On Thu, 2026-02-26 at 18:01 +0100, Benjamin Robin via
lists.openembedded.org wrote:
> By default, the CVE databases are downloaded using the following
> recipes:
>  - sbom-cve-check-update-cvelist-native.bb
>  - sbom-cve-check-update-nvd-native.bb
> 
> The database download logic is implemented in
> sbom-cve-check-update-db.bbclass. The CVE databases are stored in the
> download directory (`DL_DIR`). Access to the database is managed using
> an exclusive file lock (`flock`) on the directory. During CVE analysis,
> sbom-cve-check acquires a shared lock, allowing multiple analyses to
> run in parallel. However, if the database is being updated, any
> ongoing CVE analysis is temporarily paused.
> 
> This design ensures that, under normal circumstances, sbom-cve-check
> can run without requiring network access. If a user needs network
> access during execution (e.g., to download annotation databases),
> they can set `SBOM_CVE_CHECK_ALLOW_NETWORK` to "1".
> 
> Signed-off-by: Benjamin Robin <[email protected]>

Hi Benjamin,

Patches 1-5 of this series were accepted, but we had some concerns with
this one.

We would prefer not to override do_fetch for sbom-cve-check-update-*.bb.
We should be able to use the standard git fetcher here, with a hardcoded
SRCREV to allow offline parsing to succeed. A config fragment should
then be defined which enables the sbom-cve-check bbclass and sets the
srcrevs for the update recipes to ${AUTOREV}.

Running sbom-cve-check offline should be supported, but manual config
may be needed to set an appropriate srcrev. We should provide an example
of this in the docs.

We should also be able to avoid setting do_sbom_cve_check[nostamp]. With
dependencies set correctly, this should only re-run if the image changes
or the cve database has been updated.

Best regards,

-- 
Paul Barker

View/Reply Online (#232491): 
https://lists.openembedded.org/g/openembedded-core/message/232491