Hi Davide,

On Fri, Apr 29, 2022 at 4:22 AM Davide Gardenal
<davidegarde2...@gmail.com> wrote:
>
> My idea was to convert cve_check_write_rootfs_manifest to a handler listening 
> for BuildCompleted but then if someone builds more than one image the output 
> is broken.

Actually that is already the case, if one builds multiple images, the
cve manifests tend to include "extra" packages, from recipes built as
part of another image. This tripped me up when I was trying to see
what CVE changed between builds. Another complication is that ordering
of the manifest is not entirely deterministic.

At one point, I worked around this by using 'bitbake -g' to generate
pn-buildlist, and then manually assembling the cve manifest using the
recipe names from pn-buildlist, and the files in tmp/deploy/cve. While
this worked, it was not particularly elegant, and I eventually abandoned
it. Now I just run bitbake several times, once per image, and I
collect the cve manifest between runs. Then some additional
post-processing to sort and compare between runs.

It would be nice to fix the tool if possible. But I have not really
looked into it.

Ralph
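
The per-image filtering and run-to-run comparison described in the message above, as an added example that is not code from this thread or from the cve-check class. It assumes the text manifest consists of blank-line separated records with `PACKAGE NAME:`, `CVE:` and `CVE STATUS:` fields and that pn-buildlist lists one recipe name per line; the recipe names and CVE ids are constructed placeholders.

```python
import re

def parse_manifest(text):
    """Map (recipe, CVE id) -> status from blank-line separated records."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if "PACKAGE NAME" in fields and "CVE" in fields:
            key = (fields["PACKAGE NAME"], fields["CVE"])
            entries[key] = fields.get("CVE STATUS", "")
    return entries

def restrict_to_buildlist(entries, buildlist_text):
    """Drop records for recipes that are not in this image's pn-buildlist."""
    wanted = {ln.strip() for ln in buildlist_text.splitlines() if ln.strip()}
    return {k: v for k, v in entries.items() if k[0] in wanted}

def diff_runs(old, new):
    """Sorted (recipe, cve, before, after) tuples for every status change."""
    changes = []
    for key in sorted(set(old) | set(new)):  # sorting removes ordering noise
        before, after = old.get(key, "absent"), new.get(key, "absent")
        if before != after:
            changes.append((key[0], key[1], before, after))
    return changes

def rec(pkg, cve, status):  # builds one constructed sample record
    return f"PACKAGE NAME: {pkg}\nCVE: {cve}\nCVE STATUS: {status}\n"

# Constructed sample data: placeholder recipes and CVE ids, shuffled order.
RUN1 = "\n".join([rec("pkg-b", "CVE-0000-0002", "Unpatched"),
                  rec("pkg-extra", "CVE-0000-0003", "Unpatched"),
                  rec("pkg-a", "CVE-0000-0001", "Unpatched")])
RUN2 = "\n".join([rec("pkg-a", "CVE-0000-0004", "Unpatched"),
                  rec("pkg-a", "CVE-0000-0001", "Patched"),
                  rec("pkg-b", "CVE-0000-0002", "Unpatched")])
BUILDLIST = "pkg-a\npkg-b\n"

if __name__ == "__main__":
    old = restrict_to_buildlist(parse_manifest(RUN1), BUILDLIST)
    new = restrict_to_buildlist(parse_manifest(RUN2), BUILDLIST)
    for change in diff_runs(old, new):
        print(*change)
```

Without the buildlist filter, the record for `pkg-extra` (a recipe built for a different image) shows up as a spurious change between the two runs.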