This patch series introduces the `sbom-cve-check` tool and its
dependencies. The tool requires `python3-spdx-python-model`, which has
the following build-time dependencies (not required at runtime):

- `python3-hatch-build-scripts`
- `python3-shacl2code`

Additionally, this series includes a post-build CVE analysis class,
similar to the existing `cve-check` functionality.

`sbom-cve-check` is a lightweight SBOM CVE analysis tool, which
supports SBOMs in SPDX 2.2 or SPDX 3.0 formats. The tool is designed as
an efficient replacement for the `cve-check` logic currently available
in the Yocto Project. It fetches data from multiple databases, including NVD
and the CVE List, and supports various annotation formats, such as
OpenVEX and the Yocto Project's custom VEX manifest.

For export, `sbom-cve-check` can generate an SPDX 3.0 file, a
`cve-check`-compatible JSON file, and a summary report that lists all
vulnerabilities per component, styled similarly to the output of the
Yocto Project's `cve-check` class.

For more context on the inclusion of `sbom-cve-check` in OpenEmbedded
Core, see the discussion [1].

For detailed documentation about `sbom-cve-check`, visit [2].

After the inclusion of Joshua's SPDX3 changes ("Add SPDX 3 Recipe
Information") in OE-Core [3], and after the release of sbom-cve-check
1.2.0, I am going to submit a very small follow-up series.

[1] https://lists.openembedded.org/g/openembedded-core/topic/117638558
[2] https://sbom-cve-check.readthedocs.io/
[3] https://lists.openembedded.org/g/openembedded-core/message/231519
Signed-off-by: Benjamin Robin <[email protected]>
---
Benjamin Robin (5):
python3-shacl2code: add recipe
python3-hatch-build-scripts: add recipe
python3-spdx-python-model: add recipe
sbom-cve-check: add recipe
sbom-cve-check.bbclass: Add class for post-build CVE analysis
.../sbom-cve-check-update-db.bbclass | 87 ++++++++++++++++++++
meta/classes-recipe/sbom-cve-check.bbclass | 96 ++++++++++++++++++++++
.../meta/sbom-cve-check-update-cvelist-native.bb | 7 ++
.../meta/sbom-cve-check-update-nvd-native.bb | 7 ++
.../python/python3-hatch-build-scripts_1.0.0.bb | 12 +++
.../python/python3-sbom-cve-check_1.1.0.bb | 17 ++++
.../python/python3-shacl2code_0.0.24.bb | 17 ++++
...enerate-bindings-allow-to-use-local-files.patch | 58 +++++++++++++
.../python/python3-spdx-python-model_0.0.4.bb | 37 +++++++++
9 files changed, 338 insertions(+)
---
base-commit: b8e48562ba273051bcf8cbc62be742ef42a1e622
change-id: 20260223-add-sbom-cve-check-f34614b147dc
Best regards,
--
Benjamin Robin <[email protected]>
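The cover letter above names OpenVEX as one annotation format the tool consumes. The following is an added, self-contained example (editor's illustration, not code from sbom-cve-check or OE-Core) of the core of that step: applying OpenVEX statements to SBOM CVE matches and producing a per-component open/closed summary. The CVE ids, purls and the VEX document are constructed placeholders; the point it makes is that a statement only closes the exact (product, CVE) pair it names, so the same CVE in an unlisted component stays open.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample matches, as an SBOM-to-CVE lookup might yield them.
# CVE ids are placeholders, not real records.
FINDINGS: List[dict] = [
    {"package": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1", "cve": "CVE-0000-0001"},
    {"package": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1", "cve": "CVE-0000-0002"},
    {"package": "busybox", "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1", "cve": "CVE-0000-0001"},
]

# Constructed OpenVEX document (format per https://openvex.dev/); the
# statements cover zlib only, nothing is said about busybox.
OPENVEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/1",
    "author": "example", "timestamp": "2026-01-01T00:00:00Z", "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:generic/zlib@1.3.1"}],
         "status": "not_affected", "justification": "vulnerable_code_not_present"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:generic/zlib@1.3.1"}], "status": "fixed"},
    ],
})

def load_vex_statements(doc: str) -> Dict[Tuple[str, str], dict]:
    """Index OpenVEX statements by (product id, CVE id)."""
    index = {}
    for st in json.loads(doc).get("statements", []):
        for product in st.get("products", []):
            index[(product["@id"], st["vulnerability"]["name"])] = st
    return index

def apply_vex(findings: List[dict], doc: str) -> List[dict]:
    """Annotate each finding; a pair with no statement stays 'affected'."""
    index = load_vex_statements(doc)
    out = []
    for f in findings:
        st = index.get((f["purl"], f["cve"]))
        out.append({**f, "status": st["status"] if st else "affected",
                    "justification": st.get("justification") if st else None})
    return out

def summarize(annotated: List[dict]) -> Dict[str, Dict[str, List[str]]]:
    """Per-component lists of open CVEs and CVEs closed by a VEX statement."""
    summary: Dict[str, Dict[str, List[str]]] = {}
    for a in annotated:
        entry = summary.setdefault(f"{a['package']}-{a['version']}", {"open": [], "closed": []})
        entry["closed" if a["status"] in ("not_affected", "fixed") else "open"].append(a["cve"])
    return summary
```

Statuses `affected` and `under_investigation` are deliberately kept open, so an unfinished triage never silently suppresses a finding.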