On Fri, Jun 26, 2026 at 10:34:44AM +0200, Yoann Congal wrote:
> On Thu Jun 25, 2026 at 8:23 PM CEST, Hiago De Franco via lists.openembedded.org wrote:
> > "do_sbom_cve_check_recipe" is only added "after do_create_recipe_sbom"
> > and is never wired before "do_build", so it does not run as part of a
> > normal build. Users who build packages directly or run "bitbake world"
> > without producing an image get no CVE analysis.
> >
> > Add SBOM_CVE_CHECK_RECIPE_AUTO variable that, when enabled, hooks
> > do_sbom_cve_check_recipe into do_build for every recipe. This lets
> > "bitbake world" run recipe-scoped CVE analysis across the whole package
> > feed without first building an image.
> >
> > The task is only wired for recipes that actually produce a recipe SBOM.
> > Recipes inheriting "nospdx" delete "do_create_recipe_sbom" and are
> > skipped, to avoid scanning a non-existent SBOM.
> >
> > Signed-off-by: Hiago De Franco <[email protected]>
> 
> Hello,
> 
> Isn't what is meta-world-recipe-sbom for?
> 
> To do a world CVE check we do:
> bitbake meta-world-recipe-sbom -R conf/distro/include/cve-extra-exclusions.inc -c sbom_cve_check_recipe
> 
> See:
> * https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/meta/meta-world-recipe-sbom.bb
> * https://git.yoctoproject.org/yocto-autobuilder-helper/tree/scripts/run-cvecheck

Hi Yoann, 

Thanks for sharing this with me, I wasn't aware of that. I tested
locally and it works fine. So I believe this patch can be ignored, sorry
for the noise.

Thanks again,
Hiago.
> 
> Regards,
> 
> > ---
> > Hello,
> >
> > I tested this with Poky Wrynose, running "bitbake world" from an empty
> > build (from scratch). It worked as do_sbom_cve_check_recipe ran for
> > every recipe.
> >
> > This patch is dependent on the patch I sent earlier,
> > https://lore.kernel.org/all/[email protected]/.
> >
> > Thanks,
> > Hiago.
> > ---
> >  meta/classes/sbom-cve-check-common.bbclass | 5 +++++
> >  meta/classes/sbom-cve-check-recipe.bbclass | 7 +++++++
> >  2 files changed, 12 insertions(+)
> >
> > diff --git a/meta/classes/sbom-cve-check-common.bbclass 
> > b/meta/classes/sbom-cve-check-common.bbclass
> > index 32c29a0ec2..236bce8545 100644
> > --- a/meta/classes/sbom-cve-check-common.bbclass
> > +++ b/meta/classes/sbom-cve-check-common.bbclass
> > @@ -52,6 +52,11 @@ SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1"
> >  SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched 
> > CVEs are found. \
> >  Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled"
> >  
> > +SBOM_CVE_CHECK_RECIPE_AUTO ?= "0"
> > +SBOM_CVE_CHECK_RECIPE_AUTO[doc] = "If '1', run do_sbom_cve_check_recipe as 
> > part of \
> > +    the normal build (do_build) for every recipe. This also includes 
> > running CVE \
> > +    check for all recipes with 'bitbake world'. Default is '0' (disabled)."
> > +
> >  def show_warnings_from_file(cvecheck_export_file):
> >      import json
> >  
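Review bot: the new SBOM_CVE_CHECK_RECIPE_AUTO[doc] string says the check runs "for every recipe", but the commit message says recipes inheriting nospdx (which delete do_create_recipe_sbom) are skipped; the doc text should state that exception so users do not expect a report for those recipes. On placement, the variable is defined in sbom-cve-check-common.bbclass but is only consumed by the anonymous function added to sbom-cve-check-recipe.bbclass, so either define it there or say in the doc that it has no effect unless sbom-cve-check-recipe is inherited.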
> > diff --git a/meta/classes/sbom-cve-check-recipe.bbclass 
> > b/meta/classes/sbom-cve-check-recipe.bbclass
> > index c80b8ac83f..084fcf4946 100644
> > --- a/meta/classes/sbom-cve-check-recipe.bbclass
> > +++ b/meta/classes/sbom-cve-check-recipe.bbclass
> > @@ -22,6 +22,13 @@ python do_sbom_cve_check_recipe() {
> >  }
> >  
> >  addtask do_sbom_cve_check_recipe after do_create_recipe_sbom
> > +python() {
> > +    if oe.types.boolean(d.getVar("SBOM_CVE_CHECK_RECIPE_AUTO") or "0"):
> > +        # Recipes that inherit nospdx.bbclass delete 
> > do_create_recipe_sbom, so
> > +        # skip them to avoid running the check against a missing SBOM.
> > +        if d.getVarFlag("do_create_recipe_sbom", "task", False):
> > +            bb.build.addtask("do_sbom_cve_check_recipe", "do_build", None, 
> > d)
> > +}
> >  
> >  SSTATETASKS += "do_sbom_cve_check_recipe"
> >  do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
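Review bot: the new anonymous python() block sits directly under the existing `addtask do_sbom_cve_check_recipe after do_create_recipe_sbom` line with no blank line between them; add one to match the spacing used elsewhere in the file. On substance, the thread points out that a world-wide scan is already reachable with `bitbake meta-world-recipe-sbom -c sbom_cve_check_recipe`, so this hook adds a second trigger for the same work; if it is kept, the guard on the "task" flag of do_create_recipe_sbom is the right way to skip nospdx recipes, and the comment should also say that the bb.build.addtask() call only adds the ordering before do_build and leaves the "after do_create_recipe_sbom" dependency from the static addtask in place, so a later reader does not take that line for redundant.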
> 
> 
> -- 
> Yoann Congal
> Smile ECS
> 
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239656): 
https://lists.openembedded.org/g/openembedded-core/message/239656
Mute This Topic: https://lists.openembedded.org/mt/119978497/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-