIPE_MAINTAINER:pn-libstd-rs = "Randy MacLeod <Randy.MacLeod@windriver.com>"
 RECIPE_MAINTAINER:pn-libtasn1 = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libtest-fatal-perl = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-libtest-needs-perl = "Tim Orling <tim.orling@konsulko.com>"
@@ -416,12 +416,12 @@ RECIPE_MAINTAINER:pn-libtool-cross = "Robert Yang <liezhi.yang@windriver.com>"
 RECIPE_MAINTAINER:pn-libtool-native = "Robert Yang <liezhi.yang@windriver.com>"
 RECIPE_MAINTAINER:pn-libtraceevent = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-libtry-tiny-perl = "Tim Orling <tim.orling@konsulko.com>"
+RECIPE_MAINTAINER:pn-libubootenv = "Stefano Babic <sbabic@nabladev.com>"
 RECIPE_MAINTAINER:pn-libucontext = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-libunistring = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libunwind = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-liburcu = "Wang Mingyu <wangmy@fujitsu.com>"
 RECIPE_MAINTAINER:pn-libusb1 = "Unassigned <unassigned@yoctoproject.org>"
-RECIPE_MAINTAINER:pn-libubootenv = "Stefano Babic <sbabic@nabladev.com>"
 RECIPE_MAINTAINER:pn-libuv = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libva = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libva-initial = "Unassigned <unassigned@yoctoproject.org>"
@@ -433,11 +433,11 @@ RECIPE_MAINTAINER:pn-libx11 = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libx11-compose-data = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libxau = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libxcb = "Unassigned <unassigned@yoctoproject.org>"
-RECIPE_MAINTAINER:pn-libxcvt = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libxcomposite = "Unassigned <unassigned@yoctoproject.org>"
-RECIPE_MAINTAINER:pn-libxcursor = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libxcrypt = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-libxcrypt-compat = "Khem Raj <raj.khem@gmail.com>"
+RECIPE_MAINTAINER:pn-libxcursor = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-libxcvt = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libxdamage = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libxdmcp = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libxext = "Unassigned <unassigned@yoctoproject.org>"
@@ -473,20 +473,20 @@ RECIPE_MAINTAINER:pn-libxxf86vm = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-libyaml = "Wang Mingyu <wangmy@fujitsu.com>"
 RECIPE_MAINTAINER:pn-lighttpd = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned <unassigned@yoctoproject.org>"
-RECIPE_MAINTAINER:pn-linux-yocto-fitimage = "Adrian Freihofer <adrian.freihofer@siemens.com>"
 RECIPE_MAINTAINER:pn-linux-firmware = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield <bruce.ashfield@gmail.com>"
+RECIPE_MAINTAINER:pn-linux-yocto-fitimage = "Adrian Freihofer <adrian.freihofer@siemens.com>"
 RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-linux-yocto-tiny = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-lld = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-lldb = "Khem Raj <raj.khem@gmail.com>"
+RECIPE_MAINTAINER:pn-llvm = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-llvm-project-source-21.1.8 = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-llvm-tblgen-native = "Khem Raj <raj.khem@gmail.com>"
-RECIPE_MAINTAINER:pn-llvm = "Khem Raj <raj.khem@gmail.com>"
-RECIPE_MAINTAINER:pn-logrotate = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-log4cplus = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-logrotate = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-lrzsz = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-lsb-release = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-lsof = "Ross Burton <ross.burton@arm.com>"
@@ -496,17 +496,17 @@ RECIPE_MAINTAINER:pn-lttng-tools = "Richard Purdie <richard.purdie@linuxfoundati
 RECIPE_MAINTAINER:pn-lttng-ust = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-lua = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-lz4 = "Denys Dmytriyenko <denis@denix.org>"
-RECIPE_MAINTAINER:pn-lzo = "Denys Dmytriyenko <denis@denix.org>"
 RECIPE_MAINTAINER:pn-lzip = "Denys Dmytriyenko <denis@denix.org>"
 RECIPE_MAINTAINER:pn-lzlib = "Denys Dmytriyenko <denis@denix.org>"
+RECIPE_MAINTAINER:pn-lzo = "Denys Dmytriyenko <denis@denix.org>"
 RECIPE_MAINTAINER:pn-lzop = "Marek Vasut <marex@denx.de>"
 RECIPE_MAINTAINER:pn-m4 = "Robert Yang <liezhi.yang@windriver.com>"
 RECIPE_MAINTAINER:pn-m4-native = "Robert Yang <liezhi.yang@windriver.com>"
 RECIPE_MAINTAINER:pn-make = "Robert Yang <liezhi.yang@windriver.com>"
+RECIPE_MAINTAINER:pn-make-mod-scripts = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-makedepend = "Robert Yang <liezhi.yang@windriver.com>"
 RECIPE_MAINTAINER:pn-makedevs = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-makedumpfile = "Etienne Cordonnier <ecordonnier@snap.com>"
-RECIPE_MAINTAINER:pn-make-mod-scripts = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-man-db = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-man-pages = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-matchbox-config-gtk = "Ross Burton <ross.burton@arm.com>"
@@ -557,12 +557,12 @@ RECIPE_MAINTAINER:pn-nativesdk-libtool = "Richard Purdie <richard.purdie@linuxfo
 RECIPE_MAINTAINER:pn-nativesdk-packagegroup-sdk-host = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-nativesdk-qemu-helper = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-nativesdk-sdk-provides-dummy = "Richard Purdie <richard.purdie@linuxfoundation.org>"
-RECIPE_MAINTAINER:pn-newlib = "Alejandro Hernandez <alejandro@enedino.org>"
