[PATCH v2 0/2] sbom-cve-check-update-db: Fix various failures

[PATCH v2 0/2] sbom-cve-check-update-db: Fix various failures

[Benjamin Robin]

This series addresses 2 failures that were not discovered before:
 - The `do_populate_lic` task was failing.
 - The `do_unpack` may fail or remove other CVE databases.

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
Changes in v2:
- Add another fix related to unpacking the databases
- Link to v1: https://patch.msgid.link/20260401-fix-lic-sbom-cve-check-v1-1-29f854d1837f@bootlin.com

---
Benjamin Robin (2):
      sbom-cve-check-update-db: Fix do_populate_lic failure
      sbom-cve-check-update-db: Fix unpack removing other databases

 meta/classes-recipe/sbom-cve-check.bbclass                            | 4 ++--
 .../sbom-cve-check/sbom-cve-check-update-cvelist-native.bb            | 2 +-
 meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc     | 4 +---
 .../sbom-cve-check/sbom-cve-check-update-nvd-native.bb                | 4 ++--
 4 files changed, 6 insertions(+), 8 deletions(-)
---
base-commit: e954a94b5b528b2430e8da331107d7d58287f89b
change-id: 20260401-fix-lic-sbom-cve-check-69d64ad949b4

Best regards,
--  
Benjamin Robin <benjamin.robin@bootlin.com>

[PATCH v2 1/2] sbom-cve-check-update-db: Fix do_populate_lic failure

[Benjamin Robin]

The `do_populate_lic` task was failing because it runs after `do_patch`,
but the indirect dependency on `do_unpack` was lost when the `do_patch`
task was deleted.

It is safe, and even preferable, to retain the `do_patch` task, as this
allows users to apply patches to their CVE databases.

Follow-up to commit 8ef22ad9e302f86b2da4fa81541a464e95b9ef3c
("sbom-cve-check: Add class for post-build CVE analysis").

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 meta/classes-recipe/sbom-cve-check.bbclass                        | 4 ++--
 meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc | 1 -
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
index 6c62a5119dea..4abc427c58f2 100644
--- a/meta/classes-recipe/sbom-cve-check.bbclass
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -106,8 +106,8 @@ do_sbom_cve_check[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
 do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
 do_sbom_cve_check[depends] += " \
     python3-sbom-cve-check-native:do_populate_sysroot \
-    sbom-cve-check-update-cvelist-native:do_unpack \
-    sbom-cve-check-update-nvd-native:do_unpack \
+    sbom-cve-check-update-cvelist-native:do_patch \
+    sbom-cve-check-update-nvd-native:do_patch \
 "
 
 python do_sbom_cve_check_setscene() {
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
index 4e9cef96e8ea..a318e2c40ea9 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
@@ -9,7 +9,6 @@ require sbom-cve-check-config.inc
 SBOM_CVE_CHECK_DB_NAME[doc] = "Database name, which is the Git repository directory name. \
     The git repository will be stored in ${SBOM_CVE_CHECK_DEPLOY_DB_DIR)/"
 
-deltask do_patch
 deltask do_configure
 deltask do_compile
 deltask do_install

-- 
2.53.0

[PATCH v2 2/2] sbom-cve-check-update-db: Fix unpack removing other databases

[Benjamin Robin]

Previously, `UNPACKDIR` was set to `${SBOM_CVE_CHECK_DEPLOY_DB_DIR}`,
which points to the `./databases/` directory and may contain multiple
databases. Since `do_unpack` cleans the `${UNPACKDIR}` directory,
`UNPACKDIR` must only contain a single database.

To address this, set `UNPACKDIR` to
`${SBOM_CVE_CHECK_DEPLOY_DB_DIR}/${SBOM_CVE_CHECK_DB_NAME}` and
configure `destsuffix` to an empty string. However, it is currently not
possible to set `BB_GIT_DEFAULT_DESTSUFFIX` to an empty string, so
`destsuffix` is configured through the SRC_URI instead.

