Using ${IMAGE_NAME} to construct the sbom_path causes the do_sbom_cve_check
task to fail in subsequent builds when the image generation is restored from
the sstate cache.
${IMAGE_NAME} utilizes the DATETIME variable via ${IMAGE_VERSION_SUFFIX},
which is re-evaluated during the current execution.
This results in a timestamp mismatch with the actually deployed cached
SPDX artifact.

Switching the path construction to use ${IMAGE_LINK_NAME} ensures the task
reliably targets the stable symlink in the deploy directory,
restoring cache determinism and preventing "No such file or directory"
errors on rebuilds.

Signed-off-by: Anna-Lena Marx <[email protected]>
---
 meta/classes-recipe/sbom-cve-check.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes-recipe/sbom-cve-check.bbclass 
b/meta/classes-recipe/sbom-cve-check.bbclass
index 451595f1d7..fe145a2212 100644
--- a/meta/classes-recipe/sbom-cve-check.bbclass
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -14,7 +14,7 @@ python do_sbom_cve_check() {
     """
     Task: Run sbom-cve-check analysis on SBOM.
     """
-    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.spdx.json")
+    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
     image_name = d.getVar("IMAGE_NAME")
     link_name = d.getVar("IMAGE_LINK_NAME")
     run_sbom_cve_check(d, sbom_path, image_name, link_name)
-- 
2.55.0

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239959): 
https://lists.openembedded.org/g/openembedded-core/message/239959
Mute This Topic: https://lists.openembedded.org/mt/120061528/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to