[PATCH] sbom-cve-check-common: print warnings on unpatched CVEs

[PATCH] sbom-cve-check-common: print warnings on unpatched CVEs

[Antonin Godard]

The now removed cve-check class used to print warnings when CVEs with
status "Unpatched" were found. Add this feature to the
sbom-cve-check class with the same default value (enabled).

For now it only does so when the cvecheck report type is enabled. It may
be possible to do the same for the SPDX report type.

Sample output:

WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: busybox-1.37.0: Found unpatched CVEs: CVE-2024-58251
WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: expat-2.7.5: Found unpatched CVEs: CVE-2025-66382, CVE-2026-41080
WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: glibc-2.43+git: Found unpatched CVEs: CVE-2010-4756, CVE-2026-4046

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
 meta/classes/sbom-cve-check-common.bbclass | 31 ++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/meta/classes/sbom-cve-check-common.bbclass b/meta/classes/sbom-cve-check-common.bbclass
index 6963ad71c61..d84416c8a50 100644
--- a/meta/classes/sbom-cve-check-common.bbclass
+++ b/meta/classes/sbom-cve-check-common.bbclass
@@ -48,6 +48,33 @@ SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES ?= " \
     sbom-cve-check-update-nvd-native:do_patch \
 "
 
+SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1"
+SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched CVEs are found. \
+Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled"
+
+def show_warnings_from_file(cvecheck_export_file):
+    import json
+    report = {}
+
+    try:
+        with open(cvecheck_export_file, "r") as f:
+            report = json.load(f)
+    except (json.JSONDecodeError, UnicodeDecodeError) as e:
+        bb.error(f"Failed to open JSON report file {f}: {e}")
+        return
+
+    packages = report.get("package", [])
+    for package in packages:
+        unpatched = []
+        cves = package.get("issue", [])
+        for cve in cves:
+            if cve["status"] == "Unpatched":
+                unpatched.append(cve["id"])
+        if unpatched:
+            pname = package["name"]
+            version = package["version"]
+            bb.warn(f"{pname}-{version}: Found unpatched CVEs: {', '.join(unpatched)}")
+
 def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
     import os
     import bb
@@ -94,9 +121,13 @@ def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
         bb.error(f"sbom-cve-check failed: {e}")
         return
 
+    show_warnings = oe.utils.vartrue("SBOM_CVE_CHECK_SHOW_WARNINGS", True, False, d)
+
     for export_type, export_file, export_link in export_files:
         bb.note(f"sbom-cve-check exported: {export_file}")
         if export_link:
             update_symlinks(export_file, export_link)
+        if show_warnings and export_type == d.getVarFlag("SBOM_CVE_CHECK_EXPORT_CVECHECK", "type"):
+            show_warnings_from_file(export_file)
 
 

---
base-commit: 9a83f0878b6bacbc7b322cfec076b4e79ad7b8fb
change-id: 20260421-sbom-cve-check-warnings-408de9776bc0

Re: [OE-core] [PATCH] sbom-cve-check-common: print warnings on unpatched CVEs

[Paul Barker]

[-- Attachment #1: Type: text/plain, Size: 3454 bytes --]

On Tue, 2026-04-21 at 11:15 +0200, Antonin Godard via
lists.openembedded.org wrote:
> The now removed cve-check class used to print warnings when CVEs with
> status "Unpatched" were found. Add this feature to the
> sbom-cve-check class with the same default value (enabled).
> 
> For now it only does so when the cvecheck report type is enabled. It may
> be possible to do the same for the SPDX report type.
> 
> Sample output:
> 
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: busybox-1.37.0: Found unpatched CVEs: CVE-2024-58251
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: expat-2.7.5: Found unpatched CVEs: CVE-2025-66382, CVE-2026-41080
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: glibc-2.43+git: Found unpatched CVEs: CVE-2010-4756, CVE-2026-4046
> 
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
>  meta/classes/sbom-cve-check-common.bbclass | 31 ++++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)
> 
> diff --git a/meta/classes/sbom-cve-check-common.bbclass b/meta/classes/sbom-cve-check-common.bbclass
> index 6963ad71c61..d84416c8a50 100644
> --- a/meta/classes/sbom-cve-check-common.bbclass
> +++ b/meta/classes/sbom-cve-check-common.bbclass
> @@ -48,6 +48,33 @@ SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES ?= " \
>      sbom-cve-check-update-nvd-native:do_patch \
>  "
>  
> +SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1"
> +SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched CVEs are found. \
> +Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled"
> +
> +def show_warnings_from_file(cvecheck_export_file):
> +    import json
> +    report = {}

We shouldn't need to initialise report here as it is always set if we
get past the try block below.

> +
> +    try:
> +        with open(cvecheck_export_file, "r") as f:
> +            report = json.load(f)
> +    except (json.JSONDecodeError, UnicodeDecodeError) as e:
> +        bb.error(f"Failed to open JSON report file {f}: {e}")
> +        return
> +
> +    packages = report.get("package", [])
> +    for package in packages:
> +        unpatched = []
> +        cves = package.get("issue", [])
> +        for cve in cves:
> +            if cve["status"] == "Unpatched":
> +                unpatched.append(cve["id"])
> +        if unpatched:
> +            pname = package["name"]
> +            version = package["version"]
> +            bb.warn(f"{pname}-{version}: Found unpatched CVEs: {', '.join(unpatched)}")
> +
>  def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
>      import os
>      import bb
> @@ -94,9 +121,13 @@ def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
>          bb.error(f"sbom-cve-check failed: {e}")
>          return
>  
> +    show_warnings = oe.utils.vartrue("SBOM_CVE_CHECK_SHOW_WARNINGS", True, False, d)

I think this can be:

    show_warnings = bb.utils.to_boolean(d.getVar("SBOM_CVE_CHECK_SHOW_WARNINGS"))

> +
>      for export_type, export_file, export_link in export_files:
>          bb.note(f"sbom-cve-check exported: {export_file}")
>          if export_link:
>              update_symlinks(export_file, export_link)
> +        if show_warnings and export_type == d.getVarFlag("SBOM_CVE_CHECK_EXPORT_CVECHECK", "type"):
> +            show_warnings_from_file(export_file)

Best regards,

-- 
Paul Barker


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: [OE-core] [PATCH] sbom-cve-check-common: print warnings on unpatched CVEs

[Antonin Godard]

Hi Paul,

On Tue Apr 21, 2026 at 1:08 PM CEST, Paul Barker wrote:
[...]
>> +SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1"
>> +SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched CVEs are found. \
>> +Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled"
>> +
>> +def show_warnings_from_file(cvecheck_export_file):
>> +    import json
>> +    report = {}
>
> We shouldn't need to initialise report here as it is always set if we
> get past the try block below.

Yes indeed

[...]
>
> I think this can be:
>
>     show_warnings = bb.utils.to_boolean(d.getVar("SBOM_CVE_CHECK_SHOW_WARNINGS"))

And yes this works too and is slightly shorter. I'll send a v2

Thanks!
Antonin