[PATCH v6] sbom-cve-check: add CVE analysis tool and class

[PATCH v6] sbom-cve-check: add CVE analysis tool and class

[Benjamin Robin]

This patch series introduces the `sbom-cve-check` tool and its
dependencies. The tool requires `python3-spdx-python-model`, which has
the following build-time dependencies (not required at runtime):
 - `python3-hatch-build-scripts`
 - `python3-shacl2code`

Note: This part was already merged into master.

Additionally, this series includes a post-build CVE analysis class,
similar to the existing `cve-check` functionality, which this v5 try
to provide.

This v5 series requires sbom-cve-check in version 1.2.0 which is
provided by the following patch ("python3-sbom-cve-check: Update to
release 1.2.0") [4].

For context, `sbom-cve-check` is a lightweight SBOM CVE analysis tool,
which supports SBOMs in SPDX 2.2 or SPDX 3.0 formats. The tool is
designed as an efficient replacement for the `cve-check` logic currently
available in Yocto Project. It fetches data from multiple databases,
including NVD and the CVE List, and supports various annotation formats,
such as OpenVEX and the Yocto Project's custom VEX manifest.

For export, `sbom-cve-check` can generate a SPDX 3.0 file, a
`cve-check`-compatible JSON file, and a summary report that lists all
vulnerabilities per component, styled similarly to the output of the
Yocto Project's `cve-check` class.

For more context on the inclusion of `sbom-cve-check` in OpenEmbedded
Core, see the discussion [1].

For detailed documentation about `sbom-cve-check`, visit [2].

[1] https://lists.openembedded.org/g/openembedded-core/topic/117638558
[2] https://sbom-cve-check.readthedocs.io/
[3] https://lists.openembedded.org/g/openembedded-core/message/231519
[4] https://lore.kernel.org/r/20260317-update-sbom-cve-check-recipe-v1-1-49b50bf80bf2@bootlin.com

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
Changes in v6:
- Add missing BB_CONF_FRAGMENT_SUMMARY/BB_CONF_FRAGMENT_DESCRIPTION.
- Link to v5: https://patch.msgid.link/20260319-add-sbom-cve-check-v5-0-e310cce7399d@bootlin.com

Changes in v5:
- Use "cve-tou" license for sbom-cve-check-update-nvd-native.bb
- Use internal Bitbake fetcher to download the git repository.
- Execute sbom-cve-check with --disable-auto-update flag (require 1.2.0).
- Add meta/conf/fragments/yocto/sbom-cve-check.conf config fragment.
- Link to v4: https://patch.msgid.link/20260311-add-sbom-cve-check-v4-0-f4e6c4cee8ca@bootlin.com

Changes in v4:
- Remove the `nostamp` flag from the `do_sbom_cve_check` task.
- Remove the unnecessary "recrdeptask" on `do_create_image_sbom_spdx`.
  The only required dependency is to run after the
  `do_create_image_sbom_spdx` task of the image recipe.
- Add the `do_sbom_cve_check_setscene` task.
- Update the dependency for the two CVE database-fetching recipes: the
  `do_sbom_cve_check` task now runs after their `do_populate_sysroot`.
- In the two CVE database-fetching recipes, include a file in the
  sysroot containing the Git revision of the fetched CVE database. This
  leverages BitBake's checksum computation for sysroot files to
  determine if dependent tasks need re-execution.
- Add missing `HOMEPAGE` links to `sbom-cve-check-update-*-native.bb`.
- Move the code in `sbom-cve-check-update-db.bbclass` to a simple
  include file. Other layers that may want to add a new recipe to
  download another database can still include it using:
  `require recipes-core/meta/sbom-cve-check-update-db.inc`.
- Rename configuration variables for clarity.
- Add `SBOM_CVE_CHECK_DATABASES_DIR` to define the base directory for
  CVE databases, allowing users to configure an alternate storage
  location.
- Improve documentation for all configuration variables.
- By default, the class now generates a JSON file in the `cve-check`
  format in addition to the exported SPDX 3.0 output.
- Link to v3: https://lore.kernel.org/r/20260226-add-sbom-cve-check-v3-0-2e60423f4d35@bootlin.com

Changes in v3:
- Improve first commit message about sorting maintainers.inc.
- Add missing maintainers information for sbom-cve-check-update-*-native
  recipes...
- Link to v2: https://lore.kernel.org/r/20260225-add-sbom-cve-check-v2-0-eeffa285b901@bootlin.com

Changes in v2:
- Sort maintainers.inc list in alphabetical order.
- Add missing maintainers information for new recipes.
- python3-spdx-python-model depends on native shacl2code and
  hatch-build-scripts recipes.
- Link to v1: https://lore.kernel.org/r/20260224-add-sbom-cve-check-v1-0-1c76fbd7f01b@bootlin.com

---
Benjamin Robin (1):
      sbom-cve-check: Add class for post-build CVE analysis

 meta/classes-recipe/sbom-cve-check.bbclass         | 121 +++++++++++++++++++++
 meta/conf/distro/include/maintainers.inc           |   2 +
 meta/conf/fragments/yocto/sbom-cve-check.conf      |  14 +++
 meta/recipes-core/meta/sbom-cve-check-config.inc   |   4 +
 .../meta/sbom-cve-check-update-cvelist-native.bb   |  12 ++
 .../recipes-core/meta/sbom-cve-check-update-db.inc |  28 +++++
 .../meta/sbom-cve-check-update-nvd-native.bb       |  12 ++
 7 files changed, 193 insertions(+)
---
base-commit: 531f87111d83430615f2e20dd41a3dd5fc25c7ab
change-id: 20260223-add-sbom-cve-check-f34614b147dc

Best regards,
--  
Benjamin Robin <benjamin.robin@bootlin.com>

[PATCH v6] sbom-cve-check: Add class for post-build CVE analysis

[Benjamin Robin]

By default, the sbom-cve-check class generates these export files:
 - A JSON in `cve-check` format, named `${IMAGE_NAME}.cve-check.json`
 - An SPDX 3.0 SBOM, named `${IMAGE_NAME}.cve-check.spdx.json`.

A user can add or remove export file formats by using the
`SBOM_CVE_CHECK_EXPORT_VARS` variable.

By default, the CVE databases are downloaded using the following
recipes:
 - sbom-cve-check-update-cvelist-native.bb
 - sbom-cve-check-update-nvd-native.bb

The database fetch and deploy logic is implemented in
sbom-cve-check-update-db.inc. The CVE databases are stored in the
download directory (`DL_DIR`) by default. This can be configured by
the `SBOM_CVE_CHECK_DATABASES_DIR` variable defined in
meta/recipes-core/meta/sbom-cve-check-config.inc.

The CVE git databases are fetched using the Bitbake fetcher. Currently,
Bitbake fetcher does not support a shallow clone that can be updated.
While `BB_GIT_SHALLOW` exists, it creates multiple tarballs in the
download directory, which is inefficient for updates. For now, the git
database is fully fetched.

