From: "Antonin Godard" <antonin.godard@bootlin.com>
To: "Benjamin Robin" <benjamin.robin@bootlin.com>,
<openembedded-core@lists.openembedded.org>
Cc: <richard.purdie@linuxfoundation.org>, <rybczynska@gmail.com>,
<ross.burton@arm.com>, <peter.marko@siemens.com>,
<jpewhacker@gmail.com>, <olivier.benjamin@bootlin.com>,
<mathieu.dubois-briand@bootlin.com>,
<thomas.petazzoni@bootlin.com>
Subject: Re: [PATCH v7 1/2] sbom-cve-check: Add class for post-build CVE analysis
Date: Tue, 24 Mar 2026 10:21:49 +0100 [thread overview]
Message-ID: <DHAWHQYPBPQA.6MRY3SGOMM9Z@bootlin.com> (raw)
In-Reply-To: <20260323-add-sbom-cve-check-v7-1-870eb8e145ad@bootlin.com>
Hi,
Thanks for the new version. I'll suggest a simplification to how the databases
are unpacked, since I understand this is a costly operation.
This gets rid of the do_install() task, and rsync-native dependency. What this
does is let the BitBake fetcher handle the unpacking/checkout of the databases
directly in the DEPLOYDIR. This simplifies the recipe and removes one copy
operation, I think.
I've successfully generated the two json output files with this (with the class
added for the core-image-minimal build).
diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
index c51ea45759..a5c23142b7 100644
--- a/meta/classes-recipe/sbom-cve-check.bbclass
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -116,8 +116,8 @@ do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
do_sbom_cve_check[depends] += " \
python3-sbom-cve-check-native:do_populate_sysroot \
${@oe.utils.conditional('SBOM_CVE_CHECK_INTERNAL_FETCHER','0',' \
- sbom-cve-check-update-cvelist-native:do_install \
- sbom-cve-check-update-nvd-native:do_install \
+ sbom-cve-check-update-cvelist-native:do_unpack \
+ sbom-cve-check-update-nvd-native:do_unpack \
','',d)} \
"
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db
.inc
index 5d7a07001c..6a968e941c 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
@@ -9,13 +9,12 @@ require sbom-cve-check-config.inc
SBOM_CVE_CHECK_DB_NAME[doc] = "Database name, which is the Git repository directory name. \
The git repository will be stored in ${SBOM_CVE_CHECK_DEPLOY_DB_DIR)/"
-DEPENDS += "rsync-native"
-ALLOW_EMPTY:${PN} = "1"
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
-# In the install task, also deploy directly to ${DEPLOY_DIR} using rsync.
-# This is an hack, we are not using do_deploy to prevent multiple unnecessary copy of the CVE database.
-do_install() {
- dst="${SBOM_CVE_CHECK_DEPLOY_DB_DIR}/${SBOM_CVE_CHECK_DB_NAME}"
- mkdir -p "$dst"
- rsync -aH --delete --link-dest="${S}/" "${S}/" "${dst}/"
-}
+UNPACKDIR = "${SBOM_CVE_CHECK_DEPLOY_DB_DIR}"
+S = "${UNPACKDIR}"
+BB_GIT_DEFAULT_DESTSUFFIX = "${SBOM_CVE_CHECK_DB_NAME}"
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-up
date-nvd-native.bb
index 46c86952a1..30c7868b2a 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
@@ -1,6 +1,6 @@
SUMMARY = "Updates the NVD CVE database"
LICENSE = "cve-tou"
-LIC_FILES_CHKSUM = "file://LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
+LIC_FILES_CHKSUM = "file://${SBOM_CVE_CHECK_DB_NAME}/LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-feeds"
SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https"
Antonin
next prev parent reply other threads:[~2026-03-24 9:22 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-23 16:12 [PATCH v7 0/2] sbom-cve-check: add CVE analysis tool and class Benjamin Robin
2026-03-23 16:12 ` [PATCH v7 1/2] sbom-cve-check: Add class for post-build CVE analysis Benjamin Robin
2026-03-24 9:21 ` Antonin Godard [this message]
2026-03-24 10:12 ` Benjamin Robin
2026-03-23 16:12 ` [PATCH v7 2/2] sbom-cve-check: allows to use network and internal fetcher Benjamin Robin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DHAWHQYPBPQA.6MRY3SGOMM9Z@bootlin.com \
--to=antonin.godard@bootlin.com \
--cc=benjamin.robin@bootlin.com \
--cc=jpewhacker@gmail.com \
--cc=mathieu.dubois-briand@bootlin.com \
--cc=olivier.benjamin@bootlin.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=peter.marko@siemens.com \
--cc=richard.purdie@linuxfoundation.org \
--cc=ross.burton@arm.com \
--cc=rybczynska@gmail.com \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox