On Fri, Jun 26, 2026 at 10:34:44AM +0200, Yoann Congal wrote:
> On Thu Jun 25, 2026 at 8:23 PM CEST, Hiago De Franco via
> lists.openembedded.org wrote:
> > "do_sbom_cve_check_recipe" is only added "after do_create_recipe_sbom"
> > and is never wired before "do_build", so it does not run as part of a
> > normal build. Users who build packages directly or run "bitbake world"
> > without producing an image get no CVE analysis.
> >
> > Add SBOM_CVE_CHECK_RECIPE_AUTO variable that, when enabled, hooks
> > do_sbom_cve_check_recipe into do_build for every recipe. This lets
> > "bitbake world" run recipe-scoped CVE analysis across the whole package
> > feed without first building an image.
> >
> > The task is only wired for recipes that actually produce a recipe SBOM.
> > Recipes inheriting "nospdx" delete "do_create_recipe_sbom" and are
> > skipped, to avoid scanning a non-existent SBOM.
> >
> > Signed-off-by: Hiago De Franco <[email protected]>
>
> Hello,
>
> Isn't that what meta-world-recipe-sbom is for?
>
> To do a world CVE check we do:
> bitbake meta-world-recipe-sbom -R
> conf/distro/include/cve-extra-exclusions.inc -c sbom_cve_check_recipe
>
> See:
> * https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/meta/meta-world-recipe-sbom.bb
> * https://git.yoctoproject.org/yocto-autobuilder-helper/tree/scripts/run-cvecheck
Hi Yoann, Thanks for sharing this with me, I wasn't aware of that. I tested locally and it works fine. So I believe this patch can be ignored, sorry for the noise. Thanks again, Hiago. > > Regards, > > > --- > > Hello, > > > > I tested this with Poky Wrynose, running "bitbake world" from an empty > > build (from scratch). It worked as do_sbom_cve_check_recipe ran for > > every recipe. > > > > This patch is dependent on the patch I sent earlier, > > https://lore.kernel.org/all/[email protected]/. > > > > Thanks, > > Hiago. > > --- > > meta/classes/sbom-cve-check-common.bbclass | 5 +++++ > > meta/classes/sbom-cve-check-recipe.bbclass | 7 +++++++ > > 2 files changed, 12 insertions(+) > > > > diff --git a/meta/classes/sbom-cve-check-common.bbclass > > b/meta/classes/sbom-cve-check-common.bbclass > > index 32c29a0ec2..236bce8545 100644 > > --- a/meta/classes/sbom-cve-check-common.bbclass > > +++ b/meta/classes/sbom-cve-check-common.bbclass > > @@ -52,6 +52,11 @@ SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1" > > SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched > > CVEs are found. \ > > Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled" > > > > +SBOM_CVE_CHECK_RECIPE_AUTO ?= "0" > > +SBOM_CVE_CHECK_RECIPE_AUTO[doc] = "If '1', run do_sbom_cve_check_recipe as > > part of \ > > + the normal build (do_build) for every recipe. This also includes > > running CVE \ > > + check for all recipes with 'bitbake world'. Default is '0' (disabled)." > > + > > def show_warnings_from_file(cvecheck_export_file): > > import json > > > > diff --git a/meta/classes/sbom-cve-check-recipe.bbclass > > b/meta/classes/sbom-cve-check-recipe.bbclass > > index c80b8ac83f..084fcf4946 100644 > > --- a/meta/classes/sbom-cve-check-recipe.bbclass > > +++ b/meta/classes/sbom-cve-check-recipe.bbclass 
> > @@ -22,6 +22,13 @@ python do_sbom_cve_check_recipe() { > > } > > > > addtask do_sbom_cve_check_recipe after do_create_recipe_sbom > > +python() { > > + if oe.types.boolean(d.getVar("SBOM_CVE_CHECK_RECIPE_AUTO") or "0"): > > + # Recipes that inherit nospdx.bbclass delete > > do_create_recipe_sbom, so > > + # skip them to avoid running the check against a missing SBOM. > > + if d.getVarFlag("do_create_recipe_sbom", "task", False): > > + bb.build.addtask("do_sbom_cve_check_recipe", "do_build", None, > > d) > > +} > > > > SSTATETASKS += "do_sbom_cve_check_recipe" > > do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}" > > > -- > Yoann Congal > Smile ECS >
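Review bot: In the sbom-cve-check-common.bbclass hunk, the `[doc]` text for `SBOM_CVE_CHECK_RECIPE_AUTO` promises the check "for every recipe", but the companion change only wires the task for recipes that still define `do_create_recipe_sbom`, so recipes inheriting nospdx are left out; state that exclusion in the doc so a user who enables this for a full-feed CVE sweep does not read the result as complete coverage, e.g. `"If '1', run do_sbom_cve_check_recipe as part of do_build for every recipe that produces a recipe SBOM (recipes inheriting nospdx are skipped). ..."`. The variable is also defined in the common class but only read by the recipe class; if that placement is deliberate, a one-line comment saying so would avoid a later "move it" cleanup.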
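Review bot: In the sbom-cve-check-recipe.bbclass hunk, the anonymous python skips a recipe silently when `d.getVarFlag("do_create_recipe_sbom", "task", False)` is unset; with `SBOM_CVE_CHECK_RECIPE_AUTO` on, the user is relying on the build for feed-wide coverage, so emit at least a `bb.debug(1, ...)` (or `bb.note`) naming the recipe that was skipped, otherwise a nospdx recipe leaves no trace that it was never scanned. The check also depends on the nospdx `deltask` having already cleared the task flag by the time this anonymous function runs; a comment stating that ordering assumption, or a test with a nospdx recipe, would make it verifiable. Minor: a blank line between the existing `addtask ...` line and `+python() {` would match the surrounding layout. As noted upthread, the same whole-feed run is already reachable with `bitbake meta-world-recipe-sbom -c sbom_cve_check_recipe`, which may make this hook unnecessary.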
View/Reply Online (#239656): https://lists.openembedded.org/g/openembedded-core/message/239656