The `SRCREV` of the git database is set to a fixed version. A user can
override this by specifying any other version, or `AUTOREV` can be
specified.

To simplify the activation and configuration of sbom-cve-check, a
configuration fragment is provided with recommended default values.

`sbom-cve-check` is configured to run without requiring network access.
If a user needs network access during execution (e.g., to download
annotation databases), they can set `SBOM_CVE_CHECK_ALLOW_NETWORK`
to "1".

The CVE analysis runs only if either the original SBOM changes or the
CVE databases are updated. In the two CVE database-fetching recipes, a
file in the sysroot is written, containing the Git revision of the
fetched CVE database.

`sbom-cve-check` is executed with the generated VEX manifest only if
enabled and if `SPDX_INCLUDE_VEX` is set to a value other than "all".
When `SPDX_INCLUDE_VEX=all`, the SPDX 3.0 file already contains all the
necessary information for CVE analysis, making the VEX manifest
redundant.

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 meta/classes-recipe/sbom-cve-check.bbclass         | 121 +++++++++++++++++++++
 meta/conf/distro/include/maintainers.inc           |   2 +
 meta/conf/fragments/yocto/sbom-cve-check.conf      |  14 +++
 meta/recipes-core/meta/sbom-cve-check-config.inc   |   4 +
 .../meta/sbom-cve-check-update-cvelist-native.bb   |  12 ++
 .../recipes-core/meta/sbom-cve-check-update-db.inc |  28 +++++
 .../meta/sbom-cve-check-update-nvd-native.bb       |  12 ++
 7 files changed, 193 insertions(+)

diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
new file mode 100644
index 000000000000..32f92a0bab29
--- /dev/null
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -0,0 +1,121 @@
+# SPDX-License-Identifier: MIT
+
+# To enable this class, it is recommended to add this to local.conf
+# OE_FRAGMENTS += "core/yocto/sbom-cve-check"
+
+require recipes-core/meta/sbom-cve-check-config.inc
+
+SBOM_CVE_CHECK_DEPLOYDIR = "${WORKDIR}/sbom_cve_check/image-deploy"
+
+SBOM_CVE_CHECK_EXTRA_ARGS[doc] = "Allow to specify extra arguments to sbom-cve-check. \
+    For example to add export flags for filtering (e.g., only export vulnerable CVEs). \
+"
+SBOM_CVE_CHECK_EXTRA_ARGS ??= ""
+
+SBOM_CVE_CHECK_EXPORT_VARS[doc] = "List of variables that declare export files to generate. \
+    Each variable must have a 'type' and an 'ext' flag set. \
+    The 'type' flag contains the value that is passed to the --export-type command flags. \
+    The 'ext' flag contains the filename extension (suffix). The output filename is going \
+    to be ${IMAGE_NAME}${ext} \
+"
+SBOM_CVE_CHECK_EXPORT_VARS ?= "SBOM_CVE_CHECK_EXPORT_SPDX3 SBOM_CVE_CHECK_EXPORT_CVECHECK"
+
+SBOM_CVE_CHECK_EXPORT_SPDX3[doc] = "Export configuration to generate an SPDX3 SBOM file, \
+    with the following name: ${IMAGE_NAME}.cve-check.spdx.json \
+"
+SBOM_CVE_CHECK_EXPORT_SPDX3[type] ?= "spdx3"
+SBOM_CVE_CHECK_EXPORT_SPDX3[ext] ?= ".cve-check.spdx.json"
+
+SBOM_CVE_CHECK_EXPORT_CVECHECK[doc] = "Export configuration to generate a JSON manifest \
+    in the same format as the cve-check class, with the following name: \
+    ${IMAGE_NAME}.cve-check.json \
+"
+SBOM_CVE_CHECK_EXPORT_CVECHECK[type] ?= "yocto-cve-check-manifest"
+SBOM_CVE_CHECK_EXPORT_CVECHECK[ext] ?= ".cve-check.json"
+
+SBOM_CVE_CHECK_ALLOW_NETWORK[doc] = "Set to 1 to enable network usage."
+SBOM_CVE_CHECK_ALLOW_NETWORK ?= "0"
+
+python do_sbom_cve_check() {
+    """
+    Task: Run sbom-cve-check analysis on SBOM.
+    """
+    import os
+    import bb
+    from oe.cve_check import update_symlinks
+
+    if not bb.data.inherits_class("create-spdx-3.0", d):
+        bb.fatal("Cannot execute sbom-cve-check missing create-spdx-3.0 inherit.")
+
+    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
+    vex_manifest_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.json")
+    dl_db_dir = d.getVar("SBOM_CVE_CHECK_DATABASES_DIR")
+    deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
+    img_link_name = d.getVar("IMAGE_LINK_NAME")
+    img_name = d.getVar("IMAGE_NAME")
+
+    export_files = []
+    for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split():
+        export_ext = d.getVarFlag(export_var, "ext")
+        export_path = f"{deploy_dir}/{img_name}{export_ext}"
+        export_link = f"{deploy_dir}/{img_link_name}{export_ext}"
+        export_type = d.getVarFlag(export_var, "type")
+        export_files.append((export_type, export_path, export_link))
+
+    cmd_env = os.environ.copy()
+    cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = dl_db_dir
+
+    cmd_args = [
+        d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"),
+        "--sbom-path",
+        sbom_path,
+    ]
+
+    if not int(d.getVar("SBOM_CVE_CHECK_ALLOW_NETWORK")):
+        cmd_args.append("--disable-auto-updates")
+
+    # Assume that SPDX_INCLUDE_VEX is set globally to "all", and not only for the
+    # image recipe, which is very unlikely. This is not an issue to include the
+    # VEX manifest even if not needed.
+    if bb.data.inherits_class("vex", d) and d.getVar("SPDX_INCLUDE_VEX") != "all":
+        cmd_args.extend(["--yocto-vex-manifest", vex_manifest_path])
+
+    for export_file in export_files:
+        cmd_args.extend(
+            ["--export-type", export_file[0], "--export-path", export_file[1]]
+        )
+
+    cmd_args.extend(d.getVar("SBOM_CVE_CHECK_EXTRA_ARGS").split())
+
+    try:
+        bb.note("Running: {}".format(" ".join(cmd_args)))
+        bb.process.run(cmd_args, env=cmd_env)
+    except bb.process.ExecutionError as e:
+        bb.error(f"sbom-cve-check failed: {e}")
+        return
+
+    for export_file in export_files:
+        bb.note(f"sbom-cve-check exported: {export_file[1]}")
+        update_symlinks(export_file[1], export_file[2])
+}
+
+addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build
+
+SSTATETASKS += "do_sbom_cve_check"
+do_sbom_cve_check[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
+do_sbom_cve_check[depends] += " \
+    python3-sbom-cve-check-native:do_populate_sysroot \
+    ${@oe.utils.conditional('SBOM_CVE_CHECK_ALLOW_NETWORK','0',' \
+        sbom-cve-check-update-cvelist-native:do_populate_sysroot \
+        sbom-cve-check-update-nvd-native:do_populate_sysroot \
+    ','',d)} \
+"
+
+do_sbom_cve_check[network] = "${SBOM_CVE_CHECK_ALLOW_NETWORK}"
+
+python do_sbom_cve_check_setscene() {
+    sstate_setscene(d)
+}
+addtask do_sbom_cve_check_setscene
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index c7a646a643e6..c8f215188f83 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -789,6 +789,8 @@ RECIPE_MAINTAINER:pn-sassc = "Simone Weiß <simone.p.weiss@posteo.com>"
 RECIPE_MAINTAINER:pn-sato-icon-theme = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER:pn-sato-screenshot = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-sbc = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-sbom-cve-check-update-cvelist-native = "Benjamin Robin <benjamin.robin@bootlin.com>"
+RECIPE_MAINTAINER:pn-sbom-cve-check-update-nvd-native = "Benjamin Robin <benjamin.robin@bootlin.com>"
 RECIPE_MAINTAINER:pn-scdoc = "Alex Kiernan <alex.kiernan@gmail.com>"
 RECIPE_MAINTAINER:pn-screen = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-seatd = "Unassigned <unassigned@yoctoproject.org>"
diff --git a/meta/conf/fragments/yocto/sbom-cve-check.conf b/meta/conf/fragments/yocto/sbom-cve-check.conf
new file mode 100644
index 000000000000..a3f229acf28a
--- /dev/null
+++ b/meta/conf/fragments/yocto/sbom-cve-check.conf
@@ -0,0 +1,14 @@
+BB_CONF_FRAGMENT_SUMMARY = "This fragment enables sbom-cve-check with recommended default options"
+BB_CONF_FRAGMENT_DESCRIPTION = "Enables sbom-cve-check and applies the following configurations: \
+ - Adds the sbom-cve-check class to IMAGE_CLASSES. \
+ - Configures CVE database recipes to fetch the latest git revision using AUTOREV. \
+ - Ensures generated SBOM includes all CVE annotations. \
+ - Configures the Linux kernel recipe to provide compiled sources, \
+   allowing CVEs to be excluded if the source is not compiled. \
+"
+
+IMAGE_CLASSES:append = " sbom-cve-check"
+SRCREV:pn-sbom-cve-check-update-nvd-native = "${AUTOREV}"
+SRCREV:pn-sbom-cve-check-update-cvelist-native = "${AUTOREV}"
+SPDX_INCLUDE_VEX = "all"
+SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = "1"
diff --git a/meta/recipes-core/meta/sbom-cve-check-config.inc b/meta/recipes-core/meta/sbom-cve-check-config.inc
new file mode 100644
index 000000000000..a1a909e22250
--- /dev/null
+++ b/meta/recipes-core/meta/sbom-cve-check-config.inc
@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: MIT
+
+SBOM_CVE_CHECK_DATABASES_DIR ??= "${DEPLOY_DIR}/sbom_cve_check/databases"
+SBOM_CVE_CHECK_DATABASES_DIR[doc] = "Download directory path where to store the CVE databases"
diff --git a/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb
new file mode 100644
index 000000000000..ce204db6c51a
--- /dev/null
+++ b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb
@@ -0,0 +1,12 @@
+SUMMARY = "Updates the CVE List database"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+HOMEPAGE = "https://github.com/CVEProject/cvelistV5"
+SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https"
+SBOM_CVE_CHECK_DB_NAME = "cvelist"
+
+# 2026-03-19_baseline
+SRCREV = "ada54ee3cc8380820aa45e4996910bdc9dcb94e7"
+
+require sbom-cve-check-update-db.inc
diff --git a/meta/recipes-core/meta/sbom-cve-check-update-db.inc b/meta/recipes-core/meta/sbom-cve-check-update-db.inc
new file mode 100644
index 000000000000..5ecb79820247
--- /dev/null
+++ b/meta/recipes-core/meta/sbom-cve-check-update-db.inc
@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: MIT
+
+INHIBIT_DEFAULT_DEPS = "1"
+EXCLUDE_FROM_WORLD = "1"
+
+inherit native
+require sbom-cve-check-config.inc
+
+SBOM_CVE_CHECK_DB_NAME[doc] = "Database name, which is the Git repository directory name. \
+    The git repository will be stored in ${SBOM_CVE_CHECK_DATABASES_DIR)/"
+
+DEPENDS += "rsync-native"
+
+# Leverage BitBake's checksum computation for populated sysroot files to determine
+# whether other recipe tasks dependent on this output need to be re-executed.
+do_compile() {
+    git -C "${S}" rev-parse --verify "HEAD^{object}" > "${WORKDIR}/${SBOM_CVE_CHECK_DB_NAME}.rev"
+}
+
+# In the install task, also deploy directly to ${DEPLOY_DIR} using rsync.
+# This is an hack, we are not using do_deploy to prevent multiple unecessary copy of the CVE database.
+do_install() {
+    install -m 644 -D -t "${D}${datadir}/sbom_cve_check/databases/" "${WORKDIR}/${SBOM_CVE_CHECK_DB_NAME}.rev"
+
+    dst="${SBOM_CVE_CHECK_DATABASES_DIR}/${SBOM_CVE_CHECK_DB_NAME}"
+    mkdir -p "$dst"
+    rsync -aH --delete --link-dest="${S}/" "${S}/" "${dst}/"
+}
diff --git a/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb
new file mode 100644
index 000000000000..46c86952a164
--- /dev/null
+++ b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb
@@ -0,0 +1,12 @@
+SUMMARY = "Updates the NVD CVE database"
+LICENSE = "cve-tou"
+LIC_FILES_CHKSUM = "file://LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
+
+HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-feeds"
+SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https"
+SBOM_CVE_CHECK_DB_NAME = "nvd-fkie"
+
+# v2026.03.19-010002
+SRCREV = "49f8bbe1b0b0884e16bdc37ab68db997085570a7"
+
+require sbom-cve-check-update-db.inc

-- 
2.53.0

Re: [PATCH v6] sbom-cve-check: Add class for post-build CVE analysis

[Marta Rybczynska]

[-- Attachment #1: Type: text/plain, Size: 3020 bytes --]

On Thu, Mar 19, 2026 at 4:42 PM Benjamin Robin <benjamin.robin@bootlin.com>
wrote:

> By default, the sbom-cve-check class generates these export files:
>  - A JSON in `cve-check` format, named `${IMAGE_NAME}.cve-check.json`
>  - An SPDX 3.0 SBOM, named `${IMAGE_NAME}.cve-check.spdx.json`.
>
> A user can add or remove export file formats by using the
> `SBOM_CVE_CHECK_EXPORT_VARS` variable.
>
> By default, the CVE databases are downloaded using the following
> recipes:
>  - sbom-cve-check-update-cvelist-native.bb
>  - sbom-cve-check-update-nvd-native.bb
>
> The database fetch and deploy logic is implemented in
> sbom-cve-check-update-db.inc. The CVE databases are stored in the
> download directory (`DL_DIR`) by default. This can be configured by
> the `SBOM_CVE_CHECK_DATABASES_DIR` variable defined in
> meta/recipes-core/meta/sbom-cve-check-config.inc.
>
> The CVE git databases are fetched using the Bitbake fetcher. Currently,
> Bitbake fetcher does not support a shallow clone that can be updated.
> While `BB_GIT_SHALLOW` exists, it creates multiple tarballs in the
> download directory, which is inefficient for updates. For now, the git
> database is fully fetched.
>
> The `SRCREV` of the git database is set to a fixed version. A user can
> override this by specifying any other version, or `AUTOREV` can be
> specified.
>
> To simplify the activation and configuration of sbom-cve-check, a
> configuration fragment is provided with recommended default values.
>
> `sbom-cve-check` is configured to run without requiring network access.
> If a user needs network access during execution (e.g., to download
> annotation databases), they can set `SBOM_CVE_CHECK_ALLOW_NETWORK`
> to "1".
>
> The CVE analysis runs only if either the original SBOM changes or the
> CVE databases are updated. In the two CVE database-fetching recipes, a
> file in the sysroot is written, containing the Git revision of the
> fetched CVE database.
>
> `sbom-cve-check` is executed with the generated VEX manifest only if
> enabled and if `SPDX_INCLUDE_VEX` is set to a value other than "all".
> When `SPDX_INCLUDE_VEX=all`, the SPDX 3.0 file already contains all the
> necessary information for CVE analysis, making the VEX manifest
> redundant.
>
> Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
> ---
>  meta/classes-recipe/sbom-cve-check.bbclass         | 121
> +++++++++++++++++++++
>  meta/conf/distro/include/maintainers.inc           |   2 +
>  meta/conf/fragments/yocto/sbom-cve-check.conf      |  14 +++
>  meta/recipes-core/meta/sbom-cve-check-config.inc   |   4 +
>  .../meta/sbom-cve-check-update-cvelist-native.bb   |  12 ++
>  .../recipes-core/meta/sbom-cve-check-update-db.inc |  28 +++++
>  .../meta/sbom-cve-check-update-nvd-native.bb       |  12 ++
>  7 files changed, 193 insertions(+)
>
>
Hello,
That looks cleaner than the previous version. How long does the intiial
build take with
this fetcher?

Kind regards,
Marta

[-- Attachment #2: Type: text/html, Size: 4043 bytes --]

Re: [PATCH v6] sbom-cve-check: Add class for post-build CVE analysis

[Benjamin Robin]

Hello Marta,

On Friday, March 20, 2026 at 4:54 PM, Marta Rybczynska wrote:
> > ---
> >  meta/classes-recipe/sbom-cve-check.bbclass         | 121
> > +++++++++++++++++++++
> >  meta/conf/distro/include/maintainers.inc           |   2 +
> >  meta/conf/fragments/yocto/sbom-cve-check.conf      |  14 +++
> >  meta/recipes-core/meta/sbom-cve-check-config.inc   |   4 +
> >  .../meta/sbom-cve-check-update-cvelist-native.bb   |  12 ++
> >  .../recipes-core/meta/sbom-cve-check-update-db.inc |  28 +++++
> >  .../meta/sbom-cve-check-update-nvd-native.bb       |  12 ++
> >  7 files changed, 193 insertions(+)
> >
> >
> Hello,
> That looks cleaner than the previous version. How long does the intiial
> build take with
> this fetcher?
> 
> Kind regards,
> Marta

I am not sure to understand the question.

With this fetcher, the duration of the initial clone is a "bit" slower,
since we are not doing a shallow clone. If the download directory is
not deleted, the initial fetch is done only once.

The fetch can be realized in parallel with the build of the packages,
and it really depends of your internet connection and of the build
machine.

But if I run:

$ bitbake -c cleanall sbom-cve-check-update-cvelist-native \
   sbom-cve-check-update-nvd-native

Followed by:

$ time bitbake sbom-cve-check-update-cvelist-native \
   sbom-cve-check-update-nvd-native

The time elapsed is 5m10.211s
I hope this answer your question.

-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Re: [PATCH v6] sbom-cve-check: Add class for post-build CVE analysis

[Antonin Godard]

Hi,

Some suggestions and questions I picked while reviewing this patch.

On Thu Mar 19, 2026 at 4:42 PM CET, Benjamin Robin wrote:
> By default, the sbom-cve-check class generates these export files:
>  - A JSON in `cve-check` format, named `${IMAGE_NAME}.cve-check.json`
>  - An SPDX 3.0 SBOM, named `${IMAGE_NAME}.cve-check.spdx.json`.
>
> A user can add or remove export file formats by using the
> `SBOM_CVE_CHECK_EXPORT_VARS` variable.
>
> By default, the CVE databases are downloaded using the following
> recipes:
>  - sbom-cve-check-update-cvelist-native.bb
>  - sbom-cve-check-update-nvd-native.bb
>
> The database fetch and deploy logic is implemented in
> sbom-cve-check-update-db.inc. The CVE databases are stored in the
> download directory (`DL_DIR`) by default. This can be configured by
> the `SBOM_CVE_CHECK_DATABASES_DIR` variable defined in
> meta/recipes-core/meta/sbom-cve-check-config.inc.

Yet the default definition is:

SBOM_CVE_CHECK_DATABASES_DIR ??= "${DEPLOY_DIR}/sbom_cve_check/databases"

Which does not point to the DL_DIR? The commit message seems a bit misleading.

> The CVE git databases are fetched using the Bitbake fetcher. Currently,
> Bitbake fetcher does not support a shallow clone that can be updated.
> While `BB_GIT_SHALLOW` exists, it creates multiple tarballs in the
> download directory, which is inefficient for updates. For now, the git
> database is fully fetched.
>
> The `SRCREV` of the git database is set to a fixed version. A user can
> override this by specifying any other version, or `AUTOREV` can be
> specified.
>
> To simplify the activation and configuration of sbom-cve-check, a
> configuration fragment is provided with recommended default values.
>
> `sbom-cve-check` is configured to run without requiring network access.
> If a user needs network access during execution (e.g., to download
> annotation databases), they can set `SBOM_CVE_CHECK_ALLOW_NETWORK`
> to "1".
>
> The CVE analysis runs only if either the original SBOM changes or the
> CVE databases are updated. In the two CVE database-fetching recipes, a
> file in the sysroot is written, containing the Git revision of the
> fetched CVE database.
>
> `sbom-cve-check` is executed with the generated VEX manifest only if
> enabled and if `SPDX_INCLUDE_VEX` is set to a value other than "all".
> When `SPDX_INCLUDE_VEX=all`, the SPDX 3.0 file already contains all the
> necessary information for CVE analysis, making the VEX manifest
> redundant.
>
> Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
> ---
>  meta/classes-recipe/sbom-cve-check.bbclass         | 121 +++++++++++++++++++++
>  meta/conf/distro/include/maintainers.inc           |   2 +
>  meta/conf/fragments/yocto/sbom-cve-check.conf      |  14 +++
>  meta/recipes-core/meta/sbom-cve-check-config.inc   |   4 +
>  .../meta/sbom-cve-check-update-cvelist-native.bb   |  12 ++
>  .../recipes-core/meta/sbom-cve-check-update-db.inc |  28 +++++
>  .../meta/sbom-cve-check-update-nvd-native.bb       |  12 ++
>  7 files changed, 193 insertions(+)
>
> diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
> new file mode 100644
> index 000000000000..32f92a0bab29
> --- /dev/null
> +++ b/meta/classes-recipe/sbom-cve-check.bbclass
> @@ -0,0 +1,121 @@
> +# SPDX-License-Identifier: MIT
> +
> +# To enable this class, it is recommended to add this to local.conf
> +# OE_FRAGMENTS += "core/yocto/sbom-cve-check"

