On Tue, 2026-04-21 at 11:15 +0200, Antonin Godard via lists.openembedded.org wrote:
> The now removed cve-check class used to print warnings when CVEs with
> status "Unpatched" were found. Add this feature to the
> sbom-cve-check class with the same default value (enabled).
>
> For now it only does so when the cvecheck report type is enabled. It may
> be possible to do the same for the SPDX report type.
>
> Sample output:
>
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: busybox-1.37.0: Found unpatched CVEs: CVE-2024-58251
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: expat-2.7.5: Found unpatched CVEs: CVE-2025-66382, CVE-2026-41080
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: glibc-2.43+git: Found unpatched CVEs: CVE-2010-4756, CVE-2026-4046
>
> Signed-off-by: Antonin Godard
> ---
> meta/classes/sbom-cve-check-common.bbclass | 31 ++++++++++++++++++++++++++++++
> 1 file changed, 31 insertions(+)
>
> diff --git a/meta/classes/sbom-cve-check-common.bbclass b/meta/classes/sbom-cve-check-common.bbclass
> index 6963ad71c61..d84416c8a50 100644
> --- a/meta/classes/sbom-cve-check-common.bbclass
> +++ b/meta/classes/sbom-cve-check-common.bbclass
> @@ -48,6 +48,33 @@ SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES ?= " \ > sbom-cve-check-update-nvd-native:do_patch \ > " > > +SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1" > +SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched CVEs are found. \ > +Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled" > + > +def show_warnings_from_file(cvecheck_export_file): > + import json > + report = {} We shouldn't need to initialise report here as it is always set if we get past the try block below. > + > + try: > + with open(cvecheck_export_file, "r") as f: > + report = json.load(f) > + except (json.JSONDecodeError, UnicodeDecodeError) as e: > + bb.error(f"Failed to open JSON report file {f}: {e}") > + return > + > + packages = report.get("package", []) > + for package in packages: > + unpatched = [] > + cves = package.get("issue", []) > + for cve in cves: > + if cve["status"] == "Unpatched": > + unpatched.append(cve["id"]) > + if unpatched: > + pname = package["name"] > + version = package["version"] > + bb.warn(f"{pname}-{version}: Found unpatched CVEs: {', '.join(unpatched)}") > + > def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None): > import os > import bb > @@ -94,9 +121,13 @@ def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None): > bb.error(f"sbom-cve-check failed: {e}") > return > > + show_warnings = oe.utils.vartrue("SBOM_CVE_CHECK_SHOW_WARNINGS", True, False, d) I think this can be: show_warnings = bb.utils.to_boolean(d.getVar("SBOM_CVE_CHECK_SHOW_WARNINGS")) > + > for export_type, export_file, export_link in export_files: > bb.note(f"sbom-cve-check exported: {export_file}") > if export_link: > update_symlinks(export_file, export_link) > + if show_warnings and export_type == d.getVarFlag("SBOM_CVE_CHECK_EXPORT_CVECHECK", "type"): > + show_warnings_from_file(export_file) Best regards, -- Paul Barker
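Review bot: in the first hunk, the except branch of show_warnings_from_file formats `{f}` into the bb.error message, but `f` is only bound if open() succeeded; when open() itself fails the error path raises NameError, and when it is bound the message shows a file object instead of the path. Use `bb.error(f"Failed to open JSON report file {cvecheck_export_file}: {e}")` and add OSError to the caught exceptions, otherwise a missing or unreadable export file propagates out of the task instead of being reported. A smaller point in the same loop: the containers are read with .get() defaults, but cve["status"], cve["id"], package["name"] and package["version"] are direct lookups, so a single record lacking one of those keys raises KeyError and aborts the whole warning pass; either read them with .get() as well or document that the cvecheck report format guarantees those keys.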
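Review bot: in the second hunk, when SBOM_CVE_CHECK_SHOW_WARNINGS is enabled but no export of the SBOM_CVE_CHECK_EXPORT_CVECHECK type is configured, the loop never calls show_warnings_from_file and nothing tells the user why no warnings appear; the [doc] flag states the requirement, but a bb.note after the loop when show_warnings is set and no export matched the cvecheck type would make the silent no-op visible. Also, `d.getVarFlag("SBOM_CVE_CHECK_EXPORT_CVECHECK", "type")` is evaluated on every iteration; compute it once next to show_warnings and compare export_type against that value inside the loop.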
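As an added, standalone example (not the patch's code and not part of the sbom-cve-check class), the following Python reimplements the warning pass described in the commit message over a cvecheck-style JSON export and hardens the points raised in the review: read errors name the path rather than the file object, OSError is caught so a missing export file is reported instead of raised, and records with missing keys are skipped rather than aborting the pass. The report layout is assumed from the keys the patch reads (a top-level "package" list whose entries carry "name", "version" and "issue"; issues carry "id" and "status"); the embedded report and its CVE identifiers are constructed placeholders, not real CVEs, and bb.warn/bb.error are replaced by returned strings so the result can be checked offline.

```python
"""Hardened stand-in for a cvecheck-export warning pass: parse the JSON report
and produce one warning line per package that still has CVEs with status
"Unpatched", surviving read errors and malformed records."""
import json
import os
import tempfile
from typing import Dict, List, Optional, Tuple

UNPATCHED = "Unpatched"

# Constructed sample report. The CVE identifiers are placeholders (year 0000),
# not real CVEs. Key layout ("package" -> "name"/"version"/"issue",
# "issue" -> "id"/"status") is assumed from what the patch reads.
SAMPLE_REPORT = {
    "package": [
        {"name": "busybox", "version": "1.37.0",
         "issue": [{"id": "CVE-0000-0001", "status": UNPATCHED},
                   {"id": "CVE-0000-0002", "status": "Patched"}]},
        {"name": "expat", "version": "2.7.5",
         "issue": [{"id": "CVE-0000-0004", "status": UNPATCHED},
                   {"id": "CVE-0000-0003", "status": UNPATCHED},
                   {"id": "CVE-0000-0005", "status": "Ignored"}]},
        {"name": "zlib", "version": "1.3.1", "issue": []},
        # Malformed records a tolerant parser must survive:
        {"name": "noissues", "version": "1"},                          # no "issue" key
        {"name": "partial", "version": "2",
         "issue": [{"id": "CVE-0000-0006"}, {"status": UNPATCHED}]},    # missing status / id
    ]
}


def load_report(path: str) -> Tuple[Optional[dict], Optional[str]]:
    """Return (report, None) on success or (None, message) on any read/parse error.
    OSError is caught as well, so a missing or unreadable file is reported, and the
    message names the path (a file object would be unbound if open() had failed)."""
    try:
        with open(path, "r", encoding="utf-8") as f:
            return json.load(f), None
    except (OSError, json.JSONDecodeError, UnicodeDecodeError) as e:
        return None, f"Failed to open JSON report file {path}: {e}"


def unpatched_cves(report: dict) -> Dict[str, List[str]]:
    """Map "name-version" to the sorted CVE ids whose status is "Unpatched".
    Missing keys are skipped instead of raising KeyError, so one malformed
    record does not abort the whole report."""
    result: Dict[str, List[str]] = {}
    for package in report.get("package", []):
        key = f"{package.get('name', '?')}-{package.get('version', '?')}"
        ids = [issue["id"] for issue in package.get("issue", [])
               if issue.get("status") == UNPATCHED and "id" in issue]
        if ids:
            result[key] = sorted(ids)
    return result


def warning_lines(report: dict) -> List[str]:
    """Render one line per affected package in the same format the patch warns with."""
    return [f"{pkg}: Found unpatched CVEs: {', '.join(ids)}"
            for pkg, ids in unpatched_cves(report).items()]


def warnings_from_file(path: str) -> Tuple[List[str], Optional[str]]:
    """Load a report file and return (warning lines, error message or None)."""
    report, err = load_report(path)
    if report is None:
        return [], err
    return warning_lines(report), None


def demo() -> Tuple[List[str], Optional[str], Optional[str]]:
    """Exercise the valid, malformed-JSON and missing-file cases in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "cvecheck.json")
        bad = os.path.join(tmp, "broken.json")
        with open(good, "w", encoding="utf-8") as f:
            json.dump(SAMPLE_REPORT, f)
        with open(bad, "w", encoding="utf-8") as f:
            f.write("{not json")
        lines, _ = warnings_from_file(good)
        _, bad_err = warnings_from_file(bad)
        _, missing_err = warnings_from_file(os.path.join(tmp, "absent.json"))
    return lines, bad_err, missing_err


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Sorting the ids within a package is a choice made here for stable output; the patch keeps report order. Returning messages instead of calling bb.warn/bb.error is what makes the three failure modes (bad JSON, missing file, malformed record) observable without a BitBake datastore.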