"do_sbom_cve_check_recipe" is only added "after do_create_recipe_sbom" and is never wired before "do_build", so it does not run as part of a normal build. Users who build packages directly or run "bitbake world" without producing an image get no CVE analysis.
Add SBOM_CVE_CHECK_RECIPE_AUTO variable that, when enabled, hooks do_sbom_cve_check_recipe into do_build for every recipe. This lets "bitbake world" run recipe-scoped CVE analysis across the whole package feed without first building an image. The task is only wired for recipes that actually produce a recipe SBOM. Recipes inheriting "nospdx" delete "do_create_recipe_sbom" and are skipped, to avoid scanning a non-existent SBOM. Signed-off-by: Hiago De Franco <[email protected]> --- Hello, I tested this with Poky Wrynose, running "bitbake world" from an empty build (from scratch). It worked as do_sbom_cve_check_recipe ran for every recipe. This patch is dependent on the patch I sent earlier, https://lore.kernel.org/all/[email protected]/. Thanks, Hiago. --- meta/classes/sbom-cve-check-common.bbclass | 5 +++++ meta/classes/sbom-cve-check-recipe.bbclass | 7 +++++++ 2 files changed, 12 insertions(+) diff --git a/meta/classes/sbom-cve-check-common.bbclass b/meta/classes/sbom-cve-check-common.bbclass index 32c29a0ec2..236bce8545 100644 --- a/meta/classes/sbom-cve-check-common.bbclass +++ b/meta/classes/sbom-cve-check-common.bbclass @@ -52,6 +52,11 @@ SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1" SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched CVEs are found. \ Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled" +SBOM_CVE_CHECK_RECIPE_AUTO ?= "0" +SBOM_CVE_CHECK_RECIPE_AUTO[doc] = "If '1', run do_sbom_cve_check_recipe as part of \ + the normal build (do_build) for every recipe. This also includes running CVE \ + check for all recipes with 'bitbake world'. Default is '0' (disabled)." + def show_warnings_from_file(cvecheck_export_file): import json diff --git a/meta/classes/sbom-cve-check-recipe.bbclass b/meta/classes/sbom-cve-check-recipe.bbclass index c80b8ac83f..084fcf4946 100644 --- a/meta/classes/sbom-cve-check-recipe.bbclass +++ b/meta/classes/sbom-cve-check-recipe.bbclass @@ -22,6 +22,13 @@ python do_sbom_cve_check_recipe() { } addtask do_sbom_cve_check_recipe after do_create_recipe_sbom +python() { + if oe.types.boolean(d.getVar("SBOM_CVE_CHECK_RECIPE_AUTO") or "0"): + # Recipes that inherit nospdx.bbclass delete do_create_recipe_sbom, so + # skip them to avoid running the check against a missing SBOM. + if d.getVarFlag("do_create_recipe_sbom", "task", False): + bb.build.addtask("do_sbom_cve_check_recipe", "do_build", None, d) +} SSTATETASKS += "do_sbom_cve_check_recipe" do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}" -- 2.53.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#239589): https://lists.openembedded.org/g/openembedded-core/message/239589 Mute This Topic: https://lists.openembedded.org/mt/119978497/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
