From: Paul Barker <paul@pbarker.dev>
To: benjamin.robin@bootlin.com, openembedded-core@lists.openembedded.org
Cc: ross.burton@arm.com, peter.marko@siemens.com,
jpewhacker@gmail.com, olivier.benjamin@bootlin.com,
antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com,
thomas.petazzoni@bootlin.com
Subject: Re: [OE-core] [PATCH v3 6/6] sbom-cve-check.bbclass: Add class for post-build CVE analysis
Date: Thu, 05 Mar 2026 13:47:16 +0000
Message-ID: <8fae3195a70bb6b43872b57cb27b6197c08744b8.camel@pbarker.dev>
In-Reply-To: <20260226-add-sbom-cve-check-v3-6-2e60423f4d35@bootlin.com>
On Thu, 2026-02-26 at 18:01 +0100, Benjamin Robin via
lists.openembedded.org wrote:
> By default, the CVE databases are downloaded using the following
> recipes:
> - sbom-cve-check-update-cvelist-native.bb
> - sbom-cve-check-update-nvd-native.bb
>
> The database download logic is implemented in
> sbom-cve-check-update-db.bbclass. The CVE databases are stored in the
> download directory (`DL_DIR`). Access to the database is managed using
> an exclusive file lock (`flock`) on the directory. During CVE analysis,
> sbom-cve-check acquires a shared lock, allowing multiple analyses to
> run in parallel. However, if the database is being updated, any
> ongoing CVE analysis is temporarily paused.
>
> This design ensures that, under normal circumstances, sbom-cve-check
> can run without requiring network access. If a user needs network
> access during execution (e.g., to download annotation databases),
> they can set `SBOM_CVE_CHECK_ALLOW_NETWORK` to "1".
>
> Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
Hi Benjamin,
Patches 1-5 of this series were accepted, but we had some concerns with
this one.
We would prefer not to override do_fetch for sbom-cve-check-update-*.bb.
We should be able to use the standard git fetcher here, with a hardcoded
SRCREV to allow offline parsing to succeed. A config fragment should
then be defined which enables the sbom-cve-check bbclass and sets the
srcrevs for the update recipes to ${AUTOREV}.
Running sbom-cve-check offline should be supported, but manual config
may be needed to set an appropriate srcrev. We should provide an example
of this in the docs.
We should also be able to avoid setting do_sbom_cve_check[nostamp]. With
dependencies set correctly, this should only re-run if the image changes
or the cve database has been updated.
Best regards,
--
Paul Barker
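The shared/exclusive directory-lock scheme that the quoted commit message describes, shown as an added example (code written for this page, not code from the sbom-cve-check patch series): a probe of which flock() requests can coexist on the database directory, followed by a threaded run in which an updater blocks on the exclusive lock until an analysis holding the shared lock has finished, so the analysis never reads a half-written database. A temporary directory stands in for the database directory under DL_DIR; the file name cve.db and the version strings are constructed for the example.

```python
"""Shared/exclusive flock() on a database directory (example code, not from
the sbom-cve-check series). A temporary directory stands in for the CVE
database directory under DL_DIR; cve.db is a hypothetical file name."""
import fcntl
import os
import tempfile
import threading


def open_dir(db_dir):
    """Open the directory itself; a directory fd is a valid flock() target on Linux."""
    return os.open(db_dir, os.O_RDONLY)


def try_lock(fd, op):
    """Request op (LOCK_SH or LOCK_EX) without blocking; True if granted."""
    try:
        fcntl.flock(fd, op | fcntl.LOCK_NB)
        return True
    except BlockingIOError:
        return False


def lock_matrix(db_dir):
    """Probe which requests are compatible with a held lock.
    Every os.open() yields its own open file description, so the probe fd
    conflicts with the holder fd even though both live in this process."""
    results = {}
    holder = open_dir(db_dir)
    probe = open_dir(db_dir)
    # A running analysis holds LOCK_SH: other analyses may join, an update may not.
    fcntl.flock(holder, fcntl.LOCK_SH)
    results["sh_then_sh"] = try_lock(probe, fcntl.LOCK_SH)
    fcntl.flock(probe, fcntl.LOCK_UN)
    results["sh_then_ex"] = try_lock(probe, fcntl.LOCK_EX)
    fcntl.flock(holder, fcntl.LOCK_UN)
    # A database update holds LOCK_EX: neither analyses nor a second update get in.
    fcntl.flock(holder, fcntl.LOCK_EX)
    results["ex_then_sh"] = try_lock(probe, fcntl.LOCK_SH)
    results["ex_then_ex"] = try_lock(probe, fcntl.LOCK_EX)
    fcntl.flock(holder, fcntl.LOCK_UN)
    # Once the update releases its lock, the next request is granted.
    results["released_then_sh"] = try_lock(probe, fcntl.LOCK_SH)
    fcntl.flock(probe, fcntl.LOCK_UN)
    os.close(holder)
    os.close(probe)
    return results


def update_waits_for_analysis(db_dir):
    """An updater blocks in flock(LOCK_EX) until the running analysis drops
    LOCK_SH, so the analysis reads a consistent database snapshot."""
    db_file = os.path.join(db_dir, "cve.db")  # constructed stand-in for the real DB
    with open(db_file, "w") as f:
        f.write("version-1")
    analysis_started = threading.Event()
    analysis_may_finish = threading.Event()
    seen = {}

    def analysis():
        fd = open_dir(db_dir)
        fcntl.flock(fd, fcntl.LOCK_SH)
        analysis_started.set()
        analysis_may_finish.wait()
        with open(db_file) as f:
            seen["analysis"] = f.read()  # still version-1: the update is blocked
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)

    def update():
        fd = open_dir(db_dir)
        fcntl.flock(fd, fcntl.LOCK_EX)  # blocks while the analysis holds LOCK_SH
        tmp = db_file + ".tmp"
        with open(tmp, "w") as f:
            f.write("version-2")
        os.replace(tmp, db_file)  # atomic swap, performed under the exclusive lock
        seen["update_done"] = True
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)

    t_a = threading.Thread(target=analysis)
    t_a.start()
    analysis_started.wait()
    t_u = threading.Thread(target=update)
    t_u.start()
    t_u.join(timeout=0.2)
    seen["update_blocked_while_analysis_ran"] = t_u.is_alive()
    analysis_may_finish.set()
    t_a.join()
    t_u.join()
    with open(db_file) as f:
        seen["final"] = f.read()
    return seen


def demo():
    """Run both scenarios in a scratch directory and return their results."""
    with tempfile.TemporaryDirectory() as db_dir:
        return {"matrix": lock_matrix(db_dir),
                "update": update_waits_for_analysis(db_dir)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two caveats worth keeping in mind with this scheme: flock() is advisory, so the guarantee only covers code paths that take the lock before touching the directory, and flock() gives no preference to a waiting exclusive request, so new shared locks keep being granted while an updater waits and a steady stream of analyses can delay the update indefinitely.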
Thread overview: 10+ messages
2026-02-26 17:01 [PATCH v3 0/6] sbom-cve-check: add CVE analysis tool and class Benjamin Robin
2026-02-26 17:01 ` [PATCH v3 1/6] maintainers.inc: Sort list in alphabetical order Benjamin Robin
2026-02-26 17:01 ` [PATCH v3 2/6] python3-shacl2code: add recipe Benjamin Robin
2026-02-26 17:01 ` [PATCH v3 3/6] python3-hatch-build-scripts: " Benjamin Robin
2026-02-26 17:01 ` [PATCH v3 4/6] python3-spdx-python-model: " Benjamin Robin
2026-02-26 17:01 ` [PATCH v3 5/6] sbom-cve-check: " Benjamin Robin
2026-02-26 17:01 ` [PATCH v3 6/6] sbom-cve-check.bbclass: Add class for post-build CVE analysis Benjamin Robin
2026-03-05 13:47 ` Paul Barker [this message]
2026-03-05 16:22 ` [OE-core] " Benjamin Robin
2026-03-09 12:17 ` Benjamin Robin