From: Benjamin Robin <benjamin.robin@bootlin.com>
To: openembedded-core@lists.openembedded.org,
Antonin Godard <antonin.godard@bootlin.com>
Cc: richard.purdie@linuxfoundation.org, rybczynska@gmail.com,
ross.burton@arm.com, peter.marko@siemens.com,
jpewhacker@gmail.com, olivier.benjamin@bootlin.com,
mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com
Subject: Re: [PATCH v6] sbom-cve-check: Add class for post-build CVE analysis
Date: Mon, 23 Mar 2026 11:29:09 +0100 [thread overview]
Message-ID: <3066728.e9J7NaK4W3@brobin-bootlin> (raw)
In-Reply-To: <DHA0QE0OIQWS.27293QOT1ZJFK@bootlin.com>
Hello Antonin,
Thank you for the review.
On Monday, March 23, 2026 at 9:28 AM, Antonin Godard wrote:
> Hi,
>
> Some suggestions and questions I picked while reviewing this patch.
>
> On Thu Mar 19, 2026 at 4:42 PM CET, Benjamin Robin wrote:
> > By default, the sbom-cve-check class generates these export files:
> > - A JSON in `cve-check` format, named `${IMAGE_NAME}.cve-check.json`
> > - An SPDX 3.0 SBOM, named `${IMAGE_NAME}.cve-check.spdx.json`.
> >
> > A user can add or remove export file formats by using the
> > `SBOM_CVE_CHECK_EXPORT_VARS` variable.
> >
> > By default, the CVE databases are downloaded using the following
> > recipes:
> > - sbom-cve-check-update-cvelist-native.bb
> > - sbom-cve-check-update-nvd-native.bb
> >
> > The database fetch and deploy logic is implemented in
> > sbom-cve-check-update-db.inc. The CVE databases are stored in the
> > download directory (`DL_DIR`) by default. This can be configured by
> > the `SBOM_CVE_CHECK_DATABASES_DIR` variable defined in
> > meta/recipes-core/meta/sbom-cve-check-config.inc.
>
> Yet the default definition is:
>
> SBOM_CVE_CHECK_DATABASES_DIR ??= "${DEPLOY_DIR}/sbom_cve_check/databases"
>
> Which does not point to the DL_DIR? The commit message seems a bit misleading.
In the v7 this is going to be fixed.
> > diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
> > new file mode 100644
> > index 000000000000..32f92a0bab29
> > --- /dev/null
> > +++ b/meta/classes-recipe/sbom-cve-check.bbclass
> > @@ -0,0 +1,121 @@
> > +# SPDX-License-Identifier: MIT
> > +
> > +# To enable this class, it is recommended to add this to local.conf
> > +# OE_FRAGMENTS += "core/yocto/sbom-cve-check"
>
> I'd rather recommend the tool normally used to manage fragments, which modifies
> toolcfg.conf, made for this purpose.
>
> ```
> # It is recommended to enable this class through the sbom-cve-check fragment:
> # bitbake-config-build enable-fragment sbom-cve-check
> ```
I improved the comment, but I kept the original explanation.
For example this could be useful for writing KAS configuration.
> > +
> > +require recipes-core/meta/sbom-cve-check-config.inc
> > +
> > +SBOM_CVE_CHECK_DEPLOYDIR = "${WORKDIR}/sbom_cve_check/image-deploy"
>
> Nitpick, but why use underscore for "sbom_cve_check"? Here, and in the other
> places in this patch. Using "sbom-cve-check" everywhere would perhaps be more
> coherent?
I standardized all directory names, it should be named with dash now.
> > +SBOM_CVE_CHECK_EXTRA_ARGS[doc] = "Allow to specify extra arguments to sbom-cve-check. \
> > + For example to add export flags for filtering (e.g., only export vulnerable CVEs). \
> > +"
> > +SBOM_CVE_CHECK_EXTRA_ARGS ??= ""
> > +
> > +SBOM_CVE_CHECK_EXPORT_VARS[doc] = "List of variables that declare export files to generate. \
> > + Each variable must have a 'type' and an 'ext' flag set. \
> > + The 'type' flag contains the value that is passed to the --export-type command flags. \
> > + The 'ext' flag contains the filename extension (suffix). The output filename is going \
> > + to be ${IMAGE_NAME}${ext} \
> > +"
> > +SBOM_CVE_CHECK_EXPORT_VARS ?= "SBOM_CVE_CHECK_EXPORT_SPDX3 SBOM_CVE_CHECK_EXPORT_CVECHECK"
> > +
> > +SBOM_CVE_CHECK_EXPORT_SPDX3[doc] = "Export configuration to generate an SPDX3 SBOM file, \
> > + with the following name: ${IMAGE_NAME}.cve-check.spdx.json \
> > +"
> > +SBOM_CVE_CHECK_EXPORT_SPDX3[type] ?= "spdx3"
> > +SBOM_CVE_CHECK_EXPORT_SPDX3[ext] ?= ".cve-check.spdx.json"
> > +
> > +SBOM_CVE_CHECK_EXPORT_CVECHECK[doc] = "Export configuration to generate a JSON manifest \
> > + in the same format as the cve-check class, with the following name: \
> > + ${IMAGE_NAME}.cve-check.json \
> > +"
> > +SBOM_CVE_CHECK_EXPORT_CVECHECK[type] ?= "yocto-cve-check-manifest"
> > +SBOM_CVE_CHECK_EXPORT_CVECHECK[ext] ?= ".cve-check.json"
>
> As I understand it, these represent the different kinds of outputs of
> sbom-cve-check. Wouldn't these make more sense as:
>
> SBOM_CVE_CHECK_EXPORT_SPDX3[ext] ?= ".sbom-cve-check.spdx.json"
> SBOM_CVE_CHECK_EXPORT_CVECHECK[ext] ?= ".sbom-cve-check.yocto.json"
>
> first item indicates that this is an sbom-cve-check generated file,
> second item denotes the format of the file : either spdx3, or the yocto specific
> one.
