For advanced usage of sbom-cve-check, allow users to leverage the internal fetcher (e.g., for downloading annotation databases).
Introduce the SBOM_CVE_CHECK_INTERNAL_FETCHER configuration variable to control this behavior. When set to 1, the do_sbom_cve_check task is granted network access and the task is always run (nostamp = 1). Additionally, allow overriding the default download location for databases fetched by the internal fetcher by introducing the SBOM_CVE_CHECK_DATABASES_DIR Yocto variable.
Signed-off-by: Benjamin Robin <[email protected]>
---
 meta/classes-recipe/sbom-cve-check.bbclass | 26 ++++++++++++++++------
 .../sbom-cve-check/sbom-cve-check-config.inc | 15 +++++++++++++
 2 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
index 3a23888ed6b4..a5c23142b7df 100644
--- a/meta/classes-recipe/sbom-cve-check.bbclass
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -49,7 +49,6 @@ python do_sbom_cve_check() {
     sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
     vex_manifest_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.json")
-    dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR")
     deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
     img_link_name = d.getVar("IMAGE_LINK_NAME")
     img_name = d.getVar("IMAGE_NAME")
@@ -62,16 +61,21 @@ python do_sbom_cve_check() {
         export_type = d.getVarFlag(export_var, "type")
         export_files.append((export_type, export_path, export_link))
-    cmd_env = os.environ.copy()
-    cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = dl_db_dir
-
     cmd_args = [
         d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"),
         "--sbom-path", sbom_path,
-        "--disable-auto-updates"
     ]
+    cmd_env = os.environ.copy()
+    if int(d.getVar("SBOM_CVE_CHECK_INTERNAL_FETCHER")):
+        db_dir = d.getVar("SBOM_CVE_CHECK_DATABASES_DIR")
+        if db_dir:
+            cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = db_dir
+    else:
+        cmd_args.append("--disable-auto-updates")
+        cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR")
+
     # Assume that SPDX_INCLUDE_VEX is set globally to "all", and not only for the
     # image recipe, which is very unlikely. This is not an issue to include the
     # VEX manifest even if not needed.
@@ -97,6 +101,12 @@ python do_sbom_cve_check() {
         update_symlinks(export_file[1], export_file[2])
 }
+python() {
+    if int(d.getVar("SBOM_CVE_CHECK_INTERNAL_FETCHER")):
+        d.setVarFlag("do_sbom_cve_check", "network", "1")
+        d.setVarFlag("do_sbom_cve_check", "nostamp", "1")
+}
+
 addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build
 SSTATETASKS += "do_sbom_cve_check"
@@ -105,8 +115,10 @@ do_sbom_cve_check[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
 do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
 do_sbom_cve_check[depends] += " \
     python3-sbom-cve-check-native:do_populate_sysroot \
-    sbom-cve-check-update-cvelist-native:do_unpack \
-    sbom-cve-check-update-nvd-native:do_unpack \
+    ${@oe.utils.conditional('SBOM_CVE_CHECK_INTERNAL_FETCHER','0',' \
+        sbom-cve-check-update-cvelist-native:do_unpack \
+        sbom-cve-check-update-nvd-native:do_unpack \
+    ','',d)} \
 "
 python do_sbom_cve_check_setscene() {
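Review bot: `if int(d.getVar("SBOM_CVE_CHECK_INTERNAL_FETCHER")):` raises TypeError when the variable is unset (getVar returns None, e.g. if sbom-cve-check-config.inc is not included) and ValueError for any non-numeric value such as "yes", so a misconfiguration aborts the task rather than being reported. The same expression is repeated in the anonymous python() block of the next hunk, while the [depends] hunk compares the raw string against '0', so a value like "2" or "true" takes a different path in each of the three places. Normalizing once would align all of them with the documented 0/1 contract: `if d.getVar("SBOM_CVE_CHECK_INTERNAL_FETCHER") == "1":` here and in python(), and `oe.utils.conditional('SBOM_CVE_CHECK_INTERNAL_FETCHER', '1', '', '<update-recipe dependencies>', d)` in [depends]. Also, when the fetcher is enabled but SBOM_CVE_CHECK_DATABASES_DIR is empty, the environment variable is no longer exported at all, so the tool presumably falls back to its own default location outside the build tree; consider exporting SBOM_CVE_CHECK_DEPLOY_DB_DIR in that case too so the fetched data stays under the build's control. The body of do_sbom_cve_check starts and ends outside this hunk.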
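Review bot: The new anonymous python() block sets `nostamp` on do_sbom_cve_check without recording why, and the reason cannot be recovered from the class itself. A comment above the two setVarFlag calls such as `# With the internal fetcher the databases are downloaded at run time and are not part of the task signature, so the task must re-run on every build.` would capture the rationale; that reading is inferred from the commit message, so confirm it matches the intent. The same comment should note that the `network` flag is what exempts this task from BitBake's per-task network isolation, since anyone auditing which tasks are allowed to reach the network will look here first.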
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc
index d337cef2355c..dd8fb5db11a1 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc
@@ -3,3 +3,18 @@ SBOM_CVE_CHECK_DEPLOY_DB_DIR ??= "${DEPLOY_DIR}/sbom-cve-check/databases"
 SBOM_CVE_CHECK_DEPLOY_DB_DIR[doc] = "Path to the directory where the CVE databases, \
     fetched by the sbom-cve-check-update-* recipes, are extracted for use."
+
+SBOM_CVE_CHECK_DATABASES_DIR ??= ""
+SBOM_CVE_CHECK_DATABASES_DIR[doc] = "Allows to configure the directory where the \
+    CVE databases are extracted for use, if fetched by sbom-cve-check itself. \
+    This variable is only used if SBOM_CVE_CHECK_INTERNAL_FETCHER is set to 1. \
+"
+
+SBOM_CVE_CHECK_INTERNAL_FETCHER ?= "0"
+SBOM_CVE_CHECK_INTERNAL_FETCHER[doc] = "Set to 1 to use sbom-cve-check internal fetcher. \
+    In this case sbom-cve-check task will have access to network, and the downloaded \
+    databases are stored in the default location or in the directory specified by \
+    SBOM_CVE_CHECK_DATABASES_DIR if not empty. \
+    This is useful, if a user needs network access during execution (e.g., to download \
+    annotation databases), they can set `SBOM_CVE_CHECK_ALLOW_NETWORK` to "1". \
+"
-- 
2.53.0
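Review bot: The last two lines of the SBOM_CVE_CHECK_INTERNAL_FETCHER[doc] text tell users to set `SBOM_CVE_CHECK_ALLOW_NETWORK` to "1", but no variable of that name is defined or read anywhere in this patch; the knob that actually grants network access is SBOM_CVE_CHECK_INTERNAL_FETCHER itself, so the sentence points users at a setting that does nothing. Suggest replacing those two lines with `Note that the task then re-runs on every build (nostamp) and is exempted from BitBake's network isolation, and the sbom-cve-check-update-* recipes no longer pin the database contents.` and dropping the reference to the undefined variable. Minor: SBOM_CVE_CHECK_DATABASES_DIR gets a weak default with `??=` while SBOM_CVE_CHECK_INTERNAL_FETCHER uses `?=`; using `??=` for both keeps the file consistent and lets a distro layer supply its own `?=` default.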