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 .../sbom-cve-check/sbom-cve-check-update-cvelist-native.bb            | 2 +-
 meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc     | 3 +--
 .../sbom-cve-check/sbom-cve-check-update-nvd-native.bb                | 4 ++--
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb
index ce204db6c51a..338712216590 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb
@@ -3,7 +3,7 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
 
 HOMEPAGE = "https://github.com/CVEProject/cvelistV5"
-SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https"
+SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https;destsuffix="
 SBOM_CVE_CHECK_DB_NAME = "cvelist"
 
 # 2026-03-19_baseline
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
index a318e2c40ea9..7ada67363d17 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
@@ -15,6 +15,5 @@ deltask do_install
 deltask do_populate_sysroot
 
 # Directly unpack the fetched CVE database to the deploy directory.
-UNPACKDIR = "${SBOM_CVE_CHECK_DEPLOY_DB_DIR}"
+UNPACKDIR = "${SBOM_CVE_CHECK_DEPLOY_DB_DIR}/${SBOM_CVE_CHECK_DB_NAME}"
 S = "${UNPACKDIR}"
-BB_GIT_DEFAULT_DESTSUFFIX = "${SBOM_CVE_CHECK_DB_NAME}"
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
index 30c7868b2ae7..c868ba09c18d 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
@@ -1,9 +1,9 @@
 SUMMARY = "Updates the NVD CVE database"
 LICENSE = "cve-tou"
-LIC_FILES_CHKSUM = "file://${SBOM_CVE_CHECK_DB_NAME}/LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
+LIC_FILES_CHKSUM = "file://LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
 
 HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-feeds"
-SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https"
+SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https;destsuffix="
 SBOM_CVE_CHECK_DB_NAME = "nvd-fkie"
 
 # v2026.03.19-010002

-- 
2.53.0

Re: [PATCH v2 2/2] sbom-cve-check-update-db: Fix unpack removing other databases

[Antonin Godard]

Hi,

On Tue Apr 7, 2026 at 5:01 PM CEST, Benjamin Robin wrote:
> Previously, `UNPACKDIR` was set to `${SBOM_CVE_CHECK_DEPLOY_DB_DIR}`,
> which points to the `./databases/` directory and may contain multiple
> databases. Since `do_unpack` cleans the `${UNPACKDIR}` directory,
> `UNPACKDIR` must only contain a single database.
>
> To address this, set `UNPACKDIR` to
> `${SBOM_CVE_CHECK_DEPLOY_DB_DIR}/${SBOM_CVE_CHECK_DB_NAME}` and
> configure `destsuffix` to an empty string. However, it is currently not
> possible to set `BB_GIT_DEFAULT_DESTSUFFIX` to an empty string, so
> `destsuffix` is configured through the SRC_URI instead.

I've tested this the following way, first by unpacking the databases with:

SRCREV:pn-sbom-cve-check-update-nvd-native = "ba5e43861ba2ca0f7968597c27c6a412c1bfa8c2"
SRCREV:pn-sbom-cve-check-update-cvelist-native = "6740b38b3e0692bb9c96eb226371ae9e1217c1fd"

Then created a random file in the nvd database checkout:

touch tmp/deploy/sbom-cve-check/databases/nvd-fkie/file.txt

Then I updated the sha for cvelist only:

SRCREV:pn-sbom-cve-check-update-nvd-native = "ba5e43861ba2ca0f7968597c27c6a412c1bfa8c2"
SRCREV:pn-sbom-cve-check-update-cvelist-native = "42e75c927b155335cb1119df9d9b85a58732ad1e"

Ran the unpack again, and file.txt is still there.

Doing the same without this patch, you'd get:

$ ls -l tmp/deploy/sbom-cve-check/databases/nvd-fkie
"tmp/deploy/sbom-cve-check/databases/nvd-fkie": No such file or directory (os error 2)

This fixes the issue for me too, so feel free to add:

Tested-by: Antonin Godard <antonin.godard@bootlin.com>

Antonin