Yeah you are write, it is clearer this way, despite the fact that is it
a bit longer.
> > diff --git a/meta/conf/fragments/yocto/sbom-cve-check.conf b/meta/conf/fragments/yocto/sbom-cve-check.conf
> > new file mode 100644
> > index 000000000000..a3f229acf28a
> > --- /dev/null
> > +++ b/meta/conf/fragments/yocto/sbom-cve-check.conf
> > @@ -0,0 +1,14 @@
> > +BB_CONF_FRAGMENT_SUMMARY = "This fragment enables sbom-cve-check with recommended default options"
> > +BB_CONF_FRAGMENT_DESCRIPTION = "Enables sbom-cve-check and applies the following configurations: \
> > + - Adds the sbom-cve-check class to IMAGE_CLASSES. \
> > + - Configures CVE database recipes to fetch the latest git revision using AUTOREV. \
> > + - Ensures generated SBOM includes all CVE annotations. \
> > + - Configures the Linux kernel recipe to provide compiled sources, \
> > + allowing CVEs to be excluded if the source is not compiled. \
> > +"
> > +
> > +IMAGE_CLASSES:append = " sbom-cve-check"
> > +SRCREV:pn-sbom-cve-check-update-nvd-native = "${AUTOREV}"
> > +SRCREV:pn-sbom-cve-check-update-cvelist-native = "${AUTOREV}"
> > +SPDX_INCLUDE_VEX = "all"
> > +SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = "1"
>
> Could we also set SBOM_CVE_CHECK_ALLOW_NETWORK to 1 here? Since we already
> require network with AUTOREV anyway.
The do_sbom_cve_check task does not need network by default.
It is only needed if the user want to fetch additional databases, for
example annotation databases.
> > diff --git a/meta/recipes-core/meta/sbom-cve-check-config.inc b/meta/recipes-core/meta/sbom-cve-check-config.inc
> > new file mode 100644
> > index 000000000000..a1a909e22250
> > --- /dev/null
> > +++ b/meta/recipes-core/meta/sbom-cve-check-config.inc
>
> This file and others could be in a more appropriate directory, such are
> recipes-devtools/sbom-cve-check/? I think in a patch review call we said that
> this directory was wrongly used for the previous cve-check-related recipes (you
> weren't in this call IIRC).
This is going to be fixed in the v7 series: The recipes are moved to
recipes-devtools/sbom-cve-check/.
> > @@ -0,0 +1,4 @@
> > +# SPDX-License-Identifier: MIT
> > +
> > +SBOM_CVE_CHECK_DATABASES_DIR ??= "${DEPLOY_DIR}/sbom_cve_check/databases"
>
> I think there is already "${DEPLOY_DIR}/cve" used by cve-check and vex, maybe
> you could re-use this path as:
>
> SBOM_CVE_CHECK_DATABASES_DIR ??= "${DEPLOY_DIR}/cve/sbom_cve_check/databases"
>
> to avoid creating a new directory in DEPLOY_DIR?
I really think this is a bad idea. The ${DEPLOY_DIR}/cve/ directory contains
a lot of json file at the root of this directory. I really do not want to
break existing VEX and/or cve-check tasks.
