This patch does not look correct as it basically reverts previous patch, 
returning to broken builds with empty image link name.

There is I think a better patch for this on the mailing list - 
https://lists.openembedded.org/g/openembedded-core/message/239739

The main problem is that spdx tasks create sstate objects for images.
Image tasks are not supposed to do that.
I think I’ll send a patch for that some day.

Peter

From: [email protected] 
<[email protected]> On Behalf Of Yoann Congal via 
lists.openembedded.org
Sent: Wednesday, July 1, 2026 12:31 PM
To: [email protected]
Cc: [email protected]; Ryan Eatmon <[email protected]>
Subject: Re: [OE-core] [PATCH] classes-recipe/sbom-cve-check: fix sstate cache 
mismatch in sbom path



Le mer. 1 juil. 2026 à 12:00, Anna-Lena Marx via 
lists.openembedded.org<http://lists.openembedded.org> 
<[email protected]<mailto:[email protected]>>
 a écrit :
Using ${IMAGE_NAME} to construct the sbom_path causes the do_sbom_cve_check
task to fail in subsequent builds when the image generation is restored from
the sstate cache.
${IMAGE_NAME} utilizes the DATETIME variable via ${IMAGE_VERSION_SUFFIX},
which is re-evaluated during the current execution.
This results in a timestamp mismatch with the actually deployed cached
SPDX artifact.

Switching the path construction to use ${IMAGE_LINK_NAME} ensures the task
reliably targets the stable symlink in the deploy directory,
restoring cache determinism and preventing "No such file or directory"
errors on rebuilds.

Signed-off-by: Anna-Lena Marx 
<[email protected]<mailto:[email protected]>>
---

Ping Ryan, isn't what you worked on as well?
That patch from Anna-Lena looks like a fix for the regression created by [0] 
you talked about.

Anna-Lena, do you think your fix is linked to [0]?

[0]: 
https://git.openembedded.org/openembedded-core/commit/?id=b9f060ea6d54cc419df9ff5f8822a3536934606f

 meta/classes-recipe/sbom-cve-check.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes-recipe/sbom-cve-check.bbclass 
b/meta/classes-recipe/sbom-cve-check.bbclass
index 451595f1d7..fe145a2212 100644
--- a/meta/classes-recipe/sbom-cve-check.bbclass
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -14,7 +14,7 @@ python do_sbom_cve_check() {
     """
     Task: Run sbom-cve-check analysis on SBOM.
     """
-    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.spdx.json")
+    sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
     image_name = d.getVar("IMAGE_NAME")
     link_name = d.getVar("IMAGE_LINK_NAME")
     run_sbom_cve_check(d, sbom_path, image_name, link_name)
--
2.55.0





--
Yoann Congal
Smile ECS
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#239961): 
https://lists.openembedded.org/g/openembedded-core/message/239961
Mute This Topic: https://lists.openembedded.org/mt/120061528/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to