I'd rather recommend the tool normally used to manage fragments, which modifies
toolcfg.conf, made for this purpose.

```
# It is recommended to enable this class through the sbom-cve-check fragment:
# bitbake-config-build enable-fragment sbom-cve-check
```

> +
> +require recipes-core/meta/sbom-cve-check-config.inc
> +
> +SBOM_CVE_CHECK_DEPLOYDIR = "${WORKDIR}/sbom_cve_check/image-deploy"

Nitpick, but why use underscore for "sbom_cve_check"? Here, and in the other
places in this patch. Using "sbom-cve-check" everywhere would perhaps be more
coherent?

> +
> +SBOM_CVE_CHECK_EXTRA_ARGS[doc] = "Allow to specify extra arguments to sbom-cve-check. \
> +    For example to add export flags for filtering (e.g., only export vulnerable CVEs). \
> +"
> +SBOM_CVE_CHECK_EXTRA_ARGS ??= ""
> +
> +SBOM_CVE_CHECK_EXPORT_VARS[doc] = "List of variables that declare export files to generate. \
> +    Each variable must have a 'type' and an 'ext' flag set. \
> +    The 'type' flag contains the value that is passed to the --export-type command flags. \
> +    The 'ext' flag contains the filename extension (suffix). The output filename is going \
> +    to be ${IMAGE_NAME}${ext} \
> +"
> +SBOM_CVE_CHECK_EXPORT_VARS ?= "SBOM_CVE_CHECK_EXPORT_SPDX3 SBOM_CVE_CHECK_EXPORT_CVECHECK"
> +
> +SBOM_CVE_CHECK_EXPORT_SPDX3[doc] = "Export configuration to generate an SPDX3 SBOM file, \
> +    with the following name: ${IMAGE_NAME}.cve-check.spdx.json \
> +"
> +SBOM_CVE_CHECK_EXPORT_SPDX3[type] ?= "spdx3"
> +SBOM_CVE_CHECK_EXPORT_SPDX3[ext] ?= ".cve-check.spdx.json"
> +
> +SBOM_CVE_CHECK_EXPORT_CVECHECK[doc] = "Export configuration to generate a JSON manifest \
> +    in the same format as the cve-check class, with the following name: \
> +    ${IMAGE_NAME}.cve-check.json \
> +"
> +SBOM_CVE_CHECK_EXPORT_CVECHECK[type] ?= "yocto-cve-check-manifest"
> +SBOM_CVE_CHECK_EXPORT_CVECHECK[ext] ?= ".cve-check.json"

As I understand it, these represent the different kinds of outputs of
sbom-cve-check. Wouldn't these make more sense as:

SBOM_CVE_CHECK_EXPORT_SPDX3[ext] ?= ".sbom-cve-check.spdx.json"
SBOM_CVE_CHECK_EXPORT_CVECHECK[ext] ?= ".sbom-cve-check.yocto.json"

first item indicates that this is an sbom-cve-check generated file,
second item denotes the format of the file : either spdx3, or the yocto specific
one.

