* [PATCH v7 0/2] sbom-cve-check: add CVE analysis tool and class
From: Benjamin Robin @ 2026-03-23 16:12 UTC (permalink / raw)
To: openembedded-core
Cc: richard.purdie, rybczynska, ross.burton, peter.marko, jpewhacker,
olivier.benjamin, antonin.godard, mathieu.dubois-briand,
thomas.petazzoni, Benjamin Robin
This patch series introduces the `sbom-cve-check` tool and its
dependencies. The tool requires `python3-spdx-python-model`, which has
the following build-time dependencies (not required at runtime):
- `python3-hatch-build-scripts`
- `python3-shacl2code`
Note: This part has already been merged into master.
Additionally, this series includes a post-build CVE analysis class,
similar to the existing `cve-check` functionality, which this v7 version
aims to provide.
This v7 series requires `sbom-cve-check` in version 1.2.0, which is
provided by the following patch: ("python3-sbom-cve-check: Update to
release 1.2.0") [4].
The series is split into two commits:
- The main part, which provides the `sbom-cve-check` class.
- A second commit that enables the use of the `sbom-cve-check` internal
fetcher.
This is split into two commits because we may want to merge only the
first one if there is too much discussion about the second commit.
For context, `sbom-cve-check` is a lightweight SBOM CVE analysis tool,
which supports SBOMs in SPDX 2.2 or SPDX 3.0 formats. The tool is
designed as an efficient replacement for the `cve-check` logic currently
available in Yocto Project. It fetches data from multiple databases,
including NVD and the CVE List, and supports various annotation formats,
such as OpenVEX and the Yocto Project's custom VEX manifest.
For export, `sbom-cve-check` can generate a SPDX 3.0 file, a
`cve-check`-compatible JSON file, and a summary report that lists all
vulnerabilities per component, styled similarly to the output of the
Yocto Project's `cve-check` class.
For more context on the inclusion of `sbom-cve-check` in OpenEmbedded
Core, see the discussion [1].
For detailed documentation about `sbom-cve-check`, visit [2].
[1] https://lists.openembedded.org/g/openembedded-core/topic/117638558
[2] https://sbom-cve-check.readthedocs.io/
[3] https://lists.openembedded.org/g/openembedded-core/message/231519
[4] https://lore.kernel.org/r/20260317-update-sbom-cve-check-recipe-v1-1-49b50bf80bf2@bootlin.com
Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
Changes in v7:
- Fix commit message: the databases are no longer extracted in DL_DIR.
- Add bitbake-config-build enable-fragment command in comment.
- Always use sbom-cve-check for directory name instead of sbom_cve_check.
- Change the extension (suffix) of the generated files; they are now:
  - .sbom-cve-check.spdx.json
  - .sbom-cve-check.yocto.json
- Move recipes to recipes-devtools/sbom-cve-check/
- No longer install the database .rev file, and use ALLOW_EMPTY:${PN} = "1".
- Split the usage of sbom-cve-check internal fetcher to a separate commit.
- Link to v6: https://patch.msgid.link/20260319-add-sbom-cve-check-v6-0-cfc657daa6b7@bootlin.com
Changes in v6:
- Add missing BB_CONF_FRAGMENT_SUMMARY/BB_CONF_FRAGMENT_DESCRIPTION.
- Link to v5: https://patch.msgid.link/20260319-add-sbom-cve-check-v5-0-e310cce7399d@bootlin.com
Changes in v5:
- Use "cve-tou" license for sbom-cve-check-update-nvd-native.bb
- Use internal Bitbake fetcher to download the git repository.
- Execute sbom-cve-check with --disable-auto-update flag (requires 1.2.0).
- Add meta/conf/fragments/yocto/sbom-cve-check.conf config fragment.
- Link to v4: https://patch.msgid.link/20260311-add-sbom-cve-check-v4-0-f4e6c4cee8ca@bootlin.com
Changes in v4:
- Remove the `nostamp` flag from the `do_sbom_cve_check` task.
- Remove the unnecessary "recrdeptask" on `do_create_image_sbom_spdx`.
The only required dependency is to run after the
`do_create_image_sbom_spdx` task of the image recipe.
- Add the `do_sbom_cve_check_setscene` task.
- Update the dependency for the two CVE database-fetching recipes: the
`do_sbom_cve_check` task now runs after their `do_populate_sysroot`.
- In the two CVE database-fetching recipes, include a file in the
sysroot containing the Git revision of the fetched CVE database. This
leverages BitBake's checksum computation for sysroot files to
determine if dependent tasks need re-execution.
- Add missing `HOMEPAGE` links to `sbom-cve-check-update-*-native.bb`.
- Move the code in `sbom-cve-check-update-db.bbclass` to a simple
include file. Other layers that may want to add a new recipe to
download another database can still include it using:
`require recipes-core/meta/sbom-cve-check-update-db.inc`.
- Rename configuration variables for clarity.
- Add `SBOM_CVE_CHECK_DATABASES_DIR` to define the base directory for
CVE databases, allowing users to configure an alternate storage
location.
- Improve documentation for all configuration variables.
- By default, the class now generates a JSON file in the `cve-check`
format in addition to the exported SPDX 3.0 output.
- Link to v3: https://lore.kernel.org/r/20260226-add-sbom-cve-check-v3-0-2e60423f4d35@bootlin.com
Changes in v3:
- Improve first commit message about sorting maintainers.inc.
- Add missing maintainers information for sbom-cve-check-update-*-native
recipes...
- Link to v2: https://lore.kernel.org/r/20260225-add-sbom-cve-check-v2-0-eeffa285b901@bootlin.com
Changes in v2:
- Sort maintainers.inc list in alphabetical order.
- Add missing maintainers information for new recipes.
- python3-spdx-python-model depends on native shacl2code and
hatch-build-scripts recipes.
- Link to v1: https://lore.kernel.org/r/20260224-add-sbom-cve-check-v1-0-1c76fbd7f01b@bootlin.com
---
Benjamin Robin (2):
sbom-cve-check: Add class for post-build CVE analysis
sbom-cve-check: allows to use network and internal fetcher
meta/classes-recipe/sbom-cve-check.bbclass | 127 +++++++++++++++++++++
meta/conf/distro/include/maintainers.inc | 2 +
meta/conf/fragments/yocto/sbom-cve-check.conf | 14 +++
.../sbom-cve-check/sbom-cve-check-config.inc | 20 ++++
.../sbom-cve-check-update-cvelist-native.bb | 12 ++
.../sbom-cve-check/sbom-cve-check-update-db.inc | 21 ++++
.../sbom-cve-check-update-nvd-native.bb | 12 ++
7 files changed, 208 insertions(+)
---
base-commit: 531f87111d83430615f2e20dd41a3dd5fc25c7ab
change-id: 20260223-add-sbom-cve-check-f34614b147dc
Best regards,
--
Benjamin Robin <benjamin.robin@bootlin.com>
* [PATCH v7 1/2] sbom-cve-check: Add class for post-build CVE analysis
From: Benjamin Robin @ 2026-03-23 16:12 UTC (permalink / raw)
To: openembedded-core
Cc: richard.purdie, rybczynska, ross.burton, peter.marko, jpewhacker,
olivier.benjamin, antonin.godard, mathieu.dubois-briand,
thomas.petazzoni, Benjamin Robin
By default, the sbom-cve-check class generates these export files:
- A JSON in `cve-check` format, named `${IMAGE_NAME}.cve-check.json`
- An SPDX 3.0 SBOM, named `${IMAGE_NAME}.cve-check.spdx.json`.
A user can add or remove export file formats by using the
`SBOM_CVE_CHECK_EXPORT_VARS` variable.
By default, the CVE databases are downloaded using the following
recipes:
- sbom-cve-check-update-cvelist-native.bb
- sbom-cve-check-update-nvd-native.bb
The database fetch and deploy logic is implemented in
sbom-cve-check-update-db.inc. The CVE databases are deployed in
`${DEPLOY_DIR}/sbom-cve-check/databases/`. This can be configured
by the `SBOM_CVE_CHECK_DEPLOY_DB_DIR` variable defined in
meta/recipes-core/meta/sbom-cve-check-config.inc.
The CVE git databases are fetched using the BitBake fetcher. Currently,
the BitBake fetcher does not support a shallow clone that can be updated.
While `BB_GIT_SHALLOW` exists, it creates multiple tarballs in the
download directory, which is inefficient for updates. For now, the git
database is fully fetched.
The `SRCREV` of the git database is set to a fixed version. A user can
override this by specifying any other version, or `AUTOREV` can be
specified.
To simplify the activation and configuration of sbom-cve-check, a
configuration fragment is provided with recommended default values.
`sbom-cve-check` is configured to run without requiring network access.
The CVE analysis runs only if either the original SBOM changes or the
CVE databases are updated. In the two CVE database-fetching recipes, a
file in the sysroot is written, containing the Git revision of the
fetched CVE database.
`sbom-cve-check` is executed with the generated VEX manifest only if
enabled and if `SPDX_INCLUDE_VEX` is set to a value other than "all".
When `SPDX_INCLUDE_VEX=all`, the SPDX 3.0 file already contains all the
necessary information for CVE analysis, making the VEX manifest
redundant.
Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
meta/classes-recipe/sbom-cve-check.bbclass | 115 +++++++++++++++++++++
meta/conf/distro/include/maintainers.inc | 2 +
meta/conf/fragments/yocto/sbom-cve-check.conf | 14 +++
.../sbom-cve-check/sbom-cve-check-config.inc | 5 +
.../sbom-cve-check-update-cvelist-native.bb | 12 +++
.../sbom-cve-check/sbom-cve-check-update-db.inc | 21 ++++
.../sbom-cve-check-update-nvd-native.bb | 12 +++
7 files changed, 181 insertions(+)
diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
new file mode 100644
index 000000000000..536bbe17c020
--- /dev/null
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -0,0 +1,115 @@
+# SPDX-License-Identifier: MIT
+
+# It is recommended to enable this class through the sbom-cve-check fragment:
+# bitbake-config-build enable-fragment core/yocto/sbom-cve-check
+#
+# Or it is possible to add this line in local.conf:
+# OE_FRAGMENTS += "core/yocto/sbom-cve-check"
+
+require recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc
+
+SBOM_CVE_CHECK_DEPLOYDIR = "${WORKDIR}/sbom-cve-check/image-deploy"
+
+SBOM_CVE_CHECK_EXTRA_ARGS[doc] = "Allow to specify extra arguments to sbom-cve-check. \
+ For example to add export flags for filtering (e.g., only export vulnerable CVEs). \
+"
+SBOM_CVE_CHECK_EXTRA_ARGS ??= ""
+
+SBOM_CVE_CHECK_EXPORT_VARS[doc] = "List of variables that declare export files to generate. \
+ Each variable must have a 'type' and an 'ext' flag set. \
+ The 'type' flag contains the value that is passed to the --export-type command flags. \
+ The 'ext' flag contains the filename extension (suffix). The output filename is going \
+ to be ${IMAGE_NAME}${ext} \
+"
+SBOM_CVE_CHECK_EXPORT_VARS ?= "SBOM_CVE_CHECK_EXPORT_SPDX3 SBOM_CVE_CHECK_EXPORT_CVECHECK"
+
+SBOM_CVE_CHECK_EXPORT_SPDX3[doc] = "Export configuration to generate an SPDX3 SBOM file, \
+ with the following name: ${IMAGE_NAME}.sbom-cve-check.spdx.json \
+"
+SBOM_CVE_CHECK_EXPORT_SPDX3[type] ?= "spdx3"
+SBOM_CVE_CHECK_EXPORT_SPDX3[ext] ?= ".sbom-cve-check.spdx.json"
+
+SBOM_CVE_CHECK_EXPORT_CVECHECK[doc] = "Export configuration to generate a JSON manifest \
+ in the same format as the cve-check class, with the following name: \
+ ${IMAGE_NAME}.sbom-cve-check.json \
+"
+SBOM_CVE_CHECK_EXPORT_CVECHECK[type] ?= "yocto-cve-check-manifest"
+SBOM_CVE_CHECK_EXPORT_CVECHECK[ext] ?= ".sbom-cve-check.yocto.json"
+
+python do_sbom_cve_check() {
+ """
+ Task: Run sbom-cve-check analysis on SBOM.
+ """
+ import os
+ import bb
+ from oe.cve_check import update_symlinks
+
+ if not bb.data.inherits_class("create-spdx-3.0", d):
+ bb.fatal("Cannot execute sbom-cve-check missing create-spdx-3.0 inherit.")
+
+ sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
+ vex_manifest_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.json")
+ dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR")
+ deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
+ img_link_name = d.getVar("IMAGE_LINK_NAME")
+ img_name = d.getVar("IMAGE_NAME")
+
+ export_files = []
+ for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split():
+ export_ext = d.getVarFlag(export_var, "ext")
+ export_path = f"{deploy_dir}/{img_name}{export_ext}"
+ export_link = f"{deploy_dir}/{img_link_name}{export_ext}"
+ export_type = d.getVarFlag(export_var, "type")
+ export_files.append((export_type, export_path, export_link))
+
+ cmd_env = os.environ.copy()
+ cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = dl_db_dir
+
+ cmd_args = [
+ d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"),
+ "--sbom-path",
+ sbom_path,
+ "--disable-auto-updates"
+ ]
+
+ # Assume that SPDX_INCLUDE_VEX is set globally to "all", and not only for the
+ # image recipe, which is very unlikely. This is not an issue to include the
+ # VEX manifest even if not needed.
+ if bb.data.inherits_class("vex", d) and d.getVar("SPDX_INCLUDE_VEX") != "all":
+ cmd_args.extend(["--yocto-vex-manifest", vex_manifest_path])
+
+ for export_file in export_files:
+ cmd_args.extend(
+ ["--export-type", export_file[0], "--export-path", export_file[1]]
+ )
+
+ cmd_args.extend(d.getVar("SBOM_CVE_CHECK_EXTRA_ARGS").split())
+
+ try:
+ bb.note("Running: {}".format(" ".join(cmd_args)))
+ bb.process.run(cmd_args, env=cmd_env)
+ except bb.process.ExecutionError as e:
+ bb.error(f"sbom-cve-check failed: {e}")
+ return
+
+ for export_file in export_files:
+ bb.note(f"sbom-cve-check exported: {export_file[1]}")
+ update_symlinks(export_file[1], export_file[2])
+}
+
+addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build
+
+SSTATETASKS += "do_sbom_cve_check"
+do_sbom_cve_check[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
+do_sbom_cve_check[depends] += " \
+ python3-sbom-cve-check-native:do_populate_sysroot \
+ sbom-cve-check-update-cvelist-native:do_install \
+ sbom-cve-check-update-nvd-native:do_install \
+"
+
+python do_sbom_cve_check_setscene() {
+ sstate_setscene(d)
+}
+addtask do_sbom_cve_check_setscene
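Review bot: the doc flag on SBOM_CVE_CHECK_EXPORT_CVECHECK says the file is named `${IMAGE_NAME}.sbom-cve-check.json`, but its `[ext]` flag is `.sbom-cve-check.yocto.json`; the doc string (and the commit message, which still says `.cve-check.json`) should match the flag. In the failure path, `bb.error(f"sbom-cve-check failed: {e}")` followed by `return` skips the symlink update and leaves it unclear what ends up in `${SBOM_CVE_CHECK_DEPLOYDIR}` as sstate input for the run; `bb.fatal` would make a failed analysis unambiguous. Minor: the fatal message reads better as "Cannot execute sbom-cve-check: create-spdx-3.0 is not inherited."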
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index c7a646a643e6..c8f215188f83 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -789,6 +789,8 @@ RECIPE_MAINTAINER:pn-sassc = "Simone Weiß <simone.p.weiss@posteo.com>"
RECIPE_MAINTAINER:pn-sato-icon-theme = "Richard Purdie <richard.purdie@linuxfoundation.org>"
RECIPE_MAINTAINER:pn-sato-screenshot = "Ross Burton <ross.burton@arm.com>"
RECIPE_MAINTAINER:pn-sbc = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-sbom-cve-check-update-cvelist-native = "Benjamin Robin <benjamin.robin@bootlin.com>"
+RECIPE_MAINTAINER:pn-sbom-cve-check-update-nvd-native = "Benjamin Robin <benjamin.robin@bootlin.com>"
RECIPE_MAINTAINER:pn-scdoc = "Alex Kiernan <alex.kiernan@gmail.com>"
RECIPE_MAINTAINER:pn-screen = "Unassigned <unassigned@yoctoproject.org>"
RECIPE_MAINTAINER:pn-seatd = "Unassigned <unassigned@yoctoproject.org>"
diff --git a/meta/conf/fragments/yocto/sbom-cve-check.conf b/meta/conf/fragments/yocto/sbom-cve-check.conf
new file mode 100644
index 000000000000..a3f229acf28a
--- /dev/null
+++ b/meta/conf/fragments/yocto/sbom-cve-check.conf
@@ -0,0 +1,14 @@
+BB_CONF_FRAGMENT_SUMMARY = "This fragment enables sbom-cve-check with recommended default options"
+BB_CONF_FRAGMENT_DESCRIPTION = "Enables sbom-cve-check and applies the following configurations: \
+ - Adds the sbom-cve-check class to IMAGE_CLASSES. \
+ - Configures CVE database recipes to fetch the latest git revision using AUTOREV. \
+ - Ensures generated SBOM includes all CVE annotations. \
+ - Configures the Linux kernel recipe to provide compiled sources, \
+ allowing CVEs to be excluded if the source is not compiled. \
+"
+
+IMAGE_CLASSES:append = " sbom-cve-check"
+SRCREV:pn-sbom-cve-check-update-nvd-native = "${AUTOREV}"
+SRCREV:pn-sbom-cve-check-update-cvelist-native = "${AUTOREV}"
+SPDX_INCLUDE_VEX = "all"
+SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = "1"
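Review bot: SPDX_INCLUDE_VEX and SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto are set with a plain `=`, so depending on include order the fragment can silently override a user's own setting of those variables; `?=` would keep the recommended values overridable. It is also worth stating in BB_CONF_FRAGMENT_DESCRIPTION that the two `${AUTOREV}` lines make the database recipes resolve the latest upstream revision on every fetch, so those recipes need network access and two builds of the same image can report different CVE sets.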
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc
new file mode 100644
index 000000000000..d337cef2355c
--- /dev/null
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: MIT
+
+SBOM_CVE_CHECK_DEPLOY_DB_DIR ??= "${DEPLOY_DIR}/sbom-cve-check/databases"
+SBOM_CVE_CHECK_DEPLOY_DB_DIR[doc] = "Path to the directory where the CVE databases, \
+ fetched by the sbom-cve-check-update-* recipes, are extracted for use."
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb
new file mode 100644
index 000000000000..ce204db6c51a
--- /dev/null
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb
@@ -0,0 +1,12 @@
+SUMMARY = "Updates the CVE List database"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+HOMEPAGE = "https://github.com/CVEProject/cvelistV5"
+SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https"
+SBOM_CVE_CHECK_DB_NAME = "cvelist"
+
+# 2026-03-19_baseline
+SRCREV = "ada54ee3cc8380820aa45e4996910bdc9dcb94e7"
+
+require sbom-cve-check-update-db.inc
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
new file mode 100644
index 000000000000..5d7a07001c67
--- /dev/null
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: MIT
+
+INHIBIT_DEFAULT_DEPS = "1"
+EXCLUDE_FROM_WORLD = "1"
+
+inherit native
+require sbom-cve-check-config.inc
+
+SBOM_CVE_CHECK_DB_NAME[doc] = "Database name, which is the Git repository directory name. \
+ The git repository will be stored in ${SBOM_CVE_CHECK_DEPLOY_DB_DIR)/"
+
+DEPENDS += "rsync-native"
+ALLOW_EMPTY:${PN} = "1"
+
+# In the install task, also deploy directly to ${DEPLOY_DIR} using rsync.
+# This is an hack, we are not using do_deploy to prevent multiple unnecessary copy of the CVE database.
+do_install() {
+ dst="${SBOM_CVE_CHECK_DEPLOY_DB_DIR}/${SBOM_CVE_CHECK_DB_NAME}"
+ mkdir -p "$dst"
+ rsync -aH --delete --link-dest="${S}/" "${S}/" "${dst}/"
+}
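Review bot: the doc string for SBOM_CVE_CHECK_DB_NAME has a mismatched brace: `${SBOM_CVE_CHECK_DEPLOY_DB_DIR)/` should be `${SBOM_CVE_CHECK_DEPLOY_DB_DIR}/`. The do_install function also writes outside `${D}`, straight into the shared `${SBOM_CVE_CHECK_DEPLOY_DB_DIR}` with `rsync --delete`; that directory is not covered by sstate or by `bitbake -c clean` of this recipe, and the two database recipes sharing the parent directory rely solely on SBOM_CVE_CHECK_DB_NAME being unique. The "hack" comment only says why do_deploy was avoided; a sentence on the lifecycle of that directory (what removes it, what happens on a SRCREV change) would help the next maintainer.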
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
new file mode 100644
index 000000000000..46c86952a164
--- /dev/null
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
@@ -0,0 +1,12 @@
+SUMMARY = "Updates the NVD CVE database"
+LICENSE = "cve-tou"
+LIC_FILES_CHKSUM = "file://LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
+
+HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-feeds"
+SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https"
+SBOM_CVE_CHECK_DB_NAME = "nvd-fkie"
+
+# v2026.03.19-010002
+SRCREV = "49f8bbe1b0b0884e16bdc37ab68db997085570a7"
+
+require sbom-cve-check-update-db.inc
--
2.53.0
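The class above exports a manifest in the cve-check JSON format. As an added example that is not part of the patch series, the script below consumes such a manifest and lists the CVEs still marked Unpatched per package, optionally filtered by a CVSS v3 threshold. The field names ("package", "issue", "status", "scorev3") are an assumption based on the layout of the cve-check manifest, and the embedded sample uses constructed placeholder CVE ids.

```python
"""Summarise a cve-check-format manifest (e.g. ${IMAGE_NAME}.sbom-cve-check.yocto.json)."""
import json
import sys
from collections import defaultdict

# Constructed sample manifest. The field names are an assumption based on the
# cve-check manifest layout, not taken from the patch series; the CVE ids are
# placeholders.
SAMPLE_MANIFEST = json.dumps({
    "version": "1",
    "package": [
        {"name": "zlib", "layer": "meta", "version": "1.3.1",
         "issue": [
             {"id": "CVE-0000-0001", "status": "Patched", "scorev3": "7.5"},
             {"id": "CVE-0000-0002", "status": "Unpatched", "scorev3": "9.8"},
         ]},
        {"name": "busybox", "layer": "meta", "version": "1.36.1",
         "issue": [
             {"id": "CVE-0000-0003", "status": "Ignored", "scorev3": "5.3"},
             {"id": "CVE-0000-0004", "status": "Unpatched", "scorev3": "4.0"},
             {"id": "CVE-0000-0005", "status": "Unpatched", "scorev3": ""},
         ]},
    ],
})


def parse_score(value):
    """Return the CVSS v3 score as a float, or None when absent or unparsable."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def unpatched_by_package(manifest, min_score=0.0):
    """Map 'name-version' -> list of (cve_id, score) for issues still Unpatched.

    Patched and Ignored issues are excluded. An issue without a usable score is
    kept (score None) so a severity threshold never silently drops it.
    """
    result = defaultdict(list)
    for pkg in manifest.get("package", []):
        key = f"{pkg.get('name', '?')}-{pkg.get('version', '?')}"
        for issue in pkg.get("issue", []):
            if issue.get("status") != "Unpatched":
                continue
            score = parse_score(issue.get("scorev3"))
            if score is not None and score < min_score:
                continue
            result[key].append((issue.get("id"), score))
    return dict(result)


def summarize(text, min_score=0.0):
    """Parse manifest JSON text and return (per_package, total_unpatched)."""
    per_package = unpatched_by_package(json.loads(text), min_score)
    total = sum(len(issues) for issues in per_package.values())
    return per_package, total


def main(argv):
    # Usage: script.py [manifest.json] [min_cvss_v3]; without arguments the
    # constructed sample is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_MANIFEST
    min_score = float(argv[2]) if len(argv) > 2 else 0.0
    per_package, total = summarize(text, min_score)
    for key, issues in sorted(per_package.items()):
        print(f"{key}:")
        for cve_id, score in issues:
            shown = "n/a" if score is None else score
            print(f"  {cve_id} (CVSSv3 {shown})")
    print(f"{total} unpatched CVE(s)")
    # Non-zero exit lets a CI job fail the build on open findings.
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```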
* [PATCH v7 2/2] sbom-cve-check: allows to use network and internal fetcher
From: Benjamin Robin @ 2026-03-23 16:12 UTC (permalink / raw)
To: openembedded-core
Cc: richard.purdie, rybczynska, ross.burton, peter.marko, jpewhacker,
olivier.benjamin, antonin.godard, mathieu.dubois-briand,
thomas.petazzoni, Benjamin Robin
For advanced usage of sbom-cve-check, allow users to leverage the
internal fetcher (e.g., for downloading annotation databases).
Introduce the SBOM_CVE_CHECK_INTERNAL_FETCHER configuration variable
to control this behavior. When set to 1, the do_sbom_cve_check task
is granted network access and the task is always run (nostamp = 1).
Additionally, allow overriding the default download location for
databases fetched by the internal fetcher by introducing the
SBOM_CVE_CHECK_DATABASES_DIR Yocto variable.
Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
meta/classes-recipe/sbom-cve-check.bbclass | 26 ++++++++++++++++------
.../sbom-cve-check/sbom-cve-check-config.inc | 15 +++++++++++++
2 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
index 536bbe17c020..c51ea4575985 100644
--- a/meta/classes-recipe/sbom-cve-check.bbclass
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -49,7 +49,6 @@ python do_sbom_cve_check() {
sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
vex_manifest_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.json")
- dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR")
deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
img_link_name = d.getVar("IMAGE_LINK_NAME")
img_name = d.getVar("IMAGE_NAME")
@@ -62,16 +61,21 @@ python do_sbom_cve_check() {
export_type = d.getVarFlag(export_var, "type")
export_files.append((export_type, export_path, export_link))
- cmd_env = os.environ.copy()
- cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = dl_db_dir
-
cmd_args = [
d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"),
"--sbom-path",
sbom_path,
- "--disable-auto-updates"
]
+ cmd_env = os.environ.copy()
+ if int(d.getVar("SBOM_CVE_CHECK_INTERNAL_FETCHER")):
+ db_dir = d.getVar("SBOM_CVE_CHECK_DATABASES_DIR")
+ if db_dir:
+ cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = db_dir
+ else:
+ cmd_args.append("--disable-auto-updates")
+ cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR")
+
# Assume that SPDX_INCLUDE_VEX is set globally to "all", and not only for the
# image recipe, which is very unlikely. This is not an issue to include the
# VEX manifest even if not needed.
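Review bot: `int(d.getVar("SBOM_CVE_CHECK_INTERNAL_FETCHER"))` raises ValueError for any value that is not a decimal string, so a user setting the variable to "" or "true" breaks the task instead of disabling the feature; `bb.utils.to_boolean(...)` (or `oe.types.boolean`) gives the usual 0/1/true/false handling. Also, when the internal fetcher is enabled and SBOM_CVE_CHECK_DATABASES_DIR is empty, the environment variable is left unset and the tool's own default location is used; saying so in the doc string would help users find where the databases end up.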
@@ -97,6 +101,12 @@ python do_sbom_cve_check() {
update_symlinks(export_file[1], export_file[2])
}
+python() {
+ if int(d.getVar("SBOM_CVE_CHECK_INTERNAL_FETCHER")):
+ d.setVarFlag("do_sbom_cve_check", "network", "1")
+ d.setVarFlag("do_sbom_cve_check", "nostamp", "1")
+}
+
addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build
SSTATETASKS += "do_sbom_cve_check"
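Review bot: the anonymous Python function repeats the `int(...)` conversion, so a non-numeric value here aborts parsing of every image recipe inheriting the class. Beyond that, setting `nostamp` while the task stays in SSTATETASKS with a setscene task leaves it unclear whether a previously stored sstate object can be restored in place of the always-run task; either take the task out of SSTATETASKS in this mode or document why that cannot happen.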
@@ -105,8 +115,10 @@ do_sbom_cve_check[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
do_sbom_cve_check[depends] += " \
python3-sbom-cve-check-native:do_populate_sysroot \
- sbom-cve-check-update-cvelist-native:do_install \
- sbom-cve-check-update-nvd-native:do_install \
+ ${@oe.utils.conditional('SBOM_CVE_CHECK_INTERNAL_FETCHER','0',' \
+ sbom-cve-check-update-cvelist-native:do_install \
+ sbom-cve-check-update-nvd-native:do_install \
+ ','',d)} \
"
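Review bot: `oe.utils.conditional('SBOM_CVE_CHECK_INTERNAL_FETCHER','0', ...)` compares the variable with the literal string '0', while the Python code converts it with int(); a value such as "00", " 0" or "false" drops the database dependencies here but is handled differently (or rejected) there. Normalising the flag once, for example with bb.utils.to_boolean, and using that value in both places keeps the two consistent.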
python do_sbom_cve_check_setscene() {
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc
index d337cef2355c..dd8fb5db11a1 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc
@@ -3,3 +3,18 @@
SBOM_CVE_CHECK_DEPLOY_DB_DIR ??= "${DEPLOY_DIR}/sbom-cve-check/databases"
SBOM_CVE_CHECK_DEPLOY_DB_DIR[doc] = "Path to the directory where the CVE databases, \
fetched by the sbom-cve-check-update-* recipes, are extracted for use."
+
+SBOM_CVE_CHECK_DATABASES_DIR ??= ""
+SBOM_CVE_CHECK_DATABASES_DIR[doc] = "Allows to configure the directory where the \
+ CVE databases are extracted for use, if fetched by sbom-cve-check itself. \
+ This variable is only used if SBOM_CVE_CHECK_INTERNAL_FETCHER is set to 1. \
+"
+
+SBOM_CVE_CHECK_INTERNAL_FETCHER ?= "0"
+SBOM_CVE_CHECK_INTERNAL_FETCHER[doc] = "Set to 1 to use sbom-cve-check internal fetcher. \
+ In this case sbom-cve-check task will have access to network, and the downloaded \
+ databases are stored in the default location or in the directory specified by \
+ SBOM_CVE_CHECK_DATABASES_DIR if not empty. \
+ This is useful, if a user needs network access during execution (e.g., to download \
+ annotation databases), they can set `SBOM_CVE_CHECK_ALLOW_NETWORK` to "1". \
+"
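Review bot: the last sentence of SBOM_CVE_CHECK_INTERNAL_FETCHER[doc] refers to `SBOM_CVE_CHECK_ALLOW_NETWORK`, a variable that does not exist anywhere in this series; the network flag is granted by SBOM_CVE_CHECK_INTERNAL_FETCHER itself, so the sentence should say that setting this variable to "1" is what enables network access. "Allows to configure" in SBOM_CVE_CHECK_DATABASES_DIR[doc] reads better as "Configures".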
--
2.53.0
* Re: [PATCH v7 1/2] sbom-cve-check: Add class for post-build CVE analysis
From: Antonin Godard @ 2026-03-24 9:21 UTC (permalink / raw)
To: Benjamin Robin, openembedded-core
Cc: richard.purdie, rybczynska, ross.burton, peter.marko, jpewhacker,
olivier.benjamin, mathieu.dubois-briand, thomas.petazzoni
Hi,
Thanks for the new version. I'll suggest a simplification to how the databases
are unpacked, since I understand this is a costly operation.
This gets rid of the do_install() task, and rsync-native dependency. What this
does is let the BitBake fetcher handle the unpacking/checkout of the databases
directly in the DEPLOYDIR. This simplifies the recipe and removes one copy
operation, I think.
I've successfully generated the two json output files with this (with the class
added for the core-image-minimal build).
diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
index c51ea45759..a5c23142b7 100644
--- a/meta/classes-recipe/sbom-cve-check.bbclass
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -116,8 +116,8 @@ do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
do_sbom_cve_check[depends] += " \
python3-sbom-cve-check-native:do_populate_sysroot \
${@oe.utils.conditional('SBOM_CVE_CHECK_INTERNAL_FETCHER','0',' \
- sbom-cve-check-update-cvelist-native:do_install \
- sbom-cve-check-update-nvd-native:do_install \
+ sbom-cve-check-update-cvelist-native:do_unpack \
+ sbom-cve-check-update-nvd-native:do_unpack \
','',d)} \
"
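Review bot: with the dependency moved to do_unpack, the sysroot revision file from v4 no longer exists, so it is worth confirming that do_sbom_cve_check's task hash still changes when SRCREV of a database recipe changes (do_unpack's signature should carry SRCREV through SRC_URI, but a `bitbake-diffsigs` after bumping SRCREV would settle it) and that a do_unpack-only dependency still triggers the fetch when the image is rebuilt from sstate on a fresh TMPDIR.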
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
index 5d7a07001c..6a968e941c 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
@@ -9,13 +9,12 @@ require sbom-cve-check-config.inc
SBOM_CVE_CHECK_DB_NAME[doc] = "Database name, which is the Git repository directory name. \
The git repository will be stored in ${SBOM_CVE_CHECK_DEPLOY_DB_DIR)/"
-DEPENDS += "rsync-native"
-ALLOW_EMPTY:${PN} = "1"
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
-# In the install task, also deploy directly to ${DEPLOY_DIR} using rsync.
-# This is an hack, we are not using do_deploy to prevent multiple unnecessary copy of the CVE database.
-do_install() {
- dst="${SBOM_CVE_CHECK_DEPLOY_DB_DIR}/${SBOM_CVE_CHECK_DB_NAME}"
- mkdir -p "$dst"
- rsync -aH --delete --link-dest="${S}/" "${S}/" "${dst}/"
-}
+UNPACKDIR = "${SBOM_CVE_CHECK_DEPLOY_DB_DIR}"
+S = "${UNPACKDIR}"
+BB_GIT_DEFAULT_DESTSUFFIX = "${SBOM_CVE_CHECK_DB_NAME}"
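Review bot: UNPACKDIR now points at the shared `${SBOM_CVE_CHECK_DEPLOY_DB_DIR}` for both database recipes, separated only by BB_GIT_DEFAULT_DESTSUFFIX, so any cleandirs or cleanup attached to do_unpack or do_clean applies to the shared parent; it should be verified that cleaning one recipe does not remove the other database. With do_populate_sysroot deleted, whether `inherit native` and INHIBIT_DEFAULT_DEPS are still needed deserves a second look. The mismatched `)` in the SBOM_CVE_CHECK_DB_NAME doc string on the context line is still there.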
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
index 46c86952a1..30c7868b2a 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
@@ -1,6 +1,6 @@
SUMMARY = "Updates the NVD CVE database"
LICENSE = "cve-tou"
-LIC_FILES_CHKSUM = "file://LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
+LIC_FILES_CHKSUM = "file://${SBOM_CVE_CHECK_DB_NAME}/LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-feeds"
SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https"
Antonin
* Re: [PATCH v7 1/2] sbom-cve-check: Add class for post-build CVE analysis
From: Benjamin Robin @ 2026-03-24 10:12 UTC (permalink / raw)
To: openembedded-core, Antonin Godard
Cc: richard.purdie, rybczynska, ross.burton, peter.marko, jpewhacker,
olivier.benjamin, mathieu.dubois-briand, thomas.petazzoni
Hi,
On Tuesday, March 24, 2026 at 10:21 AM, Antonin Godard wrote:
> Hi,
>
> Thanks for the new version. I'll suggest a simplification to how the databases
> are unpacked, since I understand this is a costly operation.
>
> This gets rid of the do_install() task, and rsync-native dependency. What this
> does is let the BitBake fetcher handle the unpacking/checkout of the databases
> directly in the DEPLOYDIR. This simplifies the recipe and removes one copy
> operation, I think.
Thank you Antonin for this suggestion, really good idea.
This is a bit simpler and faster, and should be completely safe.
I am going to send a v8 with these changes after running various tests.
The only thing left to have something way faster (for the initial build)
would be to have a true support of shallow clone that can be updated.
But this will be implemented later :)
> diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
> index 5d7a07001c..6a968e941c 100644
> --- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
> +++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
> @@ -9,13 +9,12 @@ require sbom-cve-check-config.inc
> SBOM_CVE_CHECK_DB_NAME[doc] = "Database name, which is the Git repository directory name. \
> The git repository will be stored in ${SBOM_CVE_CHECK_DEPLOY_DB_DIR)/"
>
> -DEPENDS += "rsync-native"
> -ALLOW_EMPTY:${PN} = "1"
> +deltask do_patch
> +deltask do_configure
> +deltask do_compile
> +deltask do_install
> +deltask do_populate_sysroot
>
> -# In the install task, also deploy directly to ${DEPLOY_DIR} using rsync.
> -# This is an hack, we are not using do_deploy to prevent multiple unnecessary copy of the CVE database.
> -do_install() {
> - dst="${SBOM_CVE_CHECK_DEPLOY_DB_DIR}/${SBOM_CVE_CHECK_DB_NAME}"
> - mkdir -p "$dst"
> - rsync -aH --delete --link-dest="${S}/" "${S}/" "${dst}/"
> -}
> +UNPACKDIR = "${SBOM_CVE_CHECK_DEPLOY_DB_DIR}"
> +S = "${UNPACKDIR}"
> +BB_GIT_DEFAULT_DESTSUFFIX = "${SBOM_CVE_CHECK_DB_NAME}"
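Review bot: when folding this into v8, the `${SBOM_CVE_CHECK_DEPLOY_DB_DIR)/` brace mismatch in the unchanged doc-string context line above is a good moment to fix as well, since the line is already being touched in the same include file.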
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com