 RECIPE_MAINTAINER:pn-ncurses = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-neard = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-net-tools = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-netbase = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-nettle = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-newlib = "Alejandro Hernandez <alejandro@enedino.org>"
 RECIPE_MAINTAINER:pn-nfs-export-root = "Robert Yang <liezhi.yang@windriver.com>"
 RECIPE_MAINTAINER:pn-nfs-utils = "Robert Yang <liezhi.yang@windriver.com>"
 RECIPE_MAINTAINER:pn-nghttp2 = "Unassigned <unassigned@yoctoproject.org>"
@@ -741,10 +741,10 @@ RECIPE_MAINTAINER:pn-python3-testtools = "Trevor Gamblin <tgamblin@baylibre.com>
 RECIPE_MAINTAINER:pn-python3-trove-classifiers = "Trevor Gamblin <tgamblin@baylibre.com>"
 RECIPE_MAINTAINER:pn-python3-typing-extensions = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-typogrify = "Trevor Gamblin <tgamblin@baylibre.com>"
-RECIPE_MAINTAINER:pn-python3-uv-build = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-python3-unittest-automake-output = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-python3-uritools = "Marta Rybczynska <marta.rybczynska@ygreky.com>"
 RECIPE_MAINTAINER:pn-python3-urllib3 = "Tim Orling <tim.orling@konsulko.com>"
+RECIPE_MAINTAINER:pn-python3-uv-build = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-python3-vcversioner = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-python3-wcwidth = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-webcolors = "Bruce Ashfield <bruce.ashfield@gmail.com>"
@@ -766,8 +766,8 @@ RECIPE_MAINTAINER:pn-readline = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-repo = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-resolvconf = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-rgb = "Unassigned <unassigned@yoctoproject.org>"
-RECIPE_MAINTAINER:pn-rpcbind = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-rng-tools = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-rpcbind = "Hongxu Jia <hongxu.jia@windriver.com>"
 RECIPE_MAINTAINER:pn-rpcsvc-proto = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER:pn-rpm = "Robert Yang <liezhi.yang@windriver.com>"
 RECIPE_MAINTAINER:pn-rpm-sequoia = "Zoltán Böszörményi <zboszor@gmail.com>"
@@ -780,8 +780,8 @@ RECIPE_MAINTAINER:pn-rust = "Randy MacLeod <Randy.MacLeod@windriver.com>"
 RECIPE_MAINTAINER:pn-rust-cross-canadian-${TRANSLATED_TARGET_ARCH} = "Randy MacLeod <Randy.MacLeod@windriver.com>"
 RECIPE_MAINTAINER:pn-rxvt-unicode = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-sassc = "Simone Weiß <simone.p.weiss@posteo.com>"
-RECIPE_MAINTAINER:pn-sato-screenshot = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-sato-icon-theme = "Richard Purdie <richard.purdie@linuxfoundation.org>"
+RECIPE_MAINTAINER:pn-sato-screenshot = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-sbc = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-scdoc = "Alex Kiernan <alex.kiernan@gmail.com>"
 RECIPE_MAINTAINER:pn-screen = "Unassigned <unassigned@yoctoproject.org>"
@@ -790,10 +790,10 @@ RECIPE_MAINTAINER:pn-sed = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-serf = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-setserial = "Yi Zhao <yi.zhao@windriver.com>"
 RECIPE_MAINTAINER:pn-settings-daemon = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-shaderc = "Jose Quaresma <quaresma.jose@gmail.com>"
 RECIPE_MAINTAINER:pn-shadow = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-shadow-securetty = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-shadow-sysroot = "Chen Qi <Qi.Chen@windriver.com>"
-RECIPE_MAINTAINER:pn-shaderc = "Jose Quaresma <quaresma.jose@gmail.com>"
 RECIPE_MAINTAINER:pn-shared-mime-info = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-shutdown-desktop = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-signing-keys = "Richard Purdie <richard.purdie@linuxfoundation.org>"
@@ -819,9 +819,9 @@ RECIPE_MAINTAINER:pn-syslinux = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-sysstat = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-systemd = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-systemd-boot = "Chen Qi <Qi.Chen@windriver.com>"
+RECIPE_MAINTAINER:pn-systemd-boot-native = "Viswanath Kraleti <quic_vkraleti@quicinc.com>"
 RECIPE_MAINTAINER:pn-systemd-bootchart = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-systemd-bootconf = "Chen Qi <Qi.Chen@windriver.com>"
-RECIPE_MAINTAINER:pn-systemd-boot-native = "Viswanath Kraleti <quic_vkraleti@quicinc.com>"
 RECIPE_MAINTAINER:pn-systemd-conf = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-systemd-machine-units = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-systemd-serialgetty = "Chen Qi <Qi.Chen@windriver.com>"
@@ -854,10 +854,10 @@ RECIPE_MAINTAINER:pn-uninative-tarball = "Richard Purdie <richard.purdie@linuxfo
 RECIPE_MAINTAINER:pn-unzip = "Denys Dmytriyenko <denis@denix.org>"
 RECIPE_MAINTAINER:pn-update-rc.d = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-usbutils = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-utfcpp = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-util-linux = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-util-linux-libuuid = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER:pn-util-macros = "Unassigned <unassigned@yoctoproject.org>"
-RECIPE_MAINTAINER:pn-utfcpp = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-v86d = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-vala = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-valgrind = "Mingli Yu <mingli.yu@windriver.com>"

