Re: [PATCH v2] sbom-cve-check-common: print warnings on unpatched CVEs

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

From: Benjamin Robin <benjamin.robin@bootlin.com>
To: openembedded-core@lists.openembedded.org,
	Antonin Godard <antonin.godard@bootlin.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Subject: Re: [PATCH v2] sbom-cve-check-common: print warnings on unpatched CVEs
Date: Wed, 22 Apr 2026 08:53:29 +0200	[thread overview]
Message-ID: <53NyEVGwRGarcYy4JYMYFw@bootlin.com> (raw)
In-Reply-To: <20260421-sbom-cve-check-warnings-v2-1-79ae1d2395be@bootlin.com>

Hello Antonin,

Looks good to me. I have just a slight suggestion.

On Tuesday, April 21, 2026 at 3:01 PM, Antonin Godard wrote:
> The now removed cve-check class used to print warnings when CVEs with
> status "Unpatched" were found. Add this feature to the
> sbom-cve-check class with the same default value (enabled).
> 
> For now it only does so when the cvecheck report type is enabled. It may
> be possible to do the same for the SPDX report type.
> 
> Sample output:
> 
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: busybox-1.37.0: Found unpatched CVEs: CVE-2024-58251
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: expat-2.7.5: Found unpatched CVEs: CVE-2025-66382, CVE-2026-41080
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: glibc-2.43+git: Found unpatched CVEs: CVE-2010-4756, CVE-2026-4046
> 
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
> Changes in v2:
> - Apply suggestions from Paul
> - Link to v1: https://patch.msgid.link/20260421-sbom-cve-check-warnings-v1-1-df7861a0a0bc@bootlin.com
> ---
>  meta/classes/sbom-cve-check-common.bbclass | 30 ++++++++++++++++++++++++++++++
>  1 file changed, 30 insertions(+)
> 
> diff --git a/meta/classes/sbom-cve-check-common.bbclass b/meta/classes/sbom-cve-check-common.bbclass
> index 6963ad71c61..32c29a0ec2c 100644
> --- a/meta/classes/sbom-cve-check-common.bbclass
> +++ b/meta/classes/sbom-cve-check-common.bbclass
> @@ -48,6 +48,32 @@ SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES ?= " \
>      sbom-cve-check-update-nvd-native:do_patch \
>  "
>  
> +SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1"
> +SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched CVEs are found. \
> +Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled"
> +
> +def show_warnings_from_file(cvecheck_export_file):
> +    import json
> +
> +    try:
> +        with open(cvecheck_export_file, "r") as f:
> +            report = json.load(f)
> +    except (json.JSONDecodeError, UnicodeDecodeError) as e:
> +        bb.error(f"Failed to open JSON report file {f}: {e}")
> +        return
> +
> +    packages = report.get("package", [])
> +    for package in packages:
> +        unpatched = []
> +        cves = package.get("issue", [])
> +        for cve in cves:
> +            if cve["status"] == "Unpatched":
> +                unpatched.append(cve["id"])

A more Pythonic way of writing that is:

       for package in packages:
           cves = package.get("issue", [])
           unpatched = [cve["id"] for cve in cves if cve["status"] == "Unpatched"]

> +        if unpatched:
> +            pname = package["name"]
> +            version = package["version"]
> +            bb.warn(f"{pname}-{version}: Found unpatched CVEs: {', '.join(unpatched)}")
> +
>  def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
>      import os
>      import bb
> @@ -94,9 +120,13 @@ def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
>          bb.error(f"sbom-cve-check failed: {e}")
>          return
>  
> +    show_warnings = bb.utils.to_boolean(d.getVar("SBOM_CVE_CHECK_SHOW_WARNINGS"))
> +
>      for export_type, export_file, export_link in export_files:
>          bb.note(f"sbom-cve-check exported: {export_file}")
>          if export_link:
>              update_symlinks(export_file, export_link)
> +        if show_warnings and export_type == d.getVarFlag("SBOM_CVE_CHECK_EXPORT_CVECHECK", "type"):
> +            show_warnings_from_file(export_file)
>  
>  
> 
> ---
> base-commit: 9a83f0878b6bacbc7b322cfec076b4e79ad7b8fb
> change-id: 20260421-sbom-cve-check-warnings-408de9776bc0
> 
> 
> 
> 


-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

     prev parent reply	other threads:[~2026-04-22  6:53 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-21 13:01 [PATCH v2] sbom-cve-check-common: print warnings on unpatched CVEs Antonin Godard
2026-04-22  6:53 ` Benjamin Robin [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=53NyEVGwRGarcYy4JYMYFw@bootlin.com \
    --to=benjamin.robin@bootlin.com \
    --cc=antonin.godard@bootlin.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=thomas.petazzoni@bootlin.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox