From: Benjamin Robin <benjamin.robin@bootlin.com>
To: openembedded-core@lists.openembedded.org,
Ross Burton <ross.burton@arm.com>
Subject: Re: [RFC PATCH 1/3] sbom-cve-check: refactor do_sbom_cve_check
Date: Fri, 03 Apr 2026 10:19:05 +0200
Message-ID: <40351709.10thIPus4b@brobin-bootlin>
In-Reply-To: <20260402162510.1945892-1-ross.burton@arm.com>
Hello Ross,
I have seen that you have made various previous improvements to the
sbom-cve-check class. Thank you!
Don't hesitate to always add me in CC. Sometimes I am quite busy, and I
may miss the exchange on the mailing list.
For this RFC, I am overall OK with it. There are a few things that need
to be fixed/improved.
On Thursday, April 2, 2026 at 6:25 PM, Ross Burton wrote:
> Extract the bulk of the logic to a separate function, so the task just
> has to pass a few variables.
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
> meta/classes-recipe/sbom-cve-check.bbclass | 29 +++++++++++++---------
> 1 file changed, 17 insertions(+), 12 deletions(-)
>
> diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
> index 4abc427c58..fef6f0c2aa 100644
> --- a/meta/classes-recipe/sbom-cve-check.bbclass
> +++ b/meta/classes-recipe/sbom-cve-check.bbclass
> @@ -43,28 +43,24 @@ SBOM_CVE_CHECK_EXPORT_SUMMARY[doc] = "Export configuration to generate a human-r
> SBOM_CVE_CHECK_EXPORT_SUMMARY[type] ?= "summary"
> SBOM_CVE_CHECK_EXPORT_SUMMARY[ext] ?= ".cve.txt"
>
> -python do_sbom_cve_check() {
> - """
> - Task: Run sbom-cve-check analysis on SBOM.
> - """
> +
> +def run_sbom_cve_check(d, recipe_name, link_name=None):
Maybe rename the parameters to: export_base_name and export_link_name?
Another parameter is needed (I guess), the path to the SPDX3 SBOM that needs
to be analyzed.
> import os
> import bb
> - from oe.cve_check import update_symlinks
Do you know why you removed this import?
Is it not necessary? Who imports it globally (if this is the case)?
>
> if not bb.data.inherits_class("create-spdx-3.0", d):
> - bb.fatal("Cannot execute sbom-cve-check missing create-spdx-3.0 inherit.")
> + bb.fatal("Cannot execute sbom-cve-check: missing create-spdx-3.0 inherit.")
>
> - sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
> + image_deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
> + sbom_path = d.expand(f"{image_deploy_dir}/{recipe_name}.spdx.json")
> dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR")
> - deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
> - img_link_name = d.getVar("IMAGE_LINK_NAME")
> - img_name = d.getVar("IMAGE_NAME")
> + out_deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
>
> export_files = []
> for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split():
> export_ext = d.getVarFlag(export_var, "ext")
> - export_path = f"{deploy_dir}/{img_name}{export_ext}"
> - export_link = f"{deploy_dir}/{img_link_name}{export_ext}"
> + export_path = f"{out_deploy_dir}/{recipe_name}{export_ext}"
> + export_link = f"{out_deploy_dir}/{link_name}{export_ext}" if link_name else None
> export_type = d.getVarFlag(export_var, "type")
> export_files.append((export_type, export_path, export_link))
>
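Review bot: the SBOM path computed in this hunk silently changes which file is read. The removed line used `${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json`, but the new `sbom_path = d.expand(f"{image_deploy_dir}/{recipe_name}.spdx.json")` is built from `recipe_name`, which the task (second hunk) fills with `IMAGE_NAME`, not `IMAGE_LINK_NAME`. If the image SBOM is deployed under the link name, the check will now look for a file that does not exist; either keep the original path expression in the task and hand it in as a parameter, or derive the name from `link_name` when it is given. Two smaller points on the same lines: `d.expand()` on an f-string whose parts are already expanded is redundant and `os.path.join(image_deploy_dir, f"{recipe_name}.spdx.json")` says what is meant, and `from oe.cve_check import update_symlinks` is deleted here while `update_symlinks(export_file, export_link)` is still called in the unchanged tail of the function, so unless the name is provided by something not shown in this patch, the export step will fail with a NameError. The `inherits_class("create-spdx-3.0", d)` guard also lives inside the shared helper now; if the helper is meant to be reused for non-image recipes later, that check belongs at the call site rather than in the generic function.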
> @@ -96,6 +92,15 @@ python do_sbom_cve_check() {
> bb.note(f"sbom-cve-check exported: {export_file}")
> if export_link:
> update_symlinks(export_file, export_link)
> +
> +
> +python do_sbom_cve_check() {
> + """
> + Task: Run sbom-cve-check analysis on SBOM.
> + """
> + image_name = d.getVar("IMAGE_NAME")
> + link_name = d.getVar("IMAGE_LINK_NAME")
> + run_sbom_cve_check(d, image_name, link_name, sbom_path)
Here you pass the path to the SBOM, which is (I think) a good idea,
but the variable sbom_path is not declared here.
> }
>
> addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build
>
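Review bot: the call `run_sbom_cve_check(d, image_name, link_name, sbom_path)` does not match the function defined in the first hunk, `def run_sbom_cve_check(d, recipe_name, link_name=None)`, which accepts three parameters, so passing four positional arguments would raise a TypeError even if `sbom_path` were defined; as written it fails earlier with a NameError because `sbom_path` is never assigned in the task body. Either add an `sbom_path` parameter to the helper and compute the path here (the original expression was `d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")`), or drop the fourth argument. The docstring that was moved from the old task to the new wrapper also no longer describes the helper; a one-line docstring on `run_sbom_cve_check` stating what `recipe_name` and `link_name` are used for (output base name and symlink name) would make the refactor self-explanatory.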
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
Thread overview:
2026-04-02 16:25 [RFC PATCH 1/3] sbom-cve-check: refactor do_sbom_cve_check Ross Burton
2026-04-02 16:25 ` [RFC PATCH 2/3] sbom-cve-check: move to classes from classes-recipe Ross Burton
2026-04-02 16:30 ` Patchtest results for " patchtest
2026-04-02 16:25 ` [RFC PATCH 3/3] sbom-cve-check: add prototype recipe scanning task Ross Burton
2026-04-03 8:24 ` Benjamin Robin
2026-04-03 8:19 ` Benjamin Robin [this message]
2026-04-03 8:26 ` [OE-core] [RFC PATCH 1/3] sbom-cve-check: refactor do_sbom_cve_check Antonin Godard
2026-04-03 8:33 ` Benjamin Robin