-- 
2.53.0

[PATCH v3 2/6] python3-shacl2code: add recipe

[Benjamin Robin]

 - Build dependency of python3-spdx-python-model.
 - Part of the dependency chain for sbom-cve-check

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 meta/conf/distro/include/maintainers.inc                |  1 +
 .../python/python3-shacl2code_0.0.24.bb                 | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 1a3490d6d625..b3913a04140c 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -718,6 +718,7 @@ RECIPE_MAINTAINER:pn-python3-semantic-version = "Tim Orling <tim.orling@konsulko
 RECIPE_MAINTAINER:pn-python3-setuptools = "Trevor Gamblin <tgamblin@baylibre.com>"
 RECIPE_MAINTAINER:pn-python3-setuptools-rust = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-setuptools-scm = "Trevor Gamblin <tgamblin@baylibre.com>"
+RECIPE_MAINTAINER:pn-python3-shacl2code = "Benjamin Robin <benjamin.robin@bootlin.com>"
 RECIPE_MAINTAINER:pn-python3-six = "Trevor Gamblin <tgamblin@baylibre.com>"
 RECIPE_MAINTAINER:pn-python3-smartypants = "Trevor Gamblin <tgamblin@baylibre.com>"
 RECIPE_MAINTAINER:pn-python3-smmap = "Trevor Gamblin <tgamblin@baylibre.com>"
diff --git a/meta/recipes-devtools/python/python3-shacl2code_0.0.24.bb b/meta/recipes-devtools/python/python3-shacl2code_0.0.24.bb
new file mode 100644
index 000000000000..93ed9a253040
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-shacl2code_0.0.24.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Convert SHACL model to code bindings"
+HOMEPAGE = "https://pypi.org/project/shacl2code/"
+SECTION = "devel/python"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=0582f358628f299f29c23bf5fb2f73c9"
+
+PYPI_PACKAGE = "shacl2code"
+SRC_URI[sha256sum] = "d8b511054ca564b4514b9186ece7f5eb8048cfc5daa6625def1a3adba13c4f66"
+
+inherit pypi python_hatchling
+
+RDEPENDS:${PN} += " \
+    python3-jinja2 \
+    python3-rdflib \
+"
+
+BBCLASSEXTEND = "native nativesdk"

-- 
2.53.0

[PATCH v3 3/6] python3-hatch-build-scripts: add recipe

[Benjamin Robin]

 - Build dependency of python3-spdx-python-model.
 - Part of the dependency chain for sbom-cve-check

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 meta/conf/distro/include/maintainers.inc                     |  1 +
 .../python/python3-hatch-build-scripts_1.0.0.bb              | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index b3913a04140c..d65960f8e1bc 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -649,6 +649,7 @@ RECIPE_MAINTAINER:pn-python3-extras = "Trevor Gamblin <tgamblin@baylibre.com>"
 RECIPE_MAINTAINER:pn-python3-flit-core = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-git = "Trevor Gamblin <tgamblin@baylibre.com>"
 RECIPE_MAINTAINER:pn-python3-gitdb = "Trevor Gamblin <tgamblin@baylibre.com>"
+RECIPE_MAINTAINER:pn-python3-hatch-build-scripts = "Benjamin Robin <benjamin.robin@bootlin.com>"
 RECIPE_MAINTAINER:pn-python3-hatch-fancy-pypi-readme = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-python3-hatch-vcs = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-python3-hatchling = "Ross Burton <ross.burton@arm.com>"
diff --git a/meta/recipes-devtools/python/python3-hatch-build-scripts_1.0.0.bb b/meta/recipes-devtools/python/python3-hatch-build-scripts_1.0.0.bb
new file mode 100644
index 000000000000..ba7d8b40ffc5
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-hatch-build-scripts_1.0.0.bb
@@ -0,0 +1,12 @@
+SUMMARY = "A plugin for Hatch that runs build scripts and saves their artifacts"
+HOMEPAGE = "https://pypi.org/project/hatch_build_scripts/"
+SECTION = "devel/python"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=9ad584cda56221c7eaf48c23a5874a2a"
+
+PYPI_PACKAGE = "hatch_build_scripts"
+SRC_URI[sha256sum] = "563735e2f265c9e1b92dece6f762309114505ffaf6e5d51d462eb6a3b4f14640"
+
+inherit pypi python_hatchling
+
+BBCLASSEXTEND = "native nativesdk"

-- 
2.53.0

[PATCH v3 4/6] python3-spdx-python-model: add recipe

[Benjamin Robin]

 - Part of the dependency chain for sbom-cve-check

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 meta/conf/distro/include/maintainers.inc           |  1 +
 ...enerate-bindings-allow-to-use-local-files.patch | 58 ++++++++++++++++++++++
 .../python/python3-spdx-python-model_0.0.4.bb      | 37 ++++++++++++++
 3 files changed, 96 insertions(+)

