This series is an RFC and a follow-up to patch 6/6 ("Add class for
post-build CVE analysis"), which was previously discussed [1].
I have prepared two RFC series, this one and another, each exploring
different approaches to handling the download of CVE databases.I explored using BitBake's internal fetcher instead of direct Git calls for fetching CVE databases. However, I encountered two major issues: - No proper shallow clone support: I wanted to clone the repository without downloading the entire history (which is very large). While `BB_GIT_SHALLOW` exists, it creates multiple tarballs in the download directory, which is inefficient for updates. In this series, we are going to do a full clone of the git repository, so this point is not going to be fixed. - Performance overhead for CVE databases deployment: The recipes downloading CVE databases must copy them to the sysroot or to the deploy directory. This requires copying the extracted databases multiple times, even with hard links, which is slow due to the combined size (~6 GB, ~672,000 small files). In this series, we are using a custom deploy task that is going to copy the git repository using rsync directly in the final deploy directory, by-passing all the Bitbake logic. Additionally, there's no built-in way to control the interval between CVE database fetches: In this series, we are going to use AUTOREV, which imply to query the git repositories for each build, to check if there is a new git revision. Moreover, this series ensures that the CVE analysis runs only when the original SBOM changes or when the CVE databases are updated. Upon revisiting the class and its associated recipes, I identified several areas for improvement, which were fixed in the first commit. This series also includes a second commit making the VEX class optional rather than mandatory. [1] https://lore.kernel.org/all/[email protected]/ Signed-off-by: Benjamin Robin <[email protected]> --- Benjamin Robin (2): sbom-cve-check: Download CVE DB using BitBake fetcher sbom-cve-check: VEX class is no longer mandatory .../sbom-cve-check-update-db.bbclass | 87 ---------------------- meta/classes-recipe/sbom-cve-check.bbclass | 63 ++++++++++------ meta/recipes-core/meta/sbom-cve-check-config.inc | 4 + .../meta/sbom-cve-check-update-cvelist-native.bb | 11 ++- .../recipes-core/meta/sbom-cve-check-update-db.inc | 28 +++++++ .../meta/sbom-cve-check-update-nvd-native.bb | 11 ++- 6 files changed, 89 insertions(+), 115 deletions(-) --- base-commit: ac13c78c0b1a73aa3f21a506a8709ecebfd98faf change-id: 20260308-add-sbom-cve-check-p2b-f3d30694d3a5 Best regards, -- Benjamin Robin <[email protected]>
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#232699): https://lists.openembedded.org/g/openembedded-core/message/232699 Mute This Topic: https://lists.openembedded.org/mt/118219723/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
