"do_sbom_cve_check_recipe" is only added "after do_create_recipe_sbom"
and is never wired before "do_build", so it does not run as part of a
normal build. Users who build packages directly or run "bitbake world"
without producing an image get no CVE analysis.

Add SBOM_CVE_CHECK_RECIPE_AUTO variable that, when enabled, hooks
do_sbom_cve_check_recipe into do_build for every recipe. This lets
"bitbake world" run recipe-scoped CVE analysis across the whole package
feed without first building an image.

The task is only wired for recipes that actually produce a recipe SBOM.
Recipes inheriting "nospdx" delete "do_create_recipe_sbom" and are
skipped, to avoid scanning a non-existent SBOM.

Signed-off-by: Hiago De Franco <[email protected]>
---
Hello,

I tested this with Poky Wrynose, running "bitbake world" from an empty
build (from scratch). It worked as do_sbom_cve_check_recipe ran for
every recipe.

This patch is dependent on the patch I sent earlier,
https://lore.kernel.org/all/[email protected]/.

Thanks,
Hiago.
---
 meta/classes/sbom-cve-check-common.bbclass | 5 +++++
 meta/classes/sbom-cve-check-recipe.bbclass | 7 +++++++
 2 files changed, 12 insertions(+)

diff --git a/meta/classes/sbom-cve-check-common.bbclass 
b/meta/classes/sbom-cve-check-common.bbclass
index 32c29a0ec2..236bce8545 100644
--- a/meta/classes/sbom-cve-check-common.bbclass
+++ b/meta/classes/sbom-cve-check-common.bbclass
@@ -52,6 +52,11 @@ SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1"
 SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched CVEs 
are found. \
 Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled"
 
+SBOM_CVE_CHECK_RECIPE_AUTO ?= "0"
+SBOM_CVE_CHECK_RECIPE_AUTO[doc] = "If '1', run do_sbom_cve_check_recipe as 
part of \
+    the normal build (do_build) for every recipe. This also includes running 
CVE \
+    check for all recipes with 'bitbake world'. Default is '0' (disabled)."
+
 def show_warnings_from_file(cvecheck_export_file):
     import json
 
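Review bot: the `[doc]` text for SBOM_CVE_CHECK_RECIPE_AUTO promises the task for "every recipe", but the variable is declared here in sbom-cve-check-common.bbclass while the wiring lives in sbom-cve-check-recipe.bbclass and, per the commit message, skips recipes without do_create_recipe_sbom (nospdx). Add a sentence to the doc string stating that sbom-cve-check-recipe must be inherited for the setting to take effect and that recipes with no recipe SBOM are skipped, so the documented behaviour matches what is actually wired.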
diff --git a/meta/classes/sbom-cve-check-recipe.bbclass 
b/meta/classes/sbom-cve-check-recipe.bbclass
index c80b8ac83f..084fcf4946 100644
--- a/meta/classes/sbom-cve-check-recipe.bbclass
+++ b/meta/classes/sbom-cve-check-recipe.bbclass
@@ -22,6 +22,13 @@ python do_sbom_cve_check_recipe() {
 }
 
 addtask do_sbom_cve_check_recipe after do_create_recipe_sbom
+python() {
+    if oe.types.boolean(d.getVar("SBOM_CVE_CHECK_RECIPE_AUTO") or "0"):
+        # Recipes that inherit nospdx.bbclass delete do_create_recipe_sbom, so
+        # skip them to avoid running the check against a missing SBOM.
+        if d.getVarFlag("do_create_recipe_sbom", "task", False):
+            bb.build.addtask("do_sbom_cve_check_recipe", "do_build", None, d)
+}
 
 SSTATETASKS += "do_sbom_cve_check_recipe"
 do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
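Review bot: the guard `if d.getVarFlag("do_create_recipe_sbom", "task", False):` runs inside an anonymous python function, which executes after the whole recipe (including any later `inherit nospdx`) has been parsed, so it is correct regardless of inherit order; the comment should say so, because a reader may assume it is ordered relative to the `addtask` statement directly above. Separately, `bb.build.addtask("do_sbom_cve_check_recipe", "do_build", None, d)` passes `None` for the `after` argument and therefore relies on the dependency recorded by the earlier `addtask do_sbom_cve_check_recipe after do_create_recipe_sbom` line; passing `"do_create_recipe_sbom"` explicitly would make this block self-describing and robust if that line is ever moved.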
-- 
2.53.0
