[PATCH 0/5] sbom-cve-check: add CVE analysis tool and class

[PATCH 0/5] sbom-cve-check: add CVE analysis tool and class

[Benjamin Robin]

This patch series introduces the `sbom-cve-check` tool and its
dependencies. The tool requires `python3-spdx-python-model`, which has
the following build-time dependencies (not required at runtime):
- `python3-hatch-build-scripts`
- `python3-shacl2code`

Additionally, this series includes a post-build CVE analysis class,
similar to the existing `cve-check` functionality.

`sbom-cve-check` is a lightweight SBOM CVE analysis tool, which
supports SBOMs in SPDX 2.2 or SPDX 3.0 formats. The tool is designed as
an efficient replacement for the `cve-check` logic currently available
in Yocto Project. It fetches data from multiple databases, including NVD
and the CVE List, and supports various annotation formats, such as
OpenVEX and the Yocto Project's custom VEX manifest.

For export, `sbom-cve-check` can generate a SPDX 3.0 file, a
`cve-check`-compatible JSON file, and a summary report that lists all
vulnerabilities per component, styled similarly to the output of the
Yocto Project's `cve-check` class.

For more context on the inclusion of `sbom-cve-check` in OpenEmbedded
Core, see the discussion [1].

For detailed documentation about `sbom-cve-check`, visit [2].

After the inclusion of SPDX3 Joshua changes ("Add SPDX 3 Recipe
Information") in OE-Core [3], and after the release of sbom-cve-check
1.2.0, I am going to submit a very small follow-up series.

[1] https://lists.openembedded.org/g/openembedded-core/topic/117638558
[2] https://sbom-cve-check.readthedocs.io/
[3] https://lists.openembedded.org/g/openembedded-core/message/231519

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
Benjamin Robin (5):
      python3-shacl2code: add recipe
      python3-hatch-build-scripts: add recipe
      python3-spdx-python-model: add recipe
      sbom-cve-check: add recipe
      sbom-cve-check.bbclass: Add class for post-build CVE analysis

 .../sbom-cve-check-update-db.bbclass               | 87 ++++++++++++++++++++
 meta/classes-recipe/sbom-cve-check.bbclass         | 96 ++++++++++++++++++++++
 .../meta/sbom-cve-check-update-cvelist-native.bb   |  7 ++
 .../meta/sbom-cve-check-update-nvd-native.bb       |  7 ++
 .../python/python3-hatch-build-scripts_1.0.0.bb    | 12 +++
 .../python/python3-sbom-cve-check_1.1.0.bb         | 17 ++++
 .../python/python3-shacl2code_0.0.24.bb            | 17 ++++
 ...enerate-bindings-allow-to-use-local-files.patch | 58 +++++++++++++
 .../python/python3-spdx-python-model_0.0.4.bb      | 37 +++++++++
 9 files changed, 338 insertions(+)
---
base-commit: b8e48562ba273051bcf8cbc62be742ef42a1e622
change-id: 20260223-add-sbom-cve-check-f34614b147dc

Best regards,
-- 
Benjamin Robin <benjamin.robin@bootlin.com>

[PATCH 1/5] python3-shacl2code: add recipe

[Benjamin Robin]

 - Build dependency of python3-spdx-python-model.
 - Part of the dependency chain for sbom-cve-check

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 .../python/python3-shacl2code_0.0.24.bb                 | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-shacl2code_0.0.24.bb b/meta/recipes-devtools/python/python3-shacl2code_0.0.24.bb
new file mode 100644
index 000000000000..93ed9a253040
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-shacl2code_0.0.24.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Convert SHACL model to code bindings"
+HOMEPAGE = "https://pypi.org/project/shacl2code/"
+SECTION = "devel/python"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=0582f358628f299f29c23bf5fb2f73c9"
+
+PYPI_PACKAGE = "shacl2code"
+SRC_URI[sha256sum] = "d8b511054ca564b4514b9186ece7f5eb8048cfc5daa6625def1a3adba13c4f66"
+
+inherit pypi python_hatchling
+
+RDEPENDS:${PN} += " \
+    python3-jinja2 \
+    python3-rdflib \
+"
+
+BBCLASSEXTEND = "native nativesdk"

-- 
2.53.0

[PATCH 2/5] python3-hatch-build-scripts: add recipe

[Benjamin Robin]

 - Build dependency of python3-spdx-python-model.
 - Part of the dependency chain for sbom-cve-check

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 .../python/python3-hatch-build-scripts_1.0.0.bb              | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-hatch-build-scripts_1.0.0.bb b/meta/recipes-devtools/python/python3-hatch-build-scripts_1.0.0.bb
new file mode 100644
index 000000000000..ba7d8b40ffc5
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-hatch-build-scripts_1.0.0.bb
@@ -0,0 +1,12 @@
+SUMMARY = "A plugin for Hatch that runs build scripts and saves their artifacts"
+HOMEPAGE = "https://pypi.org/project/hatch_build_scripts/"
+SECTION = "devel/python"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=9ad584cda56221c7eaf48c23a5874a2a"
+
+PYPI_PACKAGE = "hatch_build_scripts"
+SRC_URI[sha256sum] = "563735e2f265c9e1b92dece6f762309114505ffaf6e5d51d462eb6a3b4f14640"
+
+inherit pypi python_hatchling
+
+BBCLASSEXTEND = "native nativesdk"

-- 
2.53.0

[PATCH 3/5] python3-spdx-python-model: add recipe

[Benjamin Robin]

 - Part of the dependency chain for sbom-cve-check

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 ...enerate-bindings-allow-to-use-local-files.patch | 58 ++++++++++++++++++++++
 .../python/python3-spdx-python-model_0.0.4.bb      | 37 ++++++++++++++
 2 files changed, 95 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch b/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch
new file mode 100644
index 000000000000..ec24d7beb3c5
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch
@@ -0,0 +1,58 @@
+From 9fb565a0a70c6985fa1efde13cfe7fb4851588ce Mon Sep 17 00:00:00 2001
+From: Benjamin Robin <benjamin.robin@bootlin.com>
+Date: Tue, 24 Feb 2026 10:59:25 +0100
+Subject: [PATCH] generate-bindings: allow to use local files
+
+shacl2code needs to download the following URLs during build time:
+ - https://spdx.org/rdf/3.0.1/spdx-model.ttl
+ - https://spdx.org/rdf/3.0.1/spdx-json-serialize-annotations.ttl
+ - https://spdx.org/rdf/3.0.1/spdx-context.jsonld
+
+There are a lot of package build tools that do not allow to download
+a file during the build. So provide a way to use local file:
+If the environment variable SHACL2CODE_SPDX_DIR is defined, load
+the SPDX model and SPDX context from the directory specified by this
+environment variable.
+
+Upstream-Status: Submitted [https://github.com/spdx/spdx-python-model/pull/19]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ gen/generate-bindings | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/gen/generate-bindings b/gen/generate-bindings
+index b963c55a3bc9..bc7041ee3bb9 100755
+--- a/gen/generate-bindings
++++ b/gen/generate-bindings
+@@ -14,12 +14,22 @@ echo "# Import all versions" > __init__.py
+ for v in $SPDX_VERSIONS; do
+     MODNAME="v$(echo "$v" | sed 's/[^a-zA-Z0-9_]/_/g')"
+
+-    shacl2code generate --input https://spdx.org/rdf/$v/spdx-model.ttl \
+-        --input https://spdx.org/rdf/$v/spdx-json-serialize-annotations.ttl \
+-        --context https://spdx.org/rdf/$v/spdx-context.jsonld \
+-        --license Apache-2.0 \
+-        python \
+-        -o "$MODNAME.py"
++    if [ -n "${SHACL2CODE_SPDX_DIR}" ] && [ -d "${SHACL2CODE_SPDX_DIR}/$v" ]
++    then
++        shacl2code generate --input "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-model.ttl" \
++            --input "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-json-serialize-annotations.ttl" \
++            --context-url "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-context.jsonld" https://spdx.org/rdf/$v/spdx-context.jsonld  \
++            --license Apache-2.0 \
++            python \
++            -o "$MODNAME.py"
++    else
++        shacl2code generate --input https://spdx.org/rdf/$v/spdx-model.ttl \
++            --input https://spdx.org/rdf/$v/spdx-json-serialize-annotations.ttl \
++            --context https://spdx.org/rdf/$v/spdx-context.jsonld \
++            --license Apache-2.0 \
++            python \
++            -o "$MODNAME.py"
++    fi
+
+     echo "from . import $MODNAME" >> __init__.py
+ done
+--
+2.53.0
diff --git a/meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb b/meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb
new file mode 100644
index 000000000000..5901caa3c1c8
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb
@@ -0,0 +1,37 @@
+SUMMARY = "Generated Python code for SPDX Spec version 3"
+HOMEPAGE = "https://pypi.org/project/spdx-python-model/"
+SECTION = "devel/python"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
+
+PYPI_PACKAGE = "spdx_python_model"
+SRC_URI[sha256sum] = "bdec725398babcbdd4bcb7c16cf23497d06a48d0ef3ea1edb19a3b0d431ab8c1"
+
+SRC_URI += " \
+    https://spdx.org/rdf/3.0.1/spdx-context.jsonld;name=spdx1 \
+    https://spdx.org/rdf/3.0.1/spdx-json-serialize-annotations.ttl;name=spdx2 \
+    https://spdx.org/rdf/3.0.1/spdx-model.ttl;name=spdx3 \
+    file://0001-generate-bindings-allow-to-use-local-files.patch \
+"
+
+SRC_URI[spdx1.sha256sum] = "c72b0928f094c83e5c127784edb1ebca2af74a104fcacc007c332b23cbc788bd"
+SRC_URI[spdx2.sha256sum] = "c6a54b51230eb2bf3b31302546af201f303e0b7931c1db404d7f5b72b6f863e6"
+SRC_URI[spdx3.sha256sum] = "30ebb4af2d70a9809044ef46f44cc3dc5125226d70f818a50ed2e1d5f404c593"
+
+inherit pypi python_hatchling
+
+export SHACL2CODE_SPDX_DIR = "${S}/spdx"
+
+do_configure:append() {
+    mkdir -p "${SHACL2CODE_SPDX_DIR}/3.0.1/"
+    cp ${UNPACKDIR}/spdx-context.jsonld "${SHACL2CODE_SPDX_DIR}/3.0.1/"
+    cp ${UNPACKDIR}/spdx-json-serialize-annotations.ttl "${SHACL2CODE_SPDX_DIR}/3.0.1/"
+    cp ${UNPACKDIR}/spdx-model.ttl "${SHACL2CODE_SPDX_DIR}/3.0.1/"
+}
+
+DEPENDS += " \
+    python3-shacl2code \
+    python3-hatch-build-scripts \
+"
+
+BBCLASSEXTEND = "native nativesdk"

-- 
2.53.0

Re: [PATCH 3/5] python3-spdx-python-model: add recipe

[Mathieu Dubois-Briand]

On Tue Feb 24, 2026 at 4:53 PM CET, Benjamin Robin wrote:
>  - Part of the dependency chain for sbom-cve-check
>
> Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
> ---
>  ...enerate-bindings-allow-to-use-local-files.patch | 58 ++++++++++++++++++++++
>  .../python/python3-spdx-python-model_0.0.4.bb      | 37 ++++++++++++++
>  2 files changed, 95 insertions(+)
>
> diff --git a/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch b/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch
> new file mode 100644
> index 000000000000..ec24d7beb3c5
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch
> @@ -0,0 +1,58 @@
> +From 9fb565a0a70c6985fa1efde13cfe7fb4851588ce Mon Sep 17 00:00:00 2001
> +From: Benjamin Robin <benjamin.robin@bootlin.com>
> +Date: Tue, 24 Feb 2026 10:59:25 +0100
> +Subject: [PATCH] generate-bindings: allow to use local files
> +
> +shacl2code needs to download the following URLs during build time:
> + - https://spdx.org/rdf/3.0.1/spdx-model.ttl
> + - https://spdx.org/rdf/3.0.1/spdx-json-serialize-annotations.ttl
> + - https://spdx.org/rdf/3.0.1/spdx-context.jsonld
> +
> +There are a lot of package build tools that do not allow to download
> +a file during the build. So provide a way to use local file:
> +If the environment variable SHACL2CODE_SPDX_DIR is defined, load
> +the SPDX model and SPDX context from the directory specified by this
> +environment variable.
> +
> +Upstream-Status: Submitted [https://github.com/spdx/spdx-python-model/pull/19]
> +
> +Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
> +---

Hi Benjamin,

Thanks for your patch.

It looks like there is some dependency issue with this recipe. We get
the following error on the autobuilder:

ERROR: python3-spdx-python-model-0.0.4-r0 do_compile: Execution of '/srv/pokybuild/yocto-worker/qemux86-world/build/build/tmp/work/x86-64-v3-poky-linux/python3-spdx-python-model/0.0.4/temp/run.do_compile.2119994' failed with exit code 1
...
Log data follows:
| DEBUG: Executing shell function do_compile
| * Getting build dependencies for wheel...
|
| ERROR Missing dependencies:
| 	shacl2code==0.0.24
| 	hatch-build-scripts
| WARNING: exit code 1 from a shell command.
NOTE: recipe lib32-python3-spdx-python-model-0.0.4-r0: task do_compile: Failed

https://autobuilder.yoctoproject.org/valkyrie/#/builders/59/builds/3246
https://autobuilder.yoctoproject.org/valkyrie/#/builders/17/builds/3078
https://autobuilder.yoctoproject.org/valkyrie/#/builders/3/builds/3299

Can you have a look at the issue?

Thanks,
Mathieu

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[PATCH 4/5] sbom-cve-check: add recipe

[Benjamin Robin]

Provide sbom-cve-check (native) executable.

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 .../python/python3-sbom-cve-check_1.1.0.bb              | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-sbom-cve-check_1.1.0.bb b/meta/recipes-devtools/python/python3-sbom-cve-check_1.1.0.bb
new file mode 100644
index 000000000000..3d1c581e9f86
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-sbom-cve-check_1.1.0.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Lightweight SBOM CVE analysis tool"
+HOMEPAGE = "https://github.com/bootlin/sbom-cve-check"
+SECTION = "devel/python"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=570a9b3749dd0463a1778803b12a6dce"
+
+PYPI_PACKAGE = "sbom_cve_check"
+SRC_URI[sha256sum] = "953256ac99851ba59bc8649b8023303007ff2981edbc4ee395011bd91c118095"
+
+inherit pypi python_hatchling
+
+RDEPENDS:${PN} += " \
+    python3-spdx-python-model \
+    python3-pyyaml \
+"
+
+BBCLASSEXTEND = "native nativesdk"

-- 
2.53.0

[PATCH 5/5] sbom-cve-check.bbclass: Add class for post-build CVE analysis

[Benjamin Robin]

By default, the CVE databases are downloaded using the following
recipes:
 - sbom-cve-check-update-cvelist-native.bb
 - sbom-cve-check-update-nvd-native.bb

The database download logic is implemented in
sbom-cve-check-update-db.bbclass. The CVE databases are stored in the
download directory (`DL_DIR`). Access to the database is managed using
an exclusive file lock (`flock`) on the directory. During CVE analysis,
sbom-cve-check acquires a shared lock, allowing multiple analyses to
run in parallel. However, if the database is being updated, any
ongoing CVE analysis is temporarily paused.

This design ensures that, under normal circumstances, sbom-cve-check
can run without requiring network access. If a user needs network
access during execution (e.g., to download annotation databases),
they can set `SBOM_CVE_CHECK_ALLOW_NETWORK` to "1".

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 .../sbom-cve-check-update-db.bbclass               | 87 ++++++++++++++++++++
 meta/classes-recipe/sbom-cve-check.bbclass         | 96 ++++++++++++++++++++++
 .../meta/sbom-cve-check-update-cvelist-native.bb   |  7 ++
 .../meta/sbom-cve-check-update-nvd-native.bb       |  7 ++
 4 files changed, 197 insertions(+)

diff --git a/meta/classes-recipe/sbom-cve-check-update-db.bbclass b/meta/classes-recipe/sbom-cve-check-update-db.bbclass
new file mode 100644
index 000000000000..4f62c831eb72
--- /dev/null
+++ b/meta/classes-recipe/sbom-cve-check-update-db.bbclass
@@ -0,0 +1,87 @@
+# SPDX-License-Identifier: MIT
+
+INHIBIT_DEFAULT_DEPS = "1"
+EXCLUDE_FROM_WORLD = "1"
+
+inherit native
+
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+
+SBOM_CVE_CHECK_FETCH_PATH[doc] = "Path to the Git repository to be downloaded. \
+    Should be prefixed by {DL_DIR}/sbom_cve_check/databases/"
+
+SBOM_CVE_CHECK_FETCH_URL[doc] = "Git clone URL of the CVE database"
+
+SBOM_CVE_CHECK_FETCH_INTERVAL ?= "57600"
+SBOM_CVE_CHECK_FETCH_INTERVAL[doc] = "\
+    CVE database update interval, in seconds. By default every 16 hours. \
+    Use 0 to force the update. Use a negative value to skip the update. \
+"
+
+python do_fetch() {
+    from datetime import datetime, timezone, timedelta
+    import fcntl
+    import os
+    import pathlib
+    import subprocess
+
+    bb.utils.export_proxies(d)
+
+    fetch_interval = int(d.get("SBOM_CVE_CHECK_FETCH_INTERVAL"))
+    git_url = d.getVar("SBOM_CVE_CHECK_FETCH_URL")
+    git_dir = pathlib.Path(d.getVar("SBOM_CVE_CHECK_FETCH_PATH"))
+    git_dir.mkdir(parents=True, exist_ok=True)
+
+    def _exec_git_cmd(args):
+        cmd = ["git"]
+        cmd.extend(args)
+        return subprocess.run(
+            cmd,
+            input="",
+            capture_output=True,
+            check=True,
+            cwd=git_dir,
+            encoding="utf-8",
+        )
+
+    # Lock the git directory: take an exclusive lock
+    lock_fd = os.open(git_dir, os.O_RDONLY | os.O_NOCTTY)
+    try:
+        fcntl.flock(lock_fd, fcntl.LOCK_EX)
+
+        # Clone the git repository if it does not exist
+        if not git_dir.joinpath(".git", "HEAD").is_file():
+            _exec_git_cmd(["clone", "--depth", "1", "--single-branch", git_url, "."])
+            return
+
+        # Check if an updated is necessary
+        if fetch_interval < 0:
+            return
+
+        if fetch_interval > 0:
+            # Get date of last commit
+            r = _exec_git_cmd(["show", "-s", "--format=%ct", "HEAD"])
+            commit_date = datetime.fromtimestamp(int(r.stdout.strip()), tz=timezone.utc)
+            delta_last_commit = datetime.now(timezone.utc) - commit_date
+            if delta_last_commit < timedelta(seconds=fetch_interval):
+                return
+
+        _exec_git_cmd(["pull"])
+    except subprocess.SubprocessError as e:
+        bb.error(f"{e.cmd} failed:\n{e.stdout}\n---\n{e.stderr}\n")
+    finally:
+        # Release the exclusive lock
+        os.close(lock_fd)
+}
+
+do_fetch[file-checksums] = ""
+do_fetch[vardeps] = " \
+    SBOM_CVE_CHECK_FETCH_PATH \
+    SBOM_CVE_CHECK_FETCH_URL \
+    SBOM_CVE_CHECK_FETCH_INTERVAL \
+"
+do_fetch[nostamp] = "1"
diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
new file mode 100644
index 000000000000..86e06bdf7c23
--- /dev/null
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -0,0 +1,96 @@
+# SPDX-License-Identifier: MIT
+
+SBOM_CVE_CHECK_WORKDIR ??= "${WORKDIR}/sbom_cve_check"
+SBOM_CVE_CHECK_DEPLOYDIR = "${SBOM_CVE_CHECK_WORKDIR}/image-deploy"
+
+SBOM_CVE_CHECK_EXTRA_ARGS[doc] = "Allow to specify extra arguments to sbom-cve-check. For example to add filtering"
+SBOM_CVE_CHECK_EXTRA_ARGS ?= ""
+
+SBOM_CVE_CHECK_EXPORT_VARS[doc] = "List of variables that declare export files to generate. Each variable must have a 'type' and an 'ext' flag set"
+SBOM_CVE_CHECK_EXPORT_VARS ?= "SBOM_CVE_CHECK_EXPORT_FILE"
+
+SBOM_CVE_CHECK_EXPORT_FILE[doc] = "Default configuration of generated export file"
+SBOM_CVE_CHECK_EXPORT_FILE[type] ?= "spdx3"
+SBOM_CVE_CHECK_EXPORT_FILE[ext] ?= ".cve-check.spdx.json"
+
+SBOM_CVE_CHECK_ALLOW_NETWORK[doc] = "Set to 1 to enable network usage."
+SBOM_CVE_CHECK_ALLOW_NETWORK ?= "0"
+
+python do_sbom_cve_check() {
+    """
+    Task: Run sbom-cve-check analysis on SBOM.
+    """
+    import os
+    import bb
+    from oe.cve_check import update_symlinks
+
+    if not bb.data.inherits_class("vex", d):
+        bb.fatal("Cannot execute sbom-cve-check missing vex inherit.")
+    if not bb.data.inherits_class("create-spdx-3.0", d):
+        bb.fatal("Cannot execute sbom-cve-check missing create-spdx-3.0 inherit.")
+
+    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
+    vex_manifest_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.json")
+    dl_db_dir = d.expand("${DL_DIR}/sbom_cve_check/databases")
+    deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
+    img_link_name = d.getVar("IMAGE_LINK_NAME")
+    img_name = d.getVar("IMAGE_NAME")
+
+    export_files = []
+    for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split():
+        export_ext = d.getVarFlag(export_var, "ext")
+        export_path = f"{deploy_dir}/{img_name}{export_ext}"
+        export_link = f"{deploy_dir}/{img_link_name}{export_ext}"
+        export_type = d.getVarFlag(export_var, "type")
+        export_files.append((export_type, export_path, export_link))
+
+    cmd_env = os.environ.copy()
+    cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = dl_db_dir
+
+    cmd_args = [
+        d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"),
+        "--sbom-path",
+        sbom_path,
+        "--yocto-vex-manifest",
+        vex_manifest_path,
+    ]
+
+    for export_file in export_files:
+        cmd_args.extend(
+            ["--export-type", export_file[0], "--export-path", export_file[1]]
+        )
+
+    cmd_args.extend(d.getVar("SBOM_CVE_CHECK_EXTRA_ARGS").split())
+
+    try:
+        bb.note("Running: {}".format(" ".join(cmd_args)))
+        bb.process.run(cmd_args, env=cmd_env)
+    except bb.process.ExecutionError as e:
+        bb.fatal(
+            f"sbom-cve-check failed with exit code {e.exitcode}\n{e.stdout}\n{e.stderr}"
+        )
+        return
+
+    for export_file in export_files:
+        bb.note(f"sbom-cve-check exported: {export_file[1]}")
+        update_symlinks(export_file[1], export_file[2])
+}
+
+addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build
+
+SSTATETASKS += "do_sbom_cve_check"
+SSTATE_SKIP_CREATION:task-sbom-cve-check = "1"
+do_sbom_cve_check[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
+do_sbom_cve_check[recrdeptask] += "do_create_image_sbom_spdx"
+do_sbom_cve_check[depends] += " \
+    python3-sbom-cve-check-native:do_populate_sysroot \
+    ${@oe.utils.conditional('SBOM_CVE_CHECK_ALLOW_NETWORK','0',' \
+        sbom-cve-check-update-cvelist-native:do_fetch \
+        sbom-cve-check-update-nvd-native:do_fetch \
+    ','',d)} \
+"
+
+do_sbom_cve_check[network] = "${SBOM_CVE_CHECK_ALLOW_NETWORK}"
+do_sbom_cve_check[nostamp] = "1"
diff --git a/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb
new file mode 100644
index 000000000000..cd5ed680b4dd
--- /dev/null
+++ b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb
@@ -0,0 +1,7 @@
+SUMMARY = "Updates the CVE List database"
+LICENSE = "MIT"
+
+SBOM_CVE_CHECK_FETCH_PATH = "${DL_DIR}/sbom_cve_check/databases/cvelist"
+SBOM_CVE_CHECK_FETCH_URL = "https://github.com/CVEProject/cvelistV5.git"
+
+inherit sbom-cve-check-update-db
diff --git a/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb
new file mode 100644
index 000000000000..7add8e6bfba5
--- /dev/null
+++ b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb
@@ -0,0 +1,7 @@
+SUMMARY = "Updates the NVD CVE database"
+LICENSE = "MIT"
+
+SBOM_CVE_CHECK_FETCH_PATH = "${DL_DIR}/sbom_cve_check/databases/nvd-fkie"
+SBOM_CVE_CHECK_FETCH_URL = "https://github.com/fkie-cad/nvd-json-data-feeds.git"
+
+inherit sbom-cve-check-update-db

-- 
2.53.0