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index d65960f8e1bc..3bc1d00bc1c7 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -725,6 +725,7 @@ RECIPE_MAINTAINER:pn-python3-smartypants = "Trevor Gamblin <tgamblin@baylibre.co
 RECIPE_MAINTAINER:pn-python3-smmap = "Trevor Gamblin <tgamblin@baylibre.com>"
 RECIPE_MAINTAINER:pn-python3-snowballstemmer = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-sortedcontainers = "Tim Orling <tim.orling@konsulko.com>"
+RECIPE_MAINTAINER:pn-python3-spdx-python-model = "Benjamin Robin <benjamin.robin@bootlin.com>"
 RECIPE_MAINTAINER:pn-python3-spdx-tools = "Marta Rybczynska <marta.rybczynska@ygreky.com>"
 RECIPE_MAINTAINER:pn-python3-sphinx = "Trevor Gamblin <tgamblin@baylibre.com>"
 RECIPE_MAINTAINER:pn-python3-sphinx-argparse = "Antonin Godard <antonin.godard@bootlin.com>"
diff --git a/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch b/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch
new file mode 100644
index 000000000000..ec24d7beb3c5
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch
@@ -0,0 +1,58 @@
+From 9fb565a0a70c6985fa1efde13cfe7fb4851588ce Mon Sep 17 00:00:00 2001
+From: Benjamin Robin <benjamin.robin@bootlin.com>
+Date: Tue, 24 Feb 2026 10:59:25 +0100
+Subject: [PATCH] generate-bindings: allow to use local files
+
+shacl2code needs to download the following URLs during build time:
+ - https://spdx.org/rdf/3.0.1/spdx-model.ttl
+ - https://spdx.org/rdf/3.0.1/spdx-json-serialize-annotations.ttl
+ - https://spdx.org/rdf/3.0.1/spdx-context.jsonld
+
+There are a lot of package build tools that do not allow to download
+a file during the build. So provide a way to use local file:
+If the environment variable SHACL2CODE_SPDX_DIR is defined, load
+the SPDX model and SPDX context from the directory specified by this
+environment variable.
+
+Upstream-Status: Submitted [https://github.com/spdx/spdx-python-model/pull/19]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ gen/generate-bindings | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/gen/generate-bindings b/gen/generate-bindings
+index b963c55a3bc9..bc7041ee3bb9 100755
+--- a/gen/generate-bindings
++++ b/gen/generate-bindings
+@@ -14,12 +14,22 @@ echo "# Import all versions" > __init__.py
+ for v in $SPDX_VERSIONS; do
+     MODNAME="v$(echo "$v" | sed 's/[^a-zA-Z0-9_]/_/g')"
+
+-    shacl2code generate --input https://spdx.org/rdf/$v/spdx-model.ttl \
+-        --input https://spdx.org/rdf/$v/spdx-json-serialize-annotations.ttl \
+-        --context https://spdx.org/rdf/$v/spdx-context.jsonld \
+-        --license Apache-2.0 \
+-        python \
+-        -o "$MODNAME.py"
++    if [ -n "${SHACL2CODE_SPDX_DIR}" ] && [ -d "${SHACL2CODE_SPDX_DIR}/$v" ]
++    then
++        shacl2code generate --input "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-model.ttl" \
++            --input "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-json-serialize-annotations.ttl" \
++            --context-url "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-context.jsonld" https://spdx.org/rdf/$v/spdx-context.jsonld  \
++            --license Apache-2.0 \
++            python \
++            -o "$MODNAME.py"
++    else
++        shacl2code generate --input https://spdx.org/rdf/$v/spdx-model.ttl \
++            --input https://spdx.org/rdf/$v/spdx-json-serialize-annotations.ttl \
++            --context https://spdx.org/rdf/$v/spdx-context.jsonld \
++            --license Apache-2.0 \
++            python \
++            -o "$MODNAME.py"
++    fi
+
+     echo "from . import $MODNAME" >> __init__.py
+ done
+--
+2.53.0
diff --git a/meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb b/meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb
new file mode 100644
index 000000000000..00c3b3913c2e
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb
@@ -0,0 +1,37 @@
+SUMMARY = "Generated Python code for SPDX Spec version 3"
+HOMEPAGE = "https://pypi.org/project/spdx-python-model/"
+SECTION = "devel/python"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
+
+PYPI_PACKAGE = "spdx_python_model"
+SRC_URI[sha256sum] = "bdec725398babcbdd4bcb7c16cf23497d06a48d0ef3ea1edb19a3b0d431ab8c1"
+
+SRC_URI += " \
+    https://spdx.org/rdf/3.0.1/spdx-context.jsonld;name=spdx1 \
+    https://spdx.org/rdf/3.0.1/spdx-json-serialize-annotations.ttl;name=spdx2 \
+    https://spdx.org/rdf/3.0.1/spdx-model.ttl;name=spdx3 \
+    file://0001-generate-bindings-allow-to-use-local-files.patch \
+"
+
+SRC_URI[spdx1.sha256sum] = "c72b0928f094c83e5c127784edb1ebca2af74a104fcacc007c332b23cbc788bd"
+SRC_URI[spdx2.sha256sum] = "c6a54b51230eb2bf3b31302546af201f303e0b7931c1db404d7f5b72b6f863e6"
+SRC_URI[spdx3.sha256sum] = "30ebb4af2d70a9809044ef46f44cc3dc5125226d70f818a50ed2e1d5f404c593"
+
+inherit pypi python_hatchling
+
+export SHACL2CODE_SPDX_DIR = "${S}/spdx"
+
+do_configure:append() {
+    mkdir -p "${SHACL2CODE_SPDX_DIR}/3.0.1/"
+    cp ${UNPACKDIR}/spdx-context.jsonld "${SHACL2CODE_SPDX_DIR}/3.0.1/"
+    cp ${UNPACKDIR}/spdx-json-serialize-annotations.ttl "${SHACL2CODE_SPDX_DIR}/3.0.1/"
+    cp ${UNPACKDIR}/spdx-model.ttl "${SHACL2CODE_SPDX_DIR}/3.0.1/"
+}
+
+DEPENDS += " \
+    python3-shacl2code-native \
+    python3-hatch-build-scripts-native \
+"
+
+BBCLASSEXTEND = "native nativesdk"

-- 
2.53.0

[PATCH v3 5/6] sbom-cve-check: add recipe

[Benjamin Robin]

Provide sbom-cve-check (native) executable.

