* [OE-core][question] sbom-cve-check: question about ${DEPLOY_DIR_IMAGE}
From: Ruoqin Zheng (Fujitsu) @ 2026-04-20 1:43 UTC (permalink / raw)
To: openembedded-core@lists.openembedded.org
Hi All
I tried to use sbom-cve-check-recipe and found that the sbom files are copied to ${DEPLOY_DIR_IMAGE}.
This causes a lot of sbom files in the ${DEPLOY_DIR_IMAGE} dir and makes it hard to find the rootfs/kernel that the user wants to find.
./deploy/images/qemux86-64/
......
zlib-native-recipe-sbom.sbom-cve-check.spdx.json
zlib-native-recipe-sbom.sbom-cve-check.yocto.json
zlib-native-recipe-sbom.spdx.json
zlib-recipe-sbom.sbom-cve-check.spdx.json
zlib-recipe-sbom.sbom-cve-check.yocto.json
zlib-recipe-sbom.spdx.json
......
First, I want to ask the design goals of this output dir.
Then I found it was defined in sbom-cve-check-recipe.bbclass and I tried to change it to another dir in local.conf, but it doesn't work.
do_sbom_cve_check_recipe[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
Does anyone know the way to change it outside of sbom-cve-check-recipe.bbclass?
* Re: [OE-core][question] sbom-cve-check: question about ${DEPLOY_DIR_IMAGE}
From: Benjamin Robin @ 2026-04-20 7:38 UTC (permalink / raw)
To: openembedded-core@lists.openembedded.org, Ruoqin Zheng (Fujitsu)
Cc: Ross Burton
Hello,
On Monday, April 20, 2026 at 3:43 AM, Ruoqin Zheng (Fujitsu) wrote:
> Hi All
>
> I tried to use sbom-cve-check-recipe and found that the sbom files are copied to ${DEPLOY_DIR_IMAGE}.
>
> This causes a lot of sbom files in the ${DEPLOY_DIR_IMAGE} dir and makes it hard to find the rootfs/kernel that the user wants to find.
>
> ./deploy/images/qemux86-64/
> ......
> zlib-native-recipe-sbom.sbom-cve-check.spdx.json
> zlib-native-recipe-sbom.sbom-cve-check.yocto.json
> zlib-native-recipe-sbom.spdx.json
> zlib-recipe-sbom.sbom-cve-check.spdx.json
> zlib-recipe-sbom.sbom-cve-check.yocto.json
> zlib-recipe-sbom.spdx.json
> ......
>
> First, I want to ask the design goals of this output dir.
>
> Then I found it was defined in sbom-cve-check-recipe.bbclass and I tried to change it to another dir in local.conf, but it doesn't work.
> do_sbom_cve_check_recipe[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
>
> Does anyone know the way to change it outside of sbom-cve-check-recipe.bbclass?
Currently as designed, without modifying the bbclass, it is not possible to
modify the output directory.
We could create a variable, which is by default set to "${DEPLOY_DIR_IMAGE}"
and use this new variable to configure sstate-outputdirs.
Or we could simply replace the line by:
do_sbom_cve_check_recipe[sstate-outputdirs] ?= "${DEPLOY_DIR_IMAGE}"
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
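A worked version of the two options above, as an added example rather than the class's own code; the variable name SBOM_CVE_CHECK_RECIPE_DEPLOYDIR and the path ${DEPLOY_DIR}/recipe-sboms are assumed for illustration. The reason a local.conf override of the current line has no effect is parse order: local.conf is read via bitbake.conf before any recipe inherits the class, so a plain "=" in the class wins, while "?=" only assigns when the flag is still unset.

```bitbake
# --- sbom-cve-check-recipe.bbclass as quoted in the thread ---
# Parsed when a recipe inherits the class, i.e. after local.conf,
# so any value set in local.conf is silently overridden here.
do_sbom_cve_check_recipe[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"

# --- Option 1: dedicated variable (hypothetical name) ---
# In the bbclass: weak default, routed through the flag.
SBOM_CVE_CHECK_RECIPE_DEPLOYDIR ?= "${DEPLOY_DIR_IMAGE}"
do_sbom_cve_check_recipe[sstate-outputdirs] = "${SBOM_CVE_CHECK_RECIPE_DEPLOYDIR}"
# In local.conf: keep per-recipe SBOMs out of the image directory
# (constructed path, chosen only for this example).
SBOM_CVE_CHECK_RECIPE_DEPLOYDIR = "${DEPLOY_DIR}/recipe-sboms"

# --- Option 2: weak assignment on the flag itself ---
# In the bbclass:
do_sbom_cve_check_recipe[sstate-outputdirs] ?= "${DEPLOY_DIR_IMAGE}"
# In local.conf (parsed first, so the "?=" in the class leaves it alone):
do_sbom_cve_check_recipe[sstate-outputdirs] = "${DEPLOY_DIR}/recipe-sboms"
```

Both options change only the destination; the class's matching sstate-inputdirs entry stays as it is.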
* Re: [OE-core][question] sbom-cve-check: question about ${DEPLOY_DIR_IMAGE}
From: Ross Burton @ 2026-04-20 15:25 UTC (permalink / raw)
To: zhengrq.fnst@fujitsu.com; +Cc: openembedded-core@lists.openembedded.org
On 20 Apr 2026, at 02:43, zhengruoqin via lists.openembedded.org <zhengrq.fnst=fujitsu.com@lists.openembedded.org> wrote:
>
> Hi All
> I tried to use sbom-cve-check-recipe and found that the sbom files are copied to ${DEPLOY_DIR_IMAGE}.
> This causes a lot of sbom files in the ${DEPLOY_DIR_IMAGE} dir and makes it hard to find the rootfs/kernel that the user wants to find.
> ./deploy/images/qemux86-64/
As I said in the commit that introduced this class, it has very limited use outside of a few recipes. You absolutely would not call the task on every recipe in a build, because each SBOM will include all of the dependencies of each recipe.
If you want to scan a build then the image sbom is what you’re after. If you want to scan “world” then meta-world-recipe-sbom is a specialised target for that purpose.
Ross
* Re: [OE-core][question] sbom-cve-check: question about ${DEPLOY_DIR_IMAGE}
From: Ruoqin Zheng (Fujitsu) @ 2026-04-21 7:31 UTC (permalink / raw)
To: Ross Burton; +Cc: openembedded-core@lists.openembedded.org
Hi Ross
Thank you for your answer.
Now I want to generate cve info for each recipe in the image.
Now "bitbake image-name" only generates cve info for the image, and as I understand,
without "bitbake recipe-name -c sbom_cve_check_recipe", there is no way to do that.
As the old cve-check.bbclass has been removed, I want to know if there is a way to generate cve info for each recipe in the image?
* Re: [OE-core][question] sbom-cve-check: question about ${DEPLOY_DIR_IMAGE}
From: Ross Burton @ 2026-04-21 10:20 UTC (permalink / raw)
To: Ruoqin Zheng (Fujitsu); +Cc: openembedded-core@lists.openembedded.org
On 21 Apr 2026, at 08:31, Ruoqin Zheng (Fujitsu) <zhengrq.fnst@fujitsu.com> wrote:
>
> Hi Ross
> Thank you for your answer.
> Now I want to generate cve info for each recipe in the image.
> Now "bitbake image-name" only generates cve info for the image, and as I understand,
> without "bitbake recipe-name -c sbom_cve_check_recipe", there is no way to do that.
>
> As the old cve-check.bbclass has been removed, I want to know if there is a way to generate cve info for each recipe in the image?
The do_sbom_cve_check task will report CVEs for all *packages* that are in the image, which is probably what you want: a list of known issues in the code that you’re deploying.
If you care about more than just what you’re deploying then I suggest meta-world-recipe-sbom.
Ross