sbom-cve-check: set PV from upstream tags and ensure version checks are correct

Message ID 20260512101002.2282038-1-alex.kanavin@gmail.com
State Under Review

Commit Message

Alexander Kanavin May 12, 2026, 10:10 a.m. UTC
From: Alexander Kanavin <alex@linutronix.de>

These recipes didn't set PV, which by default is 1.0. This isn't correct:
upstream does provide date-based tags that can be used to perform version upgrades.

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
---
 ...ve.bb => sbom-cve-check-update-cvelist-native_2026-05-07.bb} | 2 +-
 ...bb => sbom-cve-check-update-nvd-native_2026.05.07-000006.bb} | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/sbom-cve-check/{sbom-cve-check-update-cvelist-native.bb => sbom-cve-check-update-cvelist-native_2026-05-07.bb} (88%)
 rename meta/recipes-devtools/sbom-cve-check/{sbom-cve-check-update-nvd-native.bb => sbom-cve-check-update-nvd-native_2026.05.07-000006.bb} (90%)

Comments

Marko, Peter May 12, 2026, 10:14 a.m. UTC | #1
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Alexander Kanavin via
> lists.openembedded.org
> Sent: Tuesday, May 12, 2026 12:10 PM
> To: openembedded-core@lists.openembedded.org
> Cc: Alexander Kanavin <alex@linutronix.de>
> Subject: [OE-core] [PATCH] sbom-cve-check: set PV from upstream tags and
> ensure version checks are correct
> 
> From: Alexander Kanavin <alex@linutronix.de>
> 
> These recipes didn't set PV, which by default is 1.0. This isn't correct:

This is probably an old commit message that claims PV being 1.0.
I can see the version provided in the filenames of the recipes being updated in this commit.

> upstream does provide date-based tags that can be used to perform version
> upgrades.
> 
> Signed-off-by: Alexander Kanavin <alex@linutronix.de>
> ---
>  ...ve.bb => sbom-cve-check-update-cvelist-native_2026-05-07.bb} | 2 +-
>  ...bb => sbom-cve-check-update-nvd-native_2026.05.07-000006.bb} | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>  rename meta/recipes-devtools/sbom-cve-check/{sbom-cve-check-update-cvelist-
> native.bb => sbom-cve-check-update-cvelist-native_2026-05-07.bb} (88%)
>  rename meta/recipes-devtools/sbom-cve-check/{sbom-cve-check-update-nvd-
> native.bb => sbom-cve-check-update-nvd-native_2026.05.07-000006.bb} (90%)
> 
> diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-
> native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-
> cvelist-native_2026-05-07.bb
> similarity index 88%
> rename from meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-
> cvelist-native.bb
> rename to meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-
> cvelist-native_2026-05-07.bb
> index 3763e7f21f..7670172c40 100644
> --- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-
> native.bb
> +++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-
> native_2026-05-07.bb
> @@ -6,7 +6,7 @@ HOMEPAGE = "https://github.com/CVEProject/cvelistV5"
>  SRC_URI =
> "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https;destsuffix="
>  SBOM_CVE_CHECK_DB_NAME = "cvelist"
> 
> -# cve_2026-05-07_1300Z
>  SRCREV = "dd0e93c75034d0167498174c886a56729edc44de"
> +UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>.+)_baseline"
> 
>  require sbom-cve-check-update-db.inc
> diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native_2026.05.07-000006.bb
> similarity index 90%
> rename from meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-
> nvd-native.bb
> rename to meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native_2026.05.07-000006.bb
> index 26a14e6eb1..02446e30ce 100644
> --- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native.bb
> +++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native_2026.05.07-000006.bb
> @@ -6,7 +6,7 @@ HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-
> feeds"
>  SRC_URI = "git://github.com/fkie-cad/nvd-json-data-
> feeds.git;branch=main;protocol=https;destsuffix="
>  SBOM_CVE_CHECK_DB_NAME = "nvd-fkie"
> 
> -# v2026.05.07-000006
>  SRCREV = "72d8841c8ad9083ebf6723063f275444ea0d76f9"
> +UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.+)"
> 
>  require sbom-cve-check-update-db.inc
> --
> 2.47.3

Alexander Kanavin May 12, 2026, 10:23 a.m. UTC | #2
On Tue, 12 May 2026 at 12:14, Marko, Peter <Peter.Marko@siemens.com> wrote:
> This is probably an old commit message that claims PV being 1.0.
> I can see the version provided in the filenames of the recipes being updated in this commit.

The commit updates the filenames from not including a version to
including a version, and is based on current oe-core master. Do you
see something different?

Alex

Marko, Peter May 12, 2026, 10:25 a.m. UTC | #3
> -----Original Message-----
> From: Alexander Kanavin <alex.kanavin@gmail.com>
> Sent: Tuesday, May 12, 2026 12:24 PM
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org; Alexander Kanavin
> <alex@linutronix.de>
> Subject: Re: [OE-core] [PATCH] sbom-cve-check: set PV from upstream tags and
> ensure version checks are correct
> 
> On Tue, 12 May 2026 at 12:14, Marko, Peter <Peter.Marko@siemens.com> wrote:
> > This is probably an old commit message that claims PV being 1.0.
> > I can see the version provided in the filenames of the recipes being updated in this commit.
> 
> The commit updates the filenames from not including a version to
> including a version, and is based on current oe-core master. Do you
> see something different?
> 
> Alex

My bad, sorry.
The original names were shortened with ...

Patch

diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native_2026-05-07.bb
similarity index 88%
rename from meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb
rename to meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native_2026-05-07.bb
index 3763e7f21f..7670172c40 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native_2026-05-07.bb
@@ -6,7 +6,7 @@  HOMEPAGE = "https://github.com/CVEProject/cvelistV5"
 SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https;destsuffix="
 SBOM_CVE_CHECK_DB_NAME = "cvelist"
 
-# cve_2026-05-07_1300Z
 SRCREV = "dd0e93c75034d0167498174c886a56729edc44de"
+UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>.+)_baseline"
 
 require sbom-cve-check-update-db.inc
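
Review bot: The removed `# cve_2026-05-07_1300Z` comment was the only record of which upstream tag the pinned SRCREV corresponds to, and that tag name does not end in `_baseline`, so it would not match the newly added `UPSTREAM_CHECK_GITTAGREGEX`. The commit message describes only the PV change and does not mention the regex or why `_baseline` tags are the ones tracked. Please say which tag series is followed and how a captured `pver` relates to the `2026-05-07` in the new filename, either in the commit message or in a one-line comment above SRCREV, so the next upgrade can be verified against the pinned hash.
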
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native_2026.05.07-000006.bb
similarity index 90%
rename from meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
rename to meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native_2026.05.07-000006.bb
index 26a14e6eb1..02446e30ce 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native_2026.05.07-000006.bb
@@ -6,7 +6,7 @@  HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-feeds"
 SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https;destsuffix="
 SBOM_CVE_CHECK_DB_NAME = "nvd-fkie"
 
-# v2026.05.07-000006
 SRCREV = "72d8841c8ad9083ebf6723063f275444ea0d76f9"
+UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.+)"
 
 require sbom-cve-check-update-db.inc
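
Review bot: In the added `UPSTREAM_CHECK_GITTAGREGEX` line, `v(?P<pver>.+)` accepts any text after a `v`, so a tag that does not have the `v2026.05.07-000006` shape shown in the removed comment would still be taken as a version candidate. Consider constraining the capture to the date-and-counter form, for example `v(?P<pver>\d+\.\d+\.\d+-\d+)`, and keeping a short comment that ties SRCREV to its tag. The commit message should also mention the regex, since it currently explains only the PV change.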