> > +SBOM_CVE_CHECK_DATABASES_DIR[doc] = "Download directory path where to store the CVE databases"
> > diff --git a/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb
> > new file mode 100644
> > index 000000000000..ce204db6c51a
> > --- /dev/null
> > +++ b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb
> > @@ -0,0 +1,12 @@
> > +SUMMARY = "Updates the CVE List database"
> > +LICENSE = "MIT"
> > +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
> > +
> > +HOMEPAGE = "https://github.com/CVEProject/cvelistV5"
> > +SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https"
> > +SBOM_CVE_CHECK_DB_NAME = "cvelist"
> > +
> > +# 2026-03-19_baseline
> > +SRCREV = "ada54ee3cc8380820aa45e4996910bdc9dcb94e7"
> > +
> > +require sbom-cve-check-update-db.inc
> > diff --git a/meta/recipes-core/meta/sbom-cve-check-update-db.inc b/meta/recipes-core/meta/sbom-cve-check-update-db.inc
> > new file mode 100644
> > index 000000000000..5ecb79820247
> > --- /dev/null
> > +++ b/meta/recipes-core/meta/sbom-cve-check-update-db.inc
> > @@ -0,0 +1,28 @@
> > +# SPDX-License-Identifier: MIT
> > +
> > +INHIBIT_DEFAULT_DEPS = "1"
> > +EXCLUDE_FROM_WORLD = "1"
> > +
> > +inherit native
> > +require sbom-cve-check-config.inc
> > +
> > +SBOM_CVE_CHECK_DB_NAME[doc] = "Database name, which is the Git repository directory name. \
> > + The git repository will be stored in ${SBOM_CVE_CHECK_DATABASES_DIR)/"
> > +
> > +DEPENDS += "rsync-native"
> > +
> > +# Leverage BitBake's checksum computation for populated sysroot files to determine
> > +# whether other recipe tasks dependent on this output need to be re-executed.
> > +do_compile() {
> > + git -C "${S}" rev-parse --verify "HEAD^{object}" > "${WORKDIR}/${SBOM_CVE_CHECK_DB_NAME}.rev"
>
> We're in do_compile(), so you can store the output file in ${B}?
>
> git -C "${S}" rev-parse --verify "HEAD^{object}" > "${B}/${SBOM_CVE_CHECK_DB_NAME}.rev"
This part is going to be removed since it is no longer necessary.
> > +}
> > +
> > +# In the install task, also deploy directly to ${DEPLOY_DIR} using rsync.
> > +# This is an hack, we are not using do_deploy to prevent multiple unecessary copy of the CVE database.
> > +do_install() {
> > + install -m 644 -D -t "${D}${datadir}/sbom_cve_check/databases/" "${WORKDIR}/${SBOM_CVE_CHECK_DB_NAME}.rev"
> > +
> > + dst="${SBOM_CVE_CHECK_DATABASES_DIR}/${SBOM_CVE_CHECK_DB_NAME}"
> > + mkdir -p "$dst"
> > + rsync -aH --delete --link-dest="${S}/" "${S}/" "${dst}/"
> > +}
>
> Why do we need this in both ${datadir} and the deploy dir? Isn't
> sbom-cve-check only using the one in the deploy dir? Was this done to create a
> package out of these recipes? If we don't really need one we could use
> ALLOW_EMPTY:${PN} = "1" instead?
Indeed, we could do that, and in this case the do_sbom_cve_check task should
depend on the do_install task. I am going to use ALLOW_EMPTY on this v7
series.
> > diff --git a/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb
> > new file mode 100644
> > index 000000000000..46c86952a164
> > --- /dev/null
> > +++ b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb
> > @@ -0,0 +1,12 @@
> > +SUMMARY = "Updates the NVD CVE database"
> > +LICENSE = "cve-tou"
> > +LIC_FILES_CHKSUM = "file://LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
> > +
> > +HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-feeds"
> > +SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https"
> > +SBOM_CVE_CHECK_DB_NAME = "nvd-fkie"
> > +
> > +# v2026.03.19-010002
> > +SRCREV = "49f8bbe1b0b0884e16bdc37ab68db997085570a7"
> > +
> > +require sbom-cve-check-update-db.inc
Thanks,
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
prev parent reply other threads:[~2026-03-23 10:29 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-19 15:42 [PATCH v6] sbom-cve-check: add CVE analysis tool and class Benjamin Robin
2026-03-19 15:42 ` [PATCH v6] sbom-cve-check: Add class for post-build CVE analysis Benjamin Robin
2026-03-20 15:54 ` Marta Rybczynska
2026-03-20 16:14 ` Benjamin Robin
2026-03-23 8:28 ` Antonin Godard
2026-03-23 10:29 ` Benjamin Robin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3066728.e9J7NaK4W3@brobin-bootlin \
--to=benjamin.robin@bootlin.com \
--cc=antonin.godard@bootlin.com \
--cc=jpewhacker@gmail.com \
--cc=mathieu.dubois-briand@bootlin.com \
--cc=olivier.benjamin@bootlin.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=peter.marko@siemens.com \
--cc=richard.purdie@linuxfoundation.org \
--cc=ross.burton@arm.com \
--cc=rybczynska@gmail.com \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox