public inbox for openembedded-core@lists.openembedded.org
* [RFC PATCH 1/3] sbom-cve-check: refactor do_sbom_cve_check
From: Ross Burton @ 2026-04-02 16:25 UTC (permalink / raw)
  To: openembedded-core; +Cc: benjamin.robin

Extract the bulk of the logic to a separate function, so the task just
has to pass a few variables.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/classes-recipe/sbom-cve-check.bbclass | 29 +++++++++++++---------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
index 4abc427c58..fef6f0c2aa 100644
--- a/meta/classes-recipe/sbom-cve-check.bbclass
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -43,28 +43,24 @@ SBOM_CVE_CHECK_EXPORT_SUMMARY[doc] = "Export configuration to generate a human-r
 SBOM_CVE_CHECK_EXPORT_SUMMARY[type] ?= "summary"
 SBOM_CVE_CHECK_EXPORT_SUMMARY[ext] ?= ".cve.txt"
 
-python do_sbom_cve_check() {
-    """
-    Task: Run sbom-cve-check analysis on SBOM.
-    """
+
+def run_sbom_cve_check(d, recipe_name, link_name=None):
     import os
     import bb
-    from oe.cve_check import update_symlinks
 
     if not bb.data.inherits_class("create-spdx-3.0", d):
-        bb.fatal("Cannot execute sbom-cve-check missing create-spdx-3.0 inherit.")
+        bb.fatal("Cannot execute sbom-cve-check: missing create-spdx-3.0 inherit.")
 
-    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
+    image_deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
+    sbom_path = d.expand(f"{image_deploy_dir}/{recipe_name}.spdx.json")
     dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR")
-    deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
-    img_link_name = d.getVar("IMAGE_LINK_NAME")
-    img_name = d.getVar("IMAGE_NAME")
+    out_deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
 
     export_files = []
     for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split():
         export_ext = d.getVarFlag(export_var, "ext")
-        export_path = f"{deploy_dir}/{img_name}{export_ext}"
-        export_link = f"{deploy_dir}/{img_link_name}{export_ext}"
+        export_path = f"{out_deploy_dir}/{recipe_name}{export_ext}"
+        export_link = f"{out_deploy_dir}/{link_name}{export_ext}" if link_name else None
         export_type = d.getVarFlag(export_var, "type")
         export_files.append((export_type, export_path, export_link))
 
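Review bot: the `from oe.cve_check import update_symlinks` line is dropped at the top of `run_sbom_cve_check`, but the tail of the same function in the next hunk still calls `update_symlinks(export_file, export_link)`; unless the class imports it at module level, the first export that has a link name fails with a NameError at task time. Keep the import inside the function. Two smaller points in this hunk: `d.expand(f"{image_deploy_dir}/{recipe_name}.spdx.json")` expands a string that no longer contains any `${...}` reference, so plain formatting (or `os.path.join`) is enough; and because the path is still derived from `DEPLOY_DIR_IMAGE`, the helper remains image-specific despite the `recipe_name` parameter name. Taking `sbom_path` as an explicit parameter would fix that, and is what the caller in the next hunk already tries to do.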
@@ -96,6 +92,15 @@ python do_sbom_cve_check() {
         bb.note(f"sbom-cve-check exported: {export_file}")
         if export_link:
             update_symlinks(export_file, export_link)
+
+
+python do_sbom_cve_check() {
+    """
+    Task: Run sbom-cve-check analysis on SBOM.
+    """
+    image_name = d.getVar("IMAGE_NAME")
+    link_name = d.getVar("IMAGE_LINK_NAME")
+    run_sbom_cve_check(d, image_name, link_name, sbom_path)
 }
 
 addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build
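Review bot: `run_sbom_cve_check(d, image_name, link_name, sbom_path)` does not match the definition added in the previous hunk, `def run_sbom_cve_check(d, recipe_name, link_name=None)`: it passes four arguments to a three-parameter function, and `sbom_path` is not defined anywhere in the task body, so the task raises a NameError before the call is even made. Either drop the fourth argument or, preferably, add an `sbom_path` parameter to the helper and compute the path in the task; the removed line `sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")` is the value the image task needs. The docstring also still reads "Run sbom-cve-check analysis on SBOM" although the task is now the image-specific entry point; say which SBOM.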
-- 
2.47.1




* [RFC PATCH 2/3] sbom-cve-check: move to classes from classes-recipe
From: Ross Burton @ 2026-04-02 16:25 UTC (permalink / raw)
  To: openembedded-core; +Cc: benjamin.robin

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/{classes-recipe => classes}/sbom-cve-check.bbclass | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename meta/{classes-recipe => classes}/sbom-cve-check.bbclass (100%)

diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes/sbom-cve-check.bbclass
similarity index 100%
rename from meta/classes-recipe/sbom-cve-check.bbclass
rename to meta/classes/sbom-cve-check.bbclass
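Review bot: the patch carries no commit message, only the Signed-off-by, which is what patchtest flags further down the thread. Moving `sbom-cve-check.bbclass` from `classes-recipe/` to `classes/` changes its contract: `classes-recipe/` is for classes that are only inherited by individual recipes, while `classes/` may be inherited both from recipes and globally through INHERIT. The message should state the intended use after the move (the per-recipe task added in the next patch suggests global inheritance) and whether recipes that already `inherit sbom-cve-check` need to change anything.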
-- 
2.47.1




* [RFC PATCH 3/3] sbom-cve-check: add prototype recipe scanning task
From: Ross Burton @ 2026-04-02 16:25 UTC (permalink / raw)
  To: openembedded-core; +Cc: benjamin.robin

Add a new task, sbom_cve_check_recipe, that will do a CVE scan of the
SPDX for the specified recipe.

This is mainly useful for top-level or aggregation packages (e.g.
meta-world-recipe-sbom) as it follows dependencies, so running it on a
single package (e.g. curl) will also show CVEs for its dependencies
(e.g. zlib).

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/classes/sbom-cve-check.bbclass | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/meta/classes/sbom-cve-check.bbclass b/meta/classes/sbom-cve-check.bbclass
index fef6f0c2aa..fc89ab9799 100644
--- a/meta/classes/sbom-cve-check.bbclass
+++ b/meta/classes/sbom-cve-check.bbclass
@@ -94,6 +94,9 @@ def run_sbom_cve_check(d, recipe_name, link_name=None):
             update_symlinks(export_file, export_link)
 
 
+#
+# Scan the SBOM of an image.
+#
 python do_sbom_cve_check() {
     """
     Task: Run sbom-cve-check analysis on SBOM.
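Review bot: the new comment block "Scan the SBOM of an image." documents a task whose name, `do_sbom_cve_check`, does not say image, while the sibling task added in the next hunk is `do_sbom_cve_check_recipe`. Naming the pair symmetrically (`do_sbom_cve_check_image` and `do_sbom_cve_check_recipe`) would make the comment unnecessary and avoid confusion, and the docstring "Run sbom-cve-check analysis on SBOM" should then say which SBOM.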
@@ -119,3 +122,29 @@ python do_sbom_cve_check_setscene() {
     sstate_setscene(d)
 }
 addtask do_sbom_cve_check_setscene
+
+
+#
+# Scan the SBOM of a recipe.
+#
+
+python do_sbom_cve_check_recipe() {
+    recipe = d.getVar("SPDX_RECIPE_SBOM_NAME")
+    run_sbom_cve_check(d, recipe)
+}
+
+addtask do_sbom_cve_check_recipe after do_create_recipe_sbom
+
+SSTATETASKS += "do_sbom_cve_check_recipe"
+do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check_recipe[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check_recipe[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
+do_sbom_cve_check_recipe[depends] += " \
+    python3-sbom-cve-check-native:do_populate_sysroot \
+    sbom-cve-check-update-cvelist-native:do_unpack \
+    sbom-cve-check-update-nvd-native:do_unpack \
+"
+python do_sbom_cve_check_recipe_setscene() {
+    sstate_setscene(d)
+}
+addtask do_sbom_cve_check_recipe_setscene
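Review bot: `run_sbom_cve_check(d, recipe)` hands the helper only a name, and the helper (per the hunk header, `def run_sbom_cve_check(d, recipe_name, link_name=None)`) builds the SBOM path from `DEPLOY_DIR_IMAGE`, so for a recipe it will look for `${DEPLOY_DIR_IMAGE}/<SPDX_RECIPE_SBOM_NAME>.spdx.json`, which is where image SBOMs are deployed, not recipe SBOMs. Pass the path of the SBOM produced by `do_create_recipe_sbom` explicitly. Two related points: `do_sbom_cve_check_recipe[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"` publishes every recipe's report into the image deploy directory, and `cleandirs` on `${SBOM_CVE_CHECK_DEPLOYDIR}` wipes the same directory the helper writes to for the image task (`out_deploy_dir` in the first patch), so a recipe that runs both tasks would have one clobber the other's output; a per-task work directory and a dedicated deploy directory for recipe reports would avoid both. Finally, `addtask do_sbom_cve_check_recipe after do_create_recipe_sbom` has no `before`, so the task is never part of the default build and must be requested explicitly (for example `bitbake -c sbom_cve_check_recipe <recipe>`); the commit message should say so.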
-- 
2.47.1




* Patchtest results for [RFC PATCH 2/3] sbom-cve-check: move to classes from classes-recipe
From: patchtest @ 2026-04-02 16:30 UTC (permalink / raw)
  To: Ross Burton; +Cc: openembedded-core


Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/RFC-2-3-sbom-cve-check-move-to-classes-from-classes-recipe.patch

FAIL: test commit message presence: Please include a commit message on your patch explaining the change (test_mbox.TestMbox.test_commit_message_presence)

PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test CVE tag format: No new CVE patches introduced (test_patch.TestPatch.test_cve_tag_format)
SKIP: test Signed-off-by presence: No new CVE patches introduced (test_patch.TestPatch.test_signed_off_by_presence)
SKIP: test Upstream-Status presence: No new CVE patches introduced (test_patch.TestPatch.test_upstream_status_presence_format)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!


* Re: [RFC PATCH 1/3] sbom-cve-check: refactor do_sbom_cve_check
From: Benjamin Robin @ 2026-04-03  8:19 UTC (permalink / raw)
  To: openembedded-core, Ross Burton

Hello Ross,

I have seen that you have made various previous improvements to the
sbom-cve-check class. Thank you!
Don't hesitate to always add me in CC. Sometimes I am quite busy, and I
may miss the exchange on the mailing list.

For this RFC, I am overall OK with it. There are a few things that need
to be fixed/improved.

On Thursday, April 2, 2026 at 6:25 PM, Ross Burton wrote:
> Extract the bulk of the logic to a separate function, so the task just
> has to pass a few variables.
> 
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
>  meta/classes-recipe/sbom-cve-check.bbclass | 29 +++++++++++++---------
>  1 file changed, 17 insertions(+), 12 deletions(-)
> 
> diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
> index 4abc427c58..fef6f0c2aa 100644
> --- a/meta/classes-recipe/sbom-cve-check.bbclass
> +++ b/meta/classes-recipe/sbom-cve-check.bbclass
> @@ -43,28 +43,24 @@ SBOM_CVE_CHECK_EXPORT_SUMMARY[doc] = "Export configuration to generate a human-r
>  SBOM_CVE_CHECK_EXPORT_SUMMARY[type] ?= "summary"
>  SBOM_CVE_CHECK_EXPORT_SUMMARY[ext] ?= ".cve.txt"
>  
> -python do_sbom_cve_check() {
> -    """
> -    Task: Run sbom-cve-check analysis on SBOM.
> -    """
> +
> +def run_sbom_cve_check(d, recipe_name, link_name=None):

Maybe rename the parameters to: export_base_name and export_link_name?
Another parameter is needed (I guess), the path to the SPDX3 SBOM that needs
to be analyzed.

>      import os
>      import bb
> -    from oe.cve_check import update_symlinks

Do you know why you removed this import?
Is it not necessary? Who imports it globally (if this is the case)?

>  
>      if not bb.data.inherits_class("create-spdx-3.0", d):
> -        bb.fatal("Cannot execute sbom-cve-check missing create-spdx-3.0 inherit.")
> +        bb.fatal("Cannot execute sbom-cve-check: missing create-spdx-3.0 inherit.")
>  
> -    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
> +    image_deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
> +    sbom_path = d.expand(f"{image_deploy_dir}/{recipe_name}.spdx.json")
>      dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR")
> -    deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
> -    img_link_name = d.getVar("IMAGE_LINK_NAME")
> -    img_name = d.getVar("IMAGE_NAME")
> +    out_deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
>  
>      export_files = []
>      for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split():
>          export_ext = d.getVarFlag(export_var, "ext")
> -        export_path = f"{deploy_dir}/{img_name}{export_ext}"
> -        export_link = f"{deploy_dir}/{img_link_name}{export_ext}"
> +        export_path = f"{out_deploy_dir}/{recipe_name}{export_ext}"
> +        export_link = f"{out_deploy_dir}/{link_name}{export_ext}" if link_name else None
>          export_type = d.getVarFlag(export_var, "type")
>          export_files.append((export_type, export_path, export_link))
>  
> @@ -96,6 +92,15 @@ python do_sbom_cve_check() {
>          bb.note(f"sbom-cve-check exported: {export_file}")
>          if export_link:
>              update_symlinks(export_file, export_link)
> +
> +
> +python do_sbom_cve_check() {
> +    """
> +    Task: Run sbom-cve-check analysis on SBOM.
> +    """
> +    image_name = d.getVar("IMAGE_NAME")
> +    link_name = d.getVar("IMAGE_LINK_NAME")
> +    run_sbom_cve_check(d, image_name, link_name, sbom_path)

Here you pass the path to the SBOM, which is (I think) a good idea,
but the variable sbom_path is not declared here.

>  }
>  
>  addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build
> 


-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com






* Re: [RFC PATCH 3/3] sbom-cve-check: add prototype recipe scanning task
From: Benjamin Robin @ 2026-04-03  8:24 UTC (permalink / raw)
  To: openembedded-core, Ross Burton

On Thursday, April 2, 2026 at 6:25 PM, Ross Burton wrote:
> Add a new task, sbom_cve_check_recipe, that will do a CVE scan of the
> SPDX for the specified recipe.
> 
> This is mainly useful for top-level or aggregation packages (e.g.
> meta-world-recipe-sbom) as it follows dependencies, so running it on a
> single package (e.g. curl) will also show CVEs for its dependencies
> (e.g. zlib).
> 
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
>  meta/classes/sbom-cve-check.bbclass | 29 +++++++++++++++++++++++++++++
>  1 file changed, 29 insertions(+)
> 
> diff --git a/meta/classes/sbom-cve-check.bbclass b/meta/classes/sbom-cve-check.bbclass
> index fef6f0c2aa..fc89ab9799 100644
> --- a/meta/classes/sbom-cve-check.bbclass
> +++ b/meta/classes/sbom-cve-check.bbclass
> @@ -94,6 +94,9 @@ def run_sbom_cve_check(d, recipe_name, link_name=None):
>              update_symlinks(export_file, export_link)
>  
>  
> +#
> +# Scan the SBOM of an image.
> +#
>  python do_sbom_cve_check() {
>      """
>      Task: Run sbom-cve-check analysis on SBOM.
> @@ -119,3 +122,29 @@ python do_sbom_cve_check_setscene() {
>      sstate_setscene(d)
>  }
>  addtask do_sbom_cve_check_setscene
> +
> +
> +#
> +# Scan the SBOM of a recipe.
> +#
> +
> +python do_sbom_cve_check_recipe() {
> +    recipe = d.getVar("SPDX_RECIPE_SBOM_NAME")
> +    run_sbom_cve_check(d, recipe)

Call run_sbom_cve_check() with the path of the SPDX3 SBOM file that needs
to be analyzed.

> +}
> +
> +addtask do_sbom_cve_check_recipe after do_create_recipe_sbom
> +
> +SSTATETASKS += "do_sbom_cve_check_recipe"
> +do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
> +do_sbom_cve_check_recipe[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
> +do_sbom_cve_check_recipe[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
> +do_sbom_cve_check_recipe[depends] += " \
> +    python3-sbom-cve-check-native:do_populate_sysroot \
> +    sbom-cve-check-update-cvelist-native:do_unpack \
> +    sbom-cve-check-update-nvd-native:do_unpack \

Maybe we should create a variable that contains the list of
sbom-cve-check-update-* database recipe dependencies. This way, if a user
wants to add a database, they can do it easily and do not need to
duplicate the configuration.

So I am proposing something like this:

SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES ?= " \
   sbom-cve-check-update-cvelist-native:do_unpack \
   sbom-cve-check-update-nvd-native:do_unpack \
"

do_sbom_cve_check_recipe[depends] += " \
   python3-sbom-cve-check-native:do_populate_sysroot \
   ${SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES} \
"


> +"
> +python do_sbom_cve_check_recipe_setscene() {
> +    sstate_setscene(d)
> +}
> +addtask do_sbom_cve_check_recipe_setscene
> 


-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com






* Re: [OE-core] [RFC PATCH 1/3] sbom-cve-check: refactor do_sbom_cve_check
From: Antonin Godard @ 2026-04-03  8:26 UTC (permalink / raw)
  To: ross.burton, openembedded-core; +Cc: benjamin.robin

Hi,

On Thu Apr 2, 2026 at 6:25 PM CEST, Ross Burton via lists.openembedded.org wrote:
[...]
> +
> +
> +python do_sbom_cve_check() {

I'd suggest renaming it to do_sbom_cve_check_image so you'll have
do_sbom_cve_check_image and do_sbom_cve_check_recipe in the third patch and
there's less confusion?

Antonin



* Re: [OE-core] [RFC PATCH 1/3] sbom-cve-check: refactor do_sbom_cve_check
From: Benjamin Robin @ 2026-04-03  8:33 UTC (permalink / raw)
  To: ross.burton, openembedded-core, Antonin Godard

On Friday, April 3, 2026 at 10:26 AM, Antonin Godard wrote:
> Hi,
> 
> On Thu Apr 2, 2026 at 6:25 PM CEST, Ross Burton via lists.openembedded.org wrote:
> [...]
> > +
> > +
> > +python do_sbom_cve_check() {
> 
> I'd suggest renaming it to do_sbom_cve_check_image so you'll have
> do_sbom_cve_check_image and do_sbom_cve_check_recipe in the third patch and
> there's less confusion?
> 
> Antonin
> 

I fully agree with this proposal.
And we should do this change as soon as possible, since we are renaming
a "public" interface.

-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com