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 meta/conf/distro/include/maintainers.inc                |  1 +
 .../python/python3-sbom-cve-check_1.1.0.bb              | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 3bc1d00bc1c7..c43107ccdccd 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -714,6 +714,7 @@ RECIPE_MAINTAINER:pn-python3-rfc3987 = "Bruce Ashfield <bruce.ashfield@gmail.com
 RECIPE_MAINTAINER:pn-python3-roman-numerals = "Trevor Gamblin <tgamblin@baylibre.com>"
 RECIPE_MAINTAINER:pn-python3-rpds-py = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-ruamel-yaml = "Bruce Ashfield <bruce.ashfield@gmail.com>"
+RECIPE_MAINTAINER:pn-python3-sbom-cve-check = "Benjamin Robin <benjamin.robin@bootlin.com>"
 RECIPE_MAINTAINER:pn-python3-scons = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-semantic-version = "Tim Orling <tim.orling@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-setuptools = "Trevor Gamblin <tgamblin@baylibre.com>"
diff --git a/meta/recipes-devtools/python/python3-sbom-cve-check_1.1.0.bb b/meta/recipes-devtools/python/python3-sbom-cve-check_1.1.0.bb
new file mode 100644
index 000000000000..3d1c581e9f86
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-sbom-cve-check_1.1.0.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Lightweight SBOM CVE analysis tool"
+HOMEPAGE = "https://github.com/bootlin/sbom-cve-check"
+SECTION = "devel/python"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=570a9b3749dd0463a1778803b12a6dce"
+
+PYPI_PACKAGE = "sbom_cve_check"
+SRC_URI[sha256sum] = "953256ac99851ba59bc8649b8023303007ff2981edbc4ee395011bd91c118095"
+
+inherit pypi python_hatchling
+
+RDEPENDS:${PN} += " \
+    python3-spdx-python-model \
+    python3-pyyaml \
+"
+
+BBCLASSEXTEND = "native nativesdk"

-- 
2.53.0

[PATCH v3 6/6] sbom-cve-check.bbclass: Add class for post-build CVE analysis

[Benjamin Robin]

By default, the CVE databases are downloaded using the following
recipes:
 - sbom-cve-check-update-cvelist-native.bb
 - sbom-cve-check-update-nvd-native.bb

The database download logic is implemented in
sbom-cve-check-update-db.bbclass. The CVE databases are stored in the
download directory (`DL_DIR`). Access to the database is managed using
an exclusive file lock (`flock`) on the directory. During CVE analysis,
sbom-cve-check acquires a shared lock, allowing multiple analyses to
run in parallel. However, if the database is being updated, any
ongoing CVE analysis is temporarily paused.

This design ensures that, under normal circumstances, sbom-cve-check
can run without requiring network access. If a user needs network
access during execution (e.g., to download annotation databases),
they can set `SBOM_CVE_CHECK_ALLOW_NETWORK` to "1".

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 .../sbom-cve-check-update-db.bbclass               | 87 ++++++++++++++++++++
 meta/classes-recipe/sbom-cve-check.bbclass         | 96 ++++++++++++++++++++++
 meta/conf/distro/include/maintainers.inc           |  2 +
 .../meta/sbom-cve-check-update-cvelist-native.bb   |  7 ++
 .../meta/sbom-cve-check-update-nvd-native.bb       |  7 ++
 5 files changed, 199 insertions(+)

diff --git a/meta/classes-recipe/sbom-cve-check-update-db.bbclass b/meta/classes-recipe/sbom-cve-check-update-db.bbclass
new file mode 100644
index 000000000000..4f62c831eb72
--- /dev/null
+++ b/meta/classes-recipe/sbom-cve-check-update-db.bbclass
@@ -0,0 +1,87 @@
+# SPDX-License-Identifier: MIT
+
+INHIBIT_DEFAULT_DEPS = "1"
+EXCLUDE_FROM_WORLD = "1"
+
+inherit native
+
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+
+SBOM_CVE_CHECK_FETCH_PATH[doc] = "Path to the Git repository to be downloaded. \
+    Should be prefixed by {DL_DIR}/sbom_cve_check/databases/"
+
+SBOM_CVE_CHECK_FETCH_URL[doc] = "Git clone URL of the CVE database"
+
+SBOM_CVE_CHECK_FETCH_INTERVAL ?= "57600"
+SBOM_CVE_CHECK_FETCH_INTERVAL[doc] = "\
+    CVE database update interval, in seconds. By default every 16 hours. \
+    Use 0 to force the update. Use a negative value to skip the update. \
+"
+
+python do_fetch() {
+    from datetime import datetime, timezone, timedelta
+    import fcntl
+    import os
+    import pathlib
+    import subprocess
+
+    bb.utils.export_proxies(d)
+
+    fetch_interval = int(d.get("SBOM_CVE_CHECK_FETCH_INTERVAL"))
+    git_url = d.getVar("SBOM_CVE_CHECK_FETCH_URL")
+    git_dir = pathlib.Path(d.getVar("SBOM_CVE_CHECK_FETCH_PATH"))
+    git_dir.mkdir(parents=True, exist_ok=True)
+
+    def _exec_git_cmd(args):
+        cmd = ["git"]
+        cmd.extend(args)
+        return subprocess.run(
+            cmd,
+            input="",
+            capture_output=True,
+            check=True,
+            cwd=git_dir,
+            encoding="utf-8",
+        )
+
+    # Lock the git directory: take an exclusive lock
+    lock_fd = os.open(git_dir, os.O_RDONLY | os.O_NOCTTY)
+    try:
+        fcntl.flock(lock_fd, fcntl.LOCK_EX)
+
+        # Clone the git repository if it does not exist
+        if not git_dir.joinpath(".git", "HEAD").is_file():
+            _exec_git_cmd(["clone", "--depth", "1", "--single-branch", git_url, "."])
+            return
+
+        # Check if an updated is necessary
+        if fetch_interval < 0:
+            return
+
+        if fetch_interval > 0:
+            # Get date of last commit
+            r = _exec_git_cmd(["show", "-s", "--format=%ct", "HEAD"])
+            commit_date = datetime.fromtimestamp(int(r.stdout.strip()), tz=timezone.utc)
+            delta_last_commit = datetime.now(timezone.utc) - commit_date
+            if delta_last_commit < timedelta(seconds=fetch_interval):
+                return
+
+        _exec_git_cmd(["pull"])
+    except subprocess.SubprocessError as e:
+        bb.error(f"{e.cmd} failed:\n{e.stdout}\n---\n{e.stderr}\n")
+    finally:
+        # Release the exclusive lock
+        os.close(lock_fd)
+}
+
+do_fetch[file-checksums] = ""
+do_fetch[vardeps] = " \
+    SBOM_CVE_CHECK_FETCH_PATH \
+    SBOM_CVE_CHECK_FETCH_URL \
+    SBOM_CVE_CHECK_FETCH_INTERVAL \
+"
+do_fetch[nostamp] = "1"
diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
new file mode 100644
index 000000000000..86e06bdf7c23
--- /dev/null
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -0,0 +1,96 @@
+# SPDX-License-Identifier: MIT
+
+SBOM_CVE_CHECK_WORKDIR ??= "${WORKDIR}/sbom_cve_check"
+SBOM_CVE_CHECK_DEPLOYDIR = "${SBOM_CVE_CHECK_WORKDIR}/image-deploy"
+
+SBOM_CVE_CHECK_EXTRA_ARGS[doc] = "Allow to specify extra arguments to sbom-cve-check. For example to add filtering"
+SBOM_CVE_CHECK_EXTRA_ARGS ?= ""
+
+SBOM_CVE_CHECK_EXPORT_VARS[doc] = "List of variables that declare export files to generate. Each variable must have a 'type' and an 'ext' flag set"
+SBOM_CVE_CHECK_EXPORT_VARS ?= "SBOM_CVE_CHECK_EXPORT_FILE"
+
+SBOM_CVE_CHECK_EXPORT_FILE[doc] = "Default configuration of generated export file"
+SBOM_CVE_CHECK_EXPORT_FILE[type] ?= "spdx3"
+SBOM_CVE_CHECK_EXPORT_FILE[ext] ?= ".cve-check.spdx.json"
+
+SBOM_CVE_CHECK_ALLOW_NETWORK[doc] = "Set to 1 to enable network usage."
+SBOM_CVE_CHECK_ALLOW_NETWORK ?= "0"
+
+python do_sbom_cve_check() {
+    """
+    Task: Run sbom-cve-check analysis on SBOM.
+    """
+    import os
+    import bb
+    from oe.cve_check import update_symlinks
+
+    if not bb.data.inherits_class("vex", d):
+        bb.fatal("Cannot execute sbom-cve-check missing vex inherit.")
+    if not bb.data.inherits_class("create-spdx-3.0", d):
+        bb.fatal("Cannot execute sbom-cve-check missing create-spdx-3.0 inherit.")
+
+    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
+    vex_manifest_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.json")
+    dl_db_dir = d.expand("${DL_DIR}/sbom_cve_check/databases")
+    deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
+    img_link_name = d.getVar("IMAGE_LINK_NAME")
+    img_name = d.getVar("IMAGE_NAME")
+
+    export_files = []
+    for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split():
+        export_ext = d.getVarFlag(export_var, "ext")
+        export_path = f"{deploy_dir}/{img_name}{export_ext}"
+        export_link = f"{deploy_dir}/{img_link_name}{export_ext}"
+        export_type = d.getVarFlag(export_var, "type")
+        export_files.append((export_type, export_path, export_link))
+
+    cmd_env = os.environ.copy()
+    cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = dl_db_dir
+
+    cmd_args = [
+        d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"),
+        "--sbom-path",
+        sbom_path,
+        "--yocto-vex-manifest",
+        vex_manifest_path,
+    ]
+
+    for export_file in export_files:
+        cmd_args.extend(
+            ["--export-type", export_file[0], "--export-path", export_file[1]]
+        )
+
+    cmd_args.extend(d.getVar("SBOM_CVE_CHECK_EXTRA_ARGS").split())
+
+    try:
+        bb.note("Running: {}".format(" ".join(cmd_args)))
+        bb.process.run(cmd_args, env=cmd_env)
+    except bb.process.ExecutionError as e:
+        bb.fatal(
+            f"sbom-cve-check failed with exit code {e.exitcode}\n{e.stdout}\n{e.stderr}"
+        )
+        return
+
+    for export_file in export_files:
+        bb.note(f"sbom-cve-check exported: {export_file[1]}")
+        update_symlinks(export_file[1], export_file[2])
+}
+
+addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build
+
+SSTATETASKS += "do_sbom_cve_check"
+SSTATE_SKIP_CREATION:task-sbom-cve-check = "1"
+do_sbom_cve_check[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
+do_sbom_cve_check[recrdeptask] += "do_create_image_sbom_spdx"
+do_sbom_cve_check[depends] += " \
+    python3-sbom-cve-check-native:do_populate_sysroot \
+    ${@oe.utils.conditional('SBOM_CVE_CHECK_ALLOW_NETWORK','0',' \
+        sbom-cve-check-update-cvelist-native:do_fetch \
+        sbom-cve-check-update-nvd-native:do_fetch \
+    ','',d)} \
+"
+
+do_sbom_cve_check[network] = "${SBOM_CVE_CHECK_ALLOW_NETWORK}"
+do_sbom_cve_check[nostamp] = "1"
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index c43107ccdccd..a48db2df7b2f 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -787,6 +787,8 @@ RECIPE_MAINTAINER:pn-sassc = "Simone Weiß <simone.p.weiss@posteo.com>"
 RECIPE_MAINTAINER:pn-sato-icon-theme = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-sato-screenshot = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-sbc = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-sbom-cve-check-update-cvelist-native = "Benjamin Robin <benjamin.robin@bootlin.com>"
+RECIPE_MAINTAINER:pn-sbom-cve-check-update-nvd-native = "Benjamin Robin <benjamin.robin@bootlin.com>"
 RECIPE_MAINTAINER:pn-scdoc = "Alex Kiernan <alex.kiernan@gmail.com>"
 RECIPE_MAINTAINER:pn-screen = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-seatd = "Unassigned <unassigned@yoctoproject.org>"
diff --git a/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb
new file mode 100644
index 000000000000..cd5ed680b4dd
--- /dev/null
+++ b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb
@@ -0,0 +1,7 @@
+SUMMARY = "Updates the CVE List database"
+LICENSE = "MIT"
+
+SBOM_CVE_CHECK_FETCH_PATH = "${DL_DIR}/sbom_cve_check/databases/cvelist"
+SBOM_CVE_CHECK_FETCH_URL = "https://github.com/CVEProject/cvelistV5.git"
+
+inherit sbom-cve-check-update-db
diff --git a/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb
new file mode 100644
index 000000000000..7add8e6bfba5
--- /dev/null
+++ b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb
@@ -0,0 +1,7 @@
+SUMMARY = "Updates the NVD CVE database"
+LICENSE = "MIT"
+
+SBOM_CVE_CHECK_FETCH_PATH = "${DL_DIR}/sbom_cve_check/databases/nvd-fkie"
+SBOM_CVE_CHECK_FETCH_URL = "https://github.com/fkie-cad/nvd-json-data-feeds.git"
+
+inherit sbom-cve-check-update-db

