On Thu Jun 25, 2026 at 8:23 PM CEST, Hiago De Franco via lists.openembedded.org wrote:
> "do_sbom_cve_check_recipe" is only added "after do_create_recipe_sbom"
> and is never wired before "do_build", so it does not run as part of a
> normal build. Users who build packages directly or run "bitbake world"
> without producing an image get no CVE analysis.
>
> Add SBOM_CVE_CHECK_RECIPE_AUTO variable that, when enabled, hooks
> do_sbom_cve_check_recipe into do_build for every recipe. This lets
> "bitbake world" run recipe-scoped CVE analysis across the whole package
> feed without first building an image.
>
> The task is only wired for recipes that actually produce a recipe SBOM.
> Recipes inheriting "nospdx" delete "do_create_recipe_sbom" and are
> skipped, to avoid scanning a non-existent SBOM.
>
> Signed-off-by: Hiago De Franco <[email protected]>
Hello,

Isn't that what meta-world-recipe-sbom is for? To do a world CVE check we do:

bitbake meta-world-recipe-sbom -R conf/distro/include/cve-extra-exclusions.inc -c sbom_cve_check_recipe

See:
* https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/meta/meta-world-recipe-sbom.bb
* https://git.yoctoproject.org/yocto-autobuilder-helper/tree/scripts/run-cvecheck

Regards,

> ---
> Hello,
>
> I tested this with Poky Wrynose, running "bitbake world" from an empty
> build (from scratch). It worked as do_sbom_cve_check_recipe ran for
> every recipe.
>
> This patch is dependent on the patch I sent earlier,
> https://lore.kernel.org/all/[email protected]/.
>
> Thanks,
> Hiago.
> ---
> meta/classes/sbom-cve-check-common.bbclass | 5 +++++
> meta/classes/sbom-cve-check-recipe.bbclass | 7 +++++++
> 2 files changed, 12 insertions(+)
>
> diff --git a/meta/classes/sbom-cve-check-common.bbclass
> b/meta/classes/sbom-cve-check-common.bbclass
> index 32c29a0ec2..236bce8545 100644
> --- a/meta/classes/sbom-cve-check-common.bbclass
> +++ b/meta/classes/sbom-cve-check-common.bbclass
> @@ -52,6 +52,11 @@ SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1"
> SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched
> CVEs are found. \
> Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled"
>
> +SBOM_CVE_CHECK_RECIPE_AUTO ?= "0"
> +SBOM_CVE_CHECK_RECIPE_AUTO[doc] = "If '1', run do_sbom_cve_check_recipe as
> part of \
> + the normal build (do_build) for every recipe. This also includes running
> CVE \
> + check for all recipes with 'bitbake world'. Default is '0' (disabled)."
> +
> def show_warnings_from_file(cvecheck_export_file):
> import json
>
> diff --git a/meta/classes/sbom-cve-check-recipe.bbclass
> b/meta/classes/sbom-cve-check-recipe.bbclass
> index c80b8ac83f..084fcf4946 100644
> --- a/meta/classes/sbom-cve-check-recipe.bbclass
> +++ b/meta/classes/sbom-cve-check-recipe.bbclass
> @@ -22,6 +22,13 @@ python do_sbom_cve_check_recipe() {
> }
>
> addtask do_sbom_cve_check_recipe after do_create_recipe_sbom
> +python() {
> +    if oe.types.boolean(d.getVar("SBOM_CVE_CHECK_RECIPE_AUTO") or "0"):
> +        # Recipes that inherit nospdx.bbclass delete do_create_recipe_sbom,
> so
> +        # skip them to avoid running the check against a missing SBOM.
> +        if d.getVarFlag("do_create_recipe_sbom", "task", False):
> +            bb.build.addtask("do_sbom_cve_check_recipe", "do_build", None, d)
> +}
>
> SSTATETASKS += "do_sbom_cve_check_recipe"
> do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"

--
Yoann Congal
Smile ECS
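Review bot: the new SBOM_CVE_CHECK_RECIPE_AUTO[doc] string in the sbom-cve-check-common.bbclass hunk should explain how this mode relates to the existing meta-world-recipe-sbom target that the reply above already uses for whole-feed checks (`bitbake meta-world-recipe-sbom ... -c sbom_cve_check_recipe`), so a user knows which of the two to reach for. It should also say that the value is parsed as a boolean (the recipe class reads it through oe.types.boolean), since "If '1'" suggests only that literal is honoured.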
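Review bot: in the anonymous python() block of the sbom-cve-check-recipe.bbclass hunk, bb.build.addtask wires do_sbom_cve_check_recipe before do_build for every recipe, and the unchanged context line `SSTATETASKS += "do_sbom_cve_check_recipe"` shows the task is sstate-cached; please confirm that a cached result is not silently reused on later default builds after the CVE database has been refreshed, or document that users must re-run the task explicitly to get current findings. The guard on the do_create_recipe_sbom "task" flag looks right for nospdx recipes; a one-line note in the commit message that the plain `addtask ... after do_create_recipe_sbom` is kept so `bitbake <recipe> -c sbom_cve_check_recipe` still works with the option off would make the intent clearer.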