> +
> +SBOM_CVE_CHECK_ALLOW_NETWORK[doc] = "Set to 1 to enable network usage."
> +SBOM_CVE_CHECK_ALLOW_NETWORK ?= "0"
> +
> +python do_sbom_cve_check() {
> +    """
> +    Task: Run sbom-cve-check analysis on SBOM.
> +    """
> +    import os
> +    import bb
> +    from oe.cve_check import update_symlinks
> +
> +    if not bb.data.inherits_class("create-spdx-3.0", d):
> +        bb.fatal("Cannot execute sbom-cve-check missing create-spdx-3.0 inherit.")
> +
> +    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
> +    vex_manifest_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.json")
> +    dl_db_dir = d.getVar("SBOM_CVE_CHECK_DATABASES_DIR")
> +    deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
> +    img_link_name = d.getVar("IMAGE_LINK_NAME")
> +    img_name = d.getVar("IMAGE_NAME")
> +
> +    export_files = []
> +    for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split():
> +        export_ext = d.getVarFlag(export_var, "ext")
> +        export_path = f"{deploy_dir}/{img_name}{export_ext}"
> +        export_link = f"{deploy_dir}/{img_link_name}{export_ext}"
> +        export_type = d.getVarFlag(export_var, "type")
> +        export_files.append((export_type, export_path, export_link))
> +
> +    cmd_env = os.environ.copy()
> +    cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = dl_db_dir
> +
> +    cmd_args = [
> +        d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"),
> +        "--sbom-path",
> +        sbom_path,
> +    ]
> +
> +    if not int(d.getVar("SBOM_CVE_CHECK_ALLOW_NETWORK")):
> +        cmd_args.append("--disable-auto-updates")
> +
> +    # Assume that SPDX_INCLUDE_VEX is set globally to "all", and not only for the
> +    # image recipe, which is very unlikely. This is not an issue to include the
> +    # VEX manifest even if not needed.
> +    if bb.data.inherits_class("vex", d) and d.getVar("SPDX_INCLUDE_VEX") != "all":
> +        cmd_args.extend(["--yocto-vex-manifest", vex_manifest_path])
> +
> +    for export_file in export_files:
> +        cmd_args.extend(
> +            ["--export-type", export_file[0], "--export-path", export_file[1]]
> +        )
> +
> +    cmd_args.extend(d.getVar("SBOM_CVE_CHECK_EXTRA_ARGS").split())
> +
> +    try:
> +        bb.note("Running: {}".format(" ".join(cmd_args)))
> +        bb.process.run(cmd_args, env=cmd_env)
> +    except bb.process.ExecutionError as e:
> +        bb.error(f"sbom-cve-check failed: {e}")
> +        return
> +
> +    for export_file in export_files:
> +        bb.note(f"sbom-cve-check exported: {export_file[1]}")
> +        update_symlinks(export_file[1], export_file[2])
> +}
> +
> +addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build
> +
> +SSTATETASKS += "do_sbom_cve_check"
> +do_sbom_cve_check[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
> +do_sbom_cve_check[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
> +do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
> +do_sbom_cve_check[depends] += " \
> +    python3-sbom-cve-check-native:do_populate_sysroot \
> +    ${@oe.utils.conditional('SBOM_CVE_CHECK_ALLOW_NETWORK','0',' \
> +        sbom-cve-check-update-cvelist-native:do_populate_sysroot \
> +        sbom-cve-check-update-nvd-native:do_populate_sysroot \
> +    ','',d)} \
> +"
> +
> +do_sbom_cve_check[network] = "${SBOM_CVE_CHECK_ALLOW_NETWORK}"
> +
> +python do_sbom_cve_check_setscene() {
> +    sstate_setscene(d)
> +}
> +addtask do_sbom_cve_check_setscene
> diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
> index c7a646a643e6..c8f215188f83 100644
> --- a/meta/conf/distro/include/maintainers.inc
> +++ b/meta/conf/distro/include/maintainers.inc
> @@ -789,6 +789,8 @@ RECIPE_MAINTAINER:pn-sassc = "Simone Weiß <simone.p.weiss@posteo.com>"
>  RECIPE_MAINTAINER:pn-sato-icon-theme = "Richard Purdie <richard.purdie@linuxfoundation.org>"
>  RECIPE_MAINTAINER:pn-sato-screenshot = "Ross Burton <ross.burton@arm.com>"
>  RECIPE_MAINTAINER:pn-sbc = "Unassigned <unassigned@yoctoproject.org>"
> +RECIPE_MAINTAINER:pn-sbom-cve-check-update-cvelist-native = "Benjamin Robin <benjamin.robin@bootlin.com>"
> +RECIPE_MAINTAINER:pn-sbom-cve-check-update-nvd-native = "Benjamin Robin <benjamin.robin@bootlin.com>"
>  RECIPE_MAINTAINER:pn-scdoc = "Alex Kiernan <alex.kiernan@gmail.com>"
>  RECIPE_MAINTAINER:pn-screen = "Unassigned <unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-seatd = "Unassigned <unassigned@yoctoproject.org>"
> diff --git a/meta/conf/fragments/yocto/sbom-cve-check.conf b/meta/conf/fragments/yocto/sbom-cve-check.conf
> new file mode 100644
> index 000000000000..a3f229acf28a
> --- /dev/null
> +++ b/meta/conf/fragments/yocto/sbom-cve-check.conf
> @@ -0,0 +1,14 @@
> +BB_CONF_FRAGMENT_SUMMARY = "This fragment enables sbom-cve-check with recommended default options"
> +BB_CONF_FRAGMENT_DESCRIPTION = "Enables sbom-cve-check and applies the following configurations: \
> + - Adds the sbom-cve-check class to IMAGE_CLASSES. \
> + - Configures CVE database recipes to fetch the latest git revision using AUTOREV. \
> + - Ensures generated SBOM includes all CVE annotations. \
> + - Configures the Linux kernel recipe to provide compiled sources, \
> +   allowing CVEs to be excluded if the source is not compiled. \
> +"
> +
> +IMAGE_CLASSES:append = " sbom-cve-check"
> +SRCREV:pn-sbom-cve-check-update-nvd-native = "${AUTOREV}"
> +SRCREV:pn-sbom-cve-check-update-cvelist-native = "${AUTOREV}"
> +SPDX_INCLUDE_VEX = "all"
> +SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = "1"

Could we also set SBOM_CVE_CHECK_ALLOW_NETWORK to 1 here? Since we already
require network with AUTOREV anyway.

> diff --git a/meta/recipes-core/meta/sbom-cve-check-config.inc b/meta/recipes-core/meta/sbom-cve-check-config.inc
> new file mode 100644
> index 000000000000..a1a909e22250
> --- /dev/null
> +++ b/meta/recipes-core/meta/sbom-cve-check-config.inc

This file and others could be in a more appropriate directory, such are
recipes-devtools/sbom-cve-check/? I think in a patch review call we said that
this directory was wrongly used for the previous cve-check-related recipes (you
weren't in this call IIRC).

> @@ -0,0 +1,4 @@
> +# SPDX-License-Identifier: MIT
> +
> +SBOM_CVE_CHECK_DATABASES_DIR ??= "${DEPLOY_DIR}/sbom_cve_check/databases"

I think there is already "${DEPLOY_DIR}/cve" used by cve-check and vex, maybe
you could re-use this path as:

SBOM_CVE_CHECK_DATABASES_DIR ??= "${DEPLOY_DIR}/cve/sbom_cve_check/databases"

to avoid creating a new directory in DEPLOY_DIR?

> +SBOM_CVE_CHECK_DATABASES_DIR[doc] = "Download directory path where to store the CVE databases"
> diff --git a/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb
> new file mode 100644
> index 000000000000..ce204db6c51a
> --- /dev/null
> +++ b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb
> @@ -0,0 +1,12 @@
> +SUMMARY = "Updates the CVE List database"
> +LICENSE = "MIT"
> +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
> +
> +HOMEPAGE = "https://github.com/CVEProject/cvelistV5"
> +SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https"
> +SBOM_CVE_CHECK_DB_NAME = "cvelist"
> +
> +# 2026-03-19_baseline
> +SRCREV = "ada54ee3cc8380820aa45e4996910bdc9dcb94e7"
> +
> +require sbom-cve-check-update-db.inc
> diff --git a/meta/recipes-core/meta/sbom-cve-check-update-db.inc b/meta/recipes-core/meta/sbom-cve-check-update-db.inc
> new file mode 100644
> index 000000000000..5ecb79820247
> --- /dev/null
> +++ b/meta/recipes-core/meta/sbom-cve-check-update-db.inc
> @@ -0,0 +1,28 @@
> +# SPDX-License-Identifier: MIT
> +
> +INHIBIT_DEFAULT_DEPS = "1"
> +EXCLUDE_FROM_WORLD = "1"
> +
> +inherit native
> +require sbom-cve-check-config.inc
> +
> +SBOM_CVE_CHECK_DB_NAME[doc] = "Database name, which is the Git repository directory name. \
> +    The git repository will be stored in ${SBOM_CVE_CHECK_DATABASES_DIR)/"
> +
> +DEPENDS += "rsync-native"
> +
> +# Leverage BitBake's checksum computation for populated sysroot files to determine
> +# whether other recipe tasks dependent on this output need to be re-executed.
> +do_compile() {
> +    git -C "${S}" rev-parse --verify "HEAD^{object}" > "${WORKDIR}/${SBOM_CVE_CHECK_DB_NAME}.rev"

We're in do_compile(), so you can store the output file in ${B}?

git -C "${S}" rev-parse --verify "HEAD^{object}" > "${B}/${SBOM_CVE_CHECK_DB_NAME}.rev"

> +}
> +
> +# In the install task, also deploy directly to ${DEPLOY_DIR} using rsync.
> +# This is an hack, we are not using do_deploy to prevent multiple unecessary copy of the CVE database.
> +do_install() {
> +    install -m 644 -D -t "${D}${datadir}/sbom_cve_check/databases/" "${WORKDIR}/${SBOM_CVE_CHECK_DB_NAME}.rev"
> +
> +    dst="${SBOM_CVE_CHECK_DATABASES_DIR}/${SBOM_CVE_CHECK_DB_NAME}"
> +    mkdir -p "$dst"
> +    rsync -aH --delete --link-dest="${S}/" "${S}/" "${dst}/"
> +}

Why do we need this in both ${datadir} and the deploy dir? Isn't
sbom-cve-check only using the one in the deploy dir? Was this done to create a
package out of these recipes? If we don't really need one we could use
ALLOW_EMPTY:${PN} = "1" instead?

> diff --git a/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb
> new file mode 100644
> index 000000000000..46c86952a164
> --- /dev/null
> +++ b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb
> @@ -0,0 +1,12 @@
> +SUMMARY = "Updates the NVD CVE database"
> +LICENSE = "cve-tou"
> +LIC_FILES_CHKSUM = "file://LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
> +
> +HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-feeds"
> +SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https"
> +SBOM_CVE_CHECK_DB_NAME = "nvd-fkie"
> +
> +# v2026.03.19-010002
> +SRCREV = "49f8bbe1b0b0884e16bdc37ab68db997085570a7"
> +
> +require sbom-cve-check-update-db.inc

Thanks,
Antonin

Re: [PATCH v6] sbom-cve-check: Add class for post-build CVE analysis

[Benjamin Robin]

Hello Antonin,

Thank you for the review.

On Monday, March 23, 2026 at 9:28 AM, Antonin Godard wrote:
> Hi,
> 
> Some suggestions and questions I picked while reviewing this patch.
> 
> On Thu Mar 19, 2026 at 4:42 PM CET, Benjamin Robin wrote:
> > By default, the sbom-cve-check class generates these export files:
> >  - A JSON in `cve-check` format, named `${IMAGE_NAME}.cve-check.json`
> >  - An SPDX 3.0 SBOM, named `${IMAGE_NAME}.cve-check.spdx.json`.
> >
> > A user can add or remove export file formats by using the
> > `SBOM_CVE_CHECK_EXPORT_VARS` variable.
> >
> > By default, the CVE databases are downloaded using the following
> > recipes:
> >  - sbom-cve-check-update-cvelist-native.bb
> >  - sbom-cve-check-update-nvd-native.bb
> >
> > The database fetch and deploy logic is implemented in
> > sbom-cve-check-update-db.inc. The CVE databases are stored in the
> > download directory (`DL_DIR`) by default. This can be configured by
> > the `SBOM_CVE_CHECK_DATABASES_DIR` variable defined in
> > meta/recipes-core/meta/sbom-cve-check-config.inc.
> 
> Yet the default definition is:
> 
> SBOM_CVE_CHECK_DATABASES_DIR ??= "${DEPLOY_DIR}/sbom_cve_check/databases"
> 
> Which does not point to the DL_DIR? The commit message seems a bit misleading.

In the v7 this is going to be fixed.
 
> > diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
> > new file mode 100644
> > index 000000000000..32f92a0bab29
> > --- /dev/null
> > +++ b/meta/classes-recipe/sbom-cve-check.bbclass
> > @@ -0,0 +1,121 @@
> > +# SPDX-License-Identifier: MIT
> > +
> > +# To enable this class, it is recommended to add this to local.conf
> > +# OE_FRAGMENTS += "core/yocto/sbom-cve-check"
> 
> I'd rather recommend the tool normally used to manage fragments, which modifies
> toolcfg.conf, made for this purpose.
> 
> ```
> # It is recommended to enable this class through the sbom-cve-check fragment:
> # bitbake-config-build enable-fragment sbom-cve-check
> ```

I improved the comment, but I kept the original explanation.
For example this could be useful for writing KAS configuration.


> > +
> > +require recipes-core/meta/sbom-cve-check-config.inc
> > +
> > +SBOM_CVE_CHECK_DEPLOYDIR = "${WORKDIR}/sbom_cve_check/image-deploy"
> 
> Nitpick, but why use underscore for "sbom_cve_check"? Here, and in the other
> places in this patch. Using "sbom-cve-check" everywhere would perhaps be more
> coherent?

I standardized all directory names, it should be named with dash now.

> > +SBOM_CVE_CHECK_EXTRA_ARGS[doc] = "Allow to specify extra arguments to sbom-cve-check. \
> > +    For example to add export flags for filtering (e.g., only export vulnerable CVEs). \
> > +"
> > +SBOM_CVE_CHECK_EXTRA_ARGS ??= ""
> > +
> > +SBOM_CVE_CHECK_EXPORT_VARS[doc] = "List of variables that declare export files to generate. \
> > +    Each variable must have a 'type' and an 'ext' flag set. \
> > +    The 'type' flag contains the value that is passed to the --export-type command flags. \
> > +    The 'ext' flag contains the filename extension (suffix). The output filename is going \
> > +    to be ${IMAGE_NAME}${ext} \
> > +"
> > +SBOM_CVE_CHECK_EXPORT_VARS ?= "SBOM_CVE_CHECK_EXPORT_SPDX3 SBOM_CVE_CHECK_EXPORT_CVECHECK"
> > +
> > +SBOM_CVE_CHECK_EXPORT_SPDX3[doc] = "Export configuration to generate an SPDX3 SBOM file, \
> > +    with the following name: ${IMAGE_NAME}.cve-check.spdx.json \
> > +"
> > +SBOM_CVE_CHECK_EXPORT_SPDX3[type] ?= "spdx3"
> > +SBOM_CVE_CHECK_EXPORT_SPDX3[ext] ?= ".cve-check.spdx.json"
> > +
> > +SBOM_CVE_CHECK_EXPORT_CVECHECK[doc] = "Export configuration to generate a JSON manifest \
> > +    in the same format as the cve-check class, with the following name: \
> > +    ${IMAGE_NAME}.cve-check.json \
> > +"
> > +SBOM_CVE_CHECK_EXPORT_CVECHECK[type] ?= "yocto-cve-check-manifest"
> > +SBOM_CVE_CHECK_EXPORT_CVECHECK[ext] ?= ".cve-check.json"
> 
> As I understand it, these represent the different kinds of outputs of
> sbom-cve-check. Wouldn't these make more sense as:
> 
> SBOM_CVE_CHECK_EXPORT_SPDX3[ext] ?= ".sbom-cve-check.spdx.json"
> SBOM_CVE_CHECK_EXPORT_CVECHECK[ext] ?= ".sbom-cve-check.yocto.json"
> 
> first item indicates that this is an sbom-cve-check generated file,
> second item denotes the format of the file : either spdx3, or the yocto specific
> one.

Yeah you are write, it is clearer this way, despite the fact that is it
a bit longer.