-- 
2.53.0

Re: [OE-core] [PATCH v3 6/6] sbom-cve-check.bbclass: Add class for post-build CVE analysis

[Paul Barker]

[-- Attachment #1: Type: text/plain, Size: 1887 bytes --]

On Thu, 2026-02-26 at 18:01 +0100, Benjamin Robin via
lists.openembedded.org wrote:
> By default, the CVE databases are downloaded using the following
> recipes:
>  - sbom-cve-check-update-cvelist-native.bb
>  - sbom-cve-check-update-nvd-native.bb
> 
> The database download logic is implemented in
> sbom-cve-check-update-db.bbclass. The CVE databases are stored in the
> download directory (`DL_DIR`). Access to the database is managed using
> an exclusive file lock (`flock`) on the directory. During CVE analysis,
> sbom-cve-check acquires a shared lock, allowing multiple analyses to
> run in parallel. However, if the database is being updated, any
> ongoing CVE analysis is temporarily paused.
> 
> This design ensures that, under normal circumstances, sbom-cve-check
> can run without requiring network access. If a user needs network
> access during execution (e.g., to download annotation databases),
> they can set `SBOM_CVE_CHECK_ALLOW_NETWORK` to "1".
> 
> Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>

Hi Benjamin,

Patches 1-5 of this series were accepted, but we had some concerns with
this one.

We would prefer not to override do_fetch for sbom-cve-check-update-*.bb.
We should be able to use the standard git fetcher here, with a hardcoded
SRCREV to allow offline parsing to succeed. A config fragment should
then be defined which enables the sbom-cve-check bbclass and sets the
srcrevs for the update recipes to ${AUTOREV}.

Running sbom-cve-check offline should be supported, but manual config
may be needed to set an appropriate srcrev. We should provide an example
of this in the docs.

We should also be able to avoid setting do_sbom_cve_check[nostamp]. With
dependencies set correctly, this should only re-run if the image changes
or the cve database has been updated.

Best regards,

-- 
Paul Barker


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: [OE-core] [PATCH v3 6/6] sbom-cve-check.bbclass: Add class for post-build CVE analysis

[Benjamin Robin]

Hello Paul,

On Thursday, March 5, 2026 at 2:47 PM, Paul Barker wrote:
> Hi Benjamin,
> 
> Patches 1-5 of this series were accepted, but we had some concerns with
> this one.

