Re: [OE-core] [PATCH] sbom-cve-check-common: print warnings on unpatched CVEs

[Paul Barker <paul@pbarker.dev>]

[-- Attachment #1: Type: text/plain, Size: 3454 bytes --]

On Tue, 2026-04-21 at 11:15 +0200, Antonin Godard via
lists.openembedded.org wrote:
> The now removed cve-check class used to print warnings when CVEs with
> status "Unpatched" were found. Add this feature to the
> sbom-cve-check class with the same default value (enabled).
> 
> For now it only does so when the cvecheck report type is enabled. It may
> be possible to do the same for the SPDX report type.
> 
> Sample output:
> 
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: busybox-1.37.0: Found unpatched CVEs: CVE-2024-58251
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: expat-2.7.5: Found unpatched CVEs: CVE-2025-66382, CVE-2026-41080
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: glibc-2.43+git: Found unpatched CVEs: CVE-2010-4756, CVE-2026-4046
> 
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
>  meta/classes/sbom-cve-check-common.bbclass | 31 ++++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)
> 
> diff --git a/meta/classes/sbom-cve-check-common.bbclass b/meta/classes/sbom-cve-check-common.bbclass
> index 6963ad71c61..d84416c8a50 100644
> --- a/meta/classes/sbom-cve-check-common.bbclass
> +++ b/meta/classes/sbom-cve-check-common.bbclass
> @@ -48,6 +48,33 @@ SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES ?= " \
>      sbom-cve-check-update-nvd-native:do_patch \
>  "
>  
> +SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1"
> +SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched CVEs are found. \
> +Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled"
> +
> +def show_warnings_from_file(cvecheck_export_file):
> +    import json
> +    report = {}

We shouldn't need to initialise report here as it is always set if we
get past the try block below.

> +
> +    try:
> +        with open(cvecheck_export_file, "r") as f:
> +            report = json.load(f)
> +    except (json.JSONDecodeError, UnicodeDecodeError) as e:
> +        bb.error(f"Failed to open JSON report file {f}: {e}")
> +        return
> +
> +    packages = report.get("package", [])
> +    for package in packages:
> +        unpatched = []
> +        cves = package.get("issue", [])
> +        for cve in cves:
> +            if cve["status"] == "Unpatched":
> +                unpatched.append(cve["id"])
> +        if unpatched:
> +            pname = package["name"]
> +            version = package["version"]
> +            bb.warn(f"{pname}-{version}: Found unpatched CVEs: {', '.join(unpatched)}")
> +
>  def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
>      import os
>      import bb
> @@ -94,9 +121,13 @@ def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
>          bb.error(f"sbom-cve-check failed: {e}")
>          return
>  
> +    show_warnings = oe.utils.vartrue("SBOM_CVE_CHECK_SHOW_WARNINGS", True, False, d)

I think this can be:

    show_warnings = bb.utils.to_boolean(d.getVar("SBOM_CVE_CHECK_SHOW_WARNINGS"))

> +
>      for export_type, export_file, export_link in export_files:
>          bb.note(f"sbom-cve-check exported: {export_file}")
>          if export_link:
>              update_symlinks(export_file, export_link)
> +        if show_warnings and export_type == d.getVarFlag("SBOM_CVE_CHECK_EXPORT_CVECHECK", "type"):
> +            show_warnings_from_file(export_file)

Best regards,

-- 
Paul Barker


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]