> > diff --git a/meta/conf/fragments/yocto/sbom-cve-check.conf b/meta/conf/fragments/yocto/sbom-cve-check.conf
> > new file mode 100644
> > index 000000000000..a3f229acf28a
> > --- /dev/null
> > +++ b/meta/conf/fragments/yocto/sbom-cve-check.conf
> > @@ -0,0 +1,14 @@
> > +BB_CONF_FRAGMENT_SUMMARY = "This fragment enables sbom-cve-check with recommended default options"
> > +BB_CONF_FRAGMENT_DESCRIPTION = "Enables sbom-cve-check and applies the following configurations: \
> > + - Adds the sbom-cve-check class to IMAGE_CLASSES. \
> > + - Configures CVE database recipes to fetch the latest git revision using AUTOREV. \
> > + - Ensures generated SBOM includes all CVE annotations. \
> > + - Configures the Linux kernel recipe to provide compiled sources, \
> > +   allowing CVEs to be excluded if the source is not compiled. \
> > +"
> > +
> > +IMAGE_CLASSES:append = " sbom-cve-check"
> > +SRCREV:pn-sbom-cve-check-update-nvd-native = "${AUTOREV}"
> > +SRCREV:pn-sbom-cve-check-update-cvelist-native = "${AUTOREV}"
> > +SPDX_INCLUDE_VEX = "all"
> > +SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = "1"
> 
> Could we also set SBOM_CVE_CHECK_ALLOW_NETWORK to 1 here? Since we already
> require network with AUTOREV anyway.

The do_sbom_cve_check task does not need network by default.
It is only needed if the user want to fetch additional databases, for
example annotation databases.

> > diff --git a/meta/recipes-core/meta/sbom-cve-check-config.inc b/meta/recipes-core/meta/sbom-cve-check-config.inc
> > new file mode 100644
> > index 000000000000..a1a909e22250
> > --- /dev/null
> > +++ b/meta/recipes-core/meta/sbom-cve-check-config.inc
> 
> This file and others could be in a more appropriate directory, such are
> recipes-devtools/sbom-cve-check/? I think in a patch review call we said that
> this directory was wrongly used for the previous cve-check-related recipes (you
> weren't in this call IIRC).

This is going to be fixed in the v7 series: The recipes are moved to
recipes-devtools/sbom-cve-check/.

> > @@ -0,0 +1,4 @@
> > +# SPDX-License-Identifier: MIT
> > +
> > +SBOM_CVE_CHECK_DATABASES_DIR ??= "${DEPLOY_DIR}/sbom_cve_check/databases"
> 
> I think there is already "${DEPLOY_DIR}/cve" used by cve-check and vex, maybe
> you could re-use this path as:
> 
> SBOM_CVE_CHECK_DATABASES_DIR ??= "${DEPLOY_DIR}/cve/sbom_cve_check/databases"
> 
> to avoid creating a new directory in DEPLOY_DIR?

I really think this is a bad idea. The ${DEPLOY_DIR}/cve/ directory contains
a lot of json file at the root of this directory. I really do not want to
break existing VEX and/or cve-check tasks.

> > +SBOM_CVE_CHECK_DATABASES_DIR[doc] = "Download directory path where to store the CVE databases"
> > diff --git a/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb
> > new file mode 100644
> > index 000000000000..ce204db6c51a
> > --- /dev/null
> > +++ b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb
> > @@ -0,0 +1,12 @@
> > +SUMMARY = "Updates the CVE List database"
> > +LICENSE = "MIT"
> > +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
> > +
> > +HOMEPAGE = "https://github.com/CVEProject/cvelistV5"
> > +SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https"
> > +SBOM_CVE_CHECK_DB_NAME = "cvelist"
> > +
> > +# 2026-03-19_baseline
> > +SRCREV = "ada54ee3cc8380820aa45e4996910bdc9dcb94e7"
> > +
> > +require sbom-cve-check-update-db.inc
> > diff --git a/meta/recipes-core/meta/sbom-cve-check-update-db.inc b/meta/recipes-core/meta/sbom-cve-check-update-db.inc
> > new file mode 100644
> > index 000000000000..5ecb79820247
> > --- /dev/null
> > +++ b/meta/recipes-core/meta/sbom-cve-check-update-db.inc
> > @@ -0,0 +1,28 @@
> > +# SPDX-License-Identifier: MIT
> > +
> > +INHIBIT_DEFAULT_DEPS = "1"
> > +EXCLUDE_FROM_WORLD = "1"
> > +
> > +inherit native
> > +require sbom-cve-check-config.inc
> > +
> > +SBOM_CVE_CHECK_DB_NAME[doc] = "Database name, which is the Git repository directory name. \
> > +    The git repository will be stored in ${SBOM_CVE_CHECK_DATABASES_DIR)/"
> > +
> > +DEPENDS += "rsync-native"
> > +
> > +# Leverage BitBake's checksum computation for populated sysroot files to determine
> > +# whether other recipe tasks dependent on this output need to be re-executed.
> > +do_compile() {
> > +    git -C "${S}" rev-parse --verify "HEAD^{object}" > "${WORKDIR}/${SBOM_CVE_CHECK_DB_NAME}.rev"
> 
> We're in do_compile(), so you can store the output file in ${B}?
> 
> git -C "${S}" rev-parse --verify "HEAD^{object}" > "${B}/${SBOM_CVE_CHECK_DB_NAME}.rev"

This part is going to be removed since it is no longer necessary.

> > +}
> > +
> > +# In the install task, also deploy directly to ${DEPLOY_DIR} using rsync.
> > +# This is an hack, we are not using do_deploy to prevent multiple unecessary copy of the CVE database.
> > +do_install() {
> > +    install -m 644 -D -t "${D}${datadir}/sbom_cve_check/databases/" "${WORKDIR}/${SBOM_CVE_CHECK_DB_NAME}.rev"
> > +
> > +    dst="${SBOM_CVE_CHECK_DATABASES_DIR}/${SBOM_CVE_CHECK_DB_NAME}"
> > +    mkdir -p "$dst"
> > +    rsync -aH --delete --link-dest="${S}/" "${S}/" "${dst}/"
> > +}
> 
> Why do we need this in both ${datadir} and the deploy dir? Isn't
> sbom-cve-check only using the one in the deploy dir? Was this done to create a
> package out of these recipes? If we don't really need one we could use
> ALLOW_EMPTY:${PN} = "1" instead?

Indeed, we could do that, and in this case the do_sbom_cve_check task should
depend on the do_install task. I am going to use ALLOW_EMPTY on this v7
series.

> > diff --git a/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb
> > new file mode 100644
> > index 000000000000..46c86952a164
> > --- /dev/null
> > +++ b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb
> > @@ -0,0 +1,12 @@
> > +SUMMARY = "Updates the NVD CVE database"
> > +LICENSE = "cve-tou"
> > +LIC_FILES_CHKSUM = "file://LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
> > +
> > +HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-feeds"
> > +SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https"
> > +SBOM_CVE_CHECK_DB_NAME = "nvd-fkie"
> > +
> > +# v2026.03.19-010002
> > +SRCREV = "49f8bbe1b0b0884e16bdc37ab68db997085570a7"
> > +
> > +require sbom-cve-check-update-db.inc

Thanks,
-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com