Thanks!

> We would prefer not to override do_fetch for sbom-cve-check-update-*.bb.
> We should be able to use the standard git fetcher here, with a hardcoded
> SRCREV to allow offline parsing to succeed. A config fragment should
> then be defined which enables the sbom-cve-check bbclass and sets the
> srcrevs for the update recipes to ${AUTOREV}.

Honestly, I've been considering the best approach for fetching the CVE
databases. While using the Yocto internal fetcher is indeed cleaner, it
raises a few questions:

 - Is it possible to implement updates at fixed intervals (e.g., every X
   hours)? If so, how could this be done?
   If this isn't feasible, it's not a major concern, having the latest
   updates is more important than performance.

 - Would there be any objections to updating the `RM_WORK_EXCLUDE`
   variable within the database update recipes to exclude the recipe
   itself? Unpacking the CVE database is quite slow, especially given its
   size (~3GB).

 - By retaining the unpacked databases, we could store the database index
   in the `$workdir`. This would avoid the need to recompute the database
   index each time, which is something we'd prefer to avoid.

 - However, it feels questionable to use an extracted Git repository from
   another recipe: My whole (new) idea on how to fix this looks wrong.
   I checked how `cve-update-nvd2-native.bb` handles this, the database
   is moved to the download directory. But if we do this, the database
   will still be unpacked for every analysis, which we try to avoid.

My primary aim is to avoid extracting the database repeatedly for every
build, and to be able to keep the database index somewhere.

> Running sbom-cve-check offline should be supported, but manual config
> may be needed to set an appropriate srcrev. We should provide an example
> of this in the docs.

I plan to write documentation (in yocto-docs) as soon as this series is
merged :)

> We should also be able to avoid setting do_sbom_cve_check[nostamp]. With
> dependencies set correctly, this should only re-run if the image changes
> or the cve database has been updated.

I am going to fix that (at least try, see discussion above)!

Best regards,
-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Re: [OE-core] [PATCH v3 6/6] sbom-cve-check.bbclass: Add class for post-build CVE analysis

[Benjamin Robin]

Hello Paul,

On Thursday, March 5, 2026 at 5:22 PM, Benjamin Robin wrote:
> On Thursday, March 5, 2026 at 2:47 PM, Paul Barker wrote:
> > We would prefer not to override do_fetch for sbom-cve-check-update-*.bb.
> > We should be able to use the standard git fetcher here, with a hardcoded
> > SRCREV to allow offline parsing to succeed. A config fragment should
> > then be defined which enables the sbom-cve-check bbclass and sets the
> > srcrevs for the update recipes to ${AUTOREV}.
> 
> Honestly, I've been considering the best approach for fetching the CVE
> databases. While using the Yocto internal fetcher is indeed cleaner, it
> raises a few questions:
> 
>  - Is it possible to implement updates at fixed intervals (e.g., every X
>    hours)? If so, how could this be done?
>    If this isn't feasible, it's not a major concern, having the latest
>    updates is more important than performance.
> 
>  - Would there be any objections to updating the `RM_WORK_EXCLUDE`
>    variable within the database update recipes to exclude the recipe
>    itself? Unpacking the CVE database is quite slow, especially given its
>    size (~3GB).
> 
>  - By retaining the unpacked databases, we could store the database index
>    in the `$workdir`. This would avoid the need to recompute the database
>    index each time, which is something we'd prefer to avoid.
> 
>  - However, it feels questionable to use an extracted Git repository from
>    another recipe: My whole (new) idea on how to fix this looks wrong.
>    I checked how `cve-update-nvd2-native.bb` handles this, the database
>    is moved to the download directory. But if we do this, the database
>    will still be unpacked for every analysis, which we try to avoid.
> 
> My primary aim is to avoid extracting the database repeatedly for every
> build, and to be able to keep the database index somewhere.

I am proposing two solutions to address this issue:

- First RFC [1]: A refined version of the original solution using a
  custom `do_fetch`. While performance on an NFS-mounted download directory
  may not be optimal, this approach now includes a configurable variable to
  specify the CVE database storage location.

- Second RFC [2]: An alternative approach leveraging BitBake’s internal
  fetcher.

I prefer the first solution, as it appears cleaner to me. It supports
shallow cloning (depth of 1) and allows explicit control over update
intervals.

Once feedback is received, I will prepare a formal patch based on the
chosen solution.

> > Running sbom-cve-check offline should be supported, but manual config
> > may be needed to set an appropriate srcrev. We should provide an example
> > of this in the docs.

For fully offline use of `sbom-cve-check`, there is already a commit in
the main branch that introduces the `--disable-auto-updates` flag. I
plan to release this update for `sbom-cve-check` soon (within one or two
weeks) to integrate it into the OE-core class. If this timeline is not OK,
please let me know.
 
> I plan to write documentation (in yocto-docs) as soon as this series is
> merged :)
> 
> > We should also be able to avoid setting do_sbom_cve_check[nostamp]. With
> > dependencies set correctly, this should only re-run if the image changes
> > or the cve database has been updated.
> 
> I am going to fix that (at least try, see discussion above)!

[1] https://lore.kernel.org/r/20260309-add-sbom-cve-check-p2-v1-0-72a0771e1f12@bootlin.com
[2] https://lore.kernel.org/r/20260309-add-sbom-cve-check-p2b-v1-0-09165cddfcf1@bootlin.com

Best regards,
-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com