On Thu Jun 25, 2026 at 8:23 PM CEST, Hiago De Franco via lists.openembedded.org wrote:
> "do_sbom_cve_check_recipe" is only added "after do_create_recipe_sbom"
> and is never wired before "do_build", so it does not run as part of a
> normal build. Users who build packages directly or run "bitbake world"
> without producing an image get no CVE analysis.
>
> Add SBOM_CVE_CHECK_RECIPE_AUTO variable that, when enabled, hooks
> do_sbom_cve_check_recipe into do_build for every recipe. This lets
> "bitbake world" run recipe-scoped CVE analysis across the whole package
> feed without first building an image.
>
> The task is only wired for recipes that actually produce a recipe SBOM.
> Recipes inheriting "nospdx" delete "do_create_recipe_sbom" and are
> skipped, to avoid scanning a non-existent SBOM.
>
> Signed-off-by: Hiago De Franco <[email protected]>

Hello,

Isn't that what meta-world-recipe-sbom is for?

To do a world CVE check we do:
bitbake meta-world-recipe-sbom -R conf/distro/include/cve-extra-exclusions.inc -c sbom_cve_check_recipe

See:
* https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/meta/meta-world-recipe-sbom.bb
* https://git.yoctoproject.org/yocto-autobuilder-helper/tree/scripts/run-cvecheck

Regards,

> ---
> Hello,
>
> I tested this with Poky Wrynose, running "bitbake world" from an empty
> build (from scratch). It worked as do_sbom_cve_check_recipe ran for
> every recipe.
>
> This patch is dependent on the patch I sent earlier,
> https://lore.kernel.org/all/[email protected]/.
>
> Thanks,
> Hiago.
> ---
>  meta/classes/sbom-cve-check-common.bbclass | 5 +++++
>  meta/classes/sbom-cve-check-recipe.bbclass | 7 +++++++
>  2 files changed, 12 insertions(+)
>
> diff --git a/meta/classes/sbom-cve-check-common.bbclass 
> b/meta/classes/sbom-cve-check-common.bbclass
> index 32c29a0ec2..236bce8545 100644
> --- a/meta/classes/sbom-cve-check-common.bbclass
> +++ b/meta/classes/sbom-cve-check-common.bbclass
> @@ -52,6 +52,11 @@ SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1"
>  SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched 
> CVEs are found. \
>  Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled"
>  
> +SBOM_CVE_CHECK_RECIPE_AUTO ?= "0"
> +SBOM_CVE_CHECK_RECIPE_AUTO[doc] = "If '1', run do_sbom_cve_check_recipe as 
> part of \
> +    the normal build (do_build) for every recipe. This also includes running 
> CVE \
> +    check for all recipes with 'bitbake world'. Default is '0' (disabled)."
> +
>  def show_warnings_from_file(cvecheck_export_file):
>      import json
>  
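Review bot: the `[doc]` string for SBOM_CVE_CHECK_RECIPE_AUTO should say that it is meant to be set globally (local.conf or distro config) and is evaluated per recipe at parse time, and the cover letter should explain how this differs from the existing `bitbake meta-world-recipe-sbom -c sbom_cve_check_recipe` route mentioned in the reply above, since both aim at whole-feed CVE analysis. The second sentence of the doc text also reads awkwardly; consider something like `When enabled, 'bitbake world' therefore runs the CVE check for every recipe.`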
> diff --git a/meta/classes/sbom-cve-check-recipe.bbclass 
> b/meta/classes/sbom-cve-check-recipe.bbclass
> index c80b8ac83f..084fcf4946 100644
> --- a/meta/classes/sbom-cve-check-recipe.bbclass
> +++ b/meta/classes/sbom-cve-check-recipe.bbclass
> @@ -22,6 +22,13 @@ python do_sbom_cve_check_recipe() {
>  }
>  
>  addtask do_sbom_cve_check_recipe after do_create_recipe_sbom
> +python() {
> +    if oe.types.boolean(d.getVar("SBOM_CVE_CHECK_RECIPE_AUTO") or "0"):
> +        # Recipes that inherit nospdx.bbclass delete do_create_recipe_sbom, 
> so
> +        # skip them to avoid running the check against a missing SBOM.
> +        if d.getVarFlag("do_create_recipe_sbom", "task", False):
> +            bb.build.addtask("do_sbom_cve_check_recipe", "do_build", None, d)
> +}
>  
>  SSTATETASKS += "do_sbom_cve_check_recipe"
>  do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
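Review bot: the comment in this hunk only mentions nospdx.bbclass, but the `d.getVarFlag("do_create_recipe_sbom", "task", False)` guard equally covers any recipe where the SBOM task was never defined at all (for example when the SBOM-producing class is not inherited), so the comment should describe it as a general "task exists" check rather than a nospdx special case. Two smaller points: `or "0"` duplicates the `?= "0"` default set in sbom-cve-check-common.bbclass in the previous hunk and can go if that class is always inherited first; and a one-line comment on why an anonymous Python function is used instead of a plain `addtask ... before do_build` (the wiring has to be conditional on the variable) would help the next reader. It is also worth stating in the commit message that the second `bb.build.addtask` call with `None` as the `after` argument keeps the ordering from the unconditional `addtask do_sbom_cve_check_recipe after do_create_recipe_sbom` line above rather than replacing it.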


-- 
Yoann Congal
Smile ECS
