Hello Paul,

On Thursday, March 5, 2026 at 2:47 PM, Paul Barker wrote:
> Hi Benjamin,
> 
> Patches 1-5 of this series were accepted, but we had some concerns with
> this one.

Thanks!

> We would prefer not to override do_fetch for sbom-cve-check-update-*.bb.
> We should be able to use the standard git fetcher here, with a hardcoded
> SRCREV to allow offline parsing to succeed. A config fragment should
> then be defined which enables the sbom-cve-check bbclass and sets the
> srcrevs for the update recipes to ${AUTOREV}.

Honestly, I've been considering the best approach for fetching the CVE
databases. While using the Yocto internal fetcher is indeed cleaner, it
raises a few questions:

 - Is it possible to implement updates at fixed intervals (e.g., every X
   hours)? If so, how could this be done?
   If this isn't feasible, it's not a major concern; having the latest
   updates is more important than performance.

 - Would there be any objections to updating the `RM_WORK_EXCLUDE`
   variable within the database update recipes to exclude the recipe
   itself? Unpacking the CVE database is quite slow, especially given its
   size (~3GB).

 - By retaining the unpacked databases, we could store the database index
   in the `$workdir`. This would avoid the need to recompute the database
   index each time, which is something we'd prefer to avoid.

 - However, it feels questionable to use an extracted Git repository from
   another recipe: my whole (new) idea on how to fix this looks wrong.
   I checked how `cve-update-nvd2-native.bb` handles this: the database
   is moved to the download directory. But if we do this, the database
   will still be unpacked for every analysis, which we try to avoid.

My primary aim is to avoid extracting the database repeatedly for every
build, and to be able to keep the database index somewhere.

> Running sbom-cve-check offline should be supported, but manual config
> may be needed to set an appropriate srcrev. We should provide an example
> of this in the docs.

I plan to write documentation (in yocto-docs) as soon as this series is
merged :)

> We should also be able to avoid setting do_sbom_cve_check[nostamp]. With
> dependencies set correctly, this should only re-run if the image changes
> or the cve database has been updated.

I am going to fix that (at least try, see discussion above)!

Best regards,
-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
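For readers following the thread, the layout Paul describes (a pinned SRCREV in the update recipe so parsing and offline builds work, a config fragment that enables the sbom-cve-check class and switches the update recipe to ${AUTOREV}, and a task dependency in place of do_sbom_cve_check[nostamp]) together with the RM_WORK_EXCLUDE idea from the reply could look like the following. This is an added sketch for illustration, not code from this patch series or from openembedded-core. The recipe name `sbom-cve-check-update-example`, the repository URL under `example.invalid`, the all-zero placeholder SRCREV, the MIT licence placeholder, the fragment path and the choice of `do_unpack` as the dependency target are all assumptions; the fixed-interval update asked about in the reply is not attempted here.

```bitbake
# --- recipes-devtools/sbom-cve-check/sbom-cve-check-update-example_git.bb ---
# Hypothetical CVE database update recipe (added example; all names are assumptions).
SUMMARY = "CVE database checkout consumed by the sbom-cve-check class"
# Placeholder licence information; a real recipe uses the database's own licence.
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"

# Standard git fetcher instead of a custom do_fetch. Placeholder URL.
SRC_URI = "git://example.invalid/cve-database.git;protocol=https;branch=main"
# Pinned commit so that recipe parsing and offline builds succeed without
# network access. Placeholder hash; a real recipe pins a known database commit.
SRCREV = "0000000000000000000000000000000000000000"
PV = "0+git"

inherit native

# Keep the unpacked checkout (and any index built next to it in ${WORKDIR})
# across builds instead of letting rm_work delete the work directory.
RM_WORK_EXCLUDE += "${PN}"

# Nothing to build or install: consumers read the checkout from ${S}, which is
# the fetcher's default unpack location for a git SRC_URI.
do_configure[noexec] = "1"
do_compile[noexec] = "1"
do_install[noexec] = "1"

# --- conf/fragments/<layer>/sbom-cve-check-latest.conf (hypothetical path) ---
## SUMMARY: Enable sbom-cve-check and track the newest CVE database on every build
## DESCRIPTION: Inherits the sbom-cve-check class globally and replaces the
## pinned SRCREV of the database update recipe with AUTOREV, so every build
## resolves the tip of the database branch. Leave this fragment disabled for
## offline builds, which then use the commit pinned in the recipe.
INHERIT += "sbom-cve-check"
SRCREV:pn-sbom-cve-check-update-example-native = "${AUTOREV}"

# --- classes/sbom-cve-check.bbclass (dependency only, as a sketch) ---
# Instead of do_sbom_cve_check[nostamp] = "1", depend on the task that produces
# the database checkout. The hash of that do_unpack changes whenever SRCREV
# resolves to a new commit, so do_sbom_cve_check re-runs when the database
# moves or the image changes and is otherwise skipped via its stamp.
do_sbom_cve_check[depends] += "sbom-cve-check-update-example-native:do_unpack"
```

With this split, a default build stays on the pinned commit and works offline; enabling the fragment (for instance `OE_FRAGMENTS += "<layer>/sbom-cve-check-latest"` in local.conf, or `bitbake-config-build enable-fragment <layer>/sbom-cve-check-latest`) is the one switch that turns on the class and the AUTOREV fetch. Note that AUTOREV is resolved when the recipe is parsed, so "latest" means latest at the start of the build, not at the moment the check task runs.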



View/Reply Online (#232500):
https://lists.openembedded.org/g/openembedded-core/message/232500