| Message ID | 20260701100045.3903557-1-anna-lena.marx@inovex.de |
|---|---|
| State | New |
| Series | classes-recipe/sbom-cve-check: fix sstate cache mismatch in sbom path |
On Wed, 1 Jul 2026 at 12:00, Anna-Lena Marx via lists.openembedded.org <anna-lena.marx=inovex.de@lists.openembedded.org> wrote:

> Using ${IMAGE_NAME} to construct the sbom_path causes the do_sbom_cve_check
> task to fail in subsequent builds when the image generation is restored from
> the sstate cache.
> ${IMAGE_NAME} utilizes the DATETIME variable via ${IMAGE_VERSION_SUFFIX},
> which is re-evaluated during the current execution.
> This results in a timestamp mismatch with the actually deployed cached
> SPDX artifact.
>
> Switching the path construction to use ${IMAGE_LINK_NAME} ensures the task
> reliably targets the stable symlink in the deploy directory,
> restoring cache determinism and preventing "No such file or directory"
> errors on rebuilds.
>
> Signed-off-by: Anna-Lena Marx <anna-lena.marx@inovex.de>
> ---

Ping Ryan, isn't this what you worked on as well? That patch from Anna-Lena looks like a fix for the regression created by [0] you talked about.

Anna-Lena, do you think your fix is linked to [0]?

[0]: https://git.openembedded.org/openembedded-core/commit/?id=b9f060ea6d54cc419df9ff5f8822a3536934606f

> meta/classes-recipe/sbom-cve-check.bbclass | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta/classes-recipe/sbom-cve-check.bbclass > b/meta/classes-recipe/sbom-cve-check.bbclass > index 451595f1d7..fe145a2212 100644 > --- a/meta/classes-recipe/sbom-cve-check.bbclass > +++ b/meta/classes-recipe/sbom-cve-check.bbclass 
> @@ -14,7 +14,7 @@ python do_sbom_cve_check() { > """ > Task: Run sbom-cve-check analysis on SBOM. > """ > - sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.spdx.json") > + sbom_path = > d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json") > image_name = d.getVar("IMAGE_NAME") > link_name = d.getVar("IMAGE_LINK_NAME") > run_sbom_cve_check(d, sbom_path, image_name, link_name) > -- > 2.55.0
This patch does not look correct as it basically reverts the previous patch, returning to broken builds with empty image link name.

There is, I think, a better patch for this on the mailing list - https://lists.openembedded.org/g/openembedded-core/message/239739

The main problem is that spdx tasks create sstate objects for images. Image tasks are not supposed to do that. I think I’ll send a patch for that some day.

Peter

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Yoann Congal via lists.openembedded.org
Sent: Wednesday, July 1, 2026 12:31 PM
To: anna-lena.marx@inovex.de
Cc: openembedded-core@lists.openembedded.org; Ryan Eatmon <reatmon@ti.com>
Subject: Re: [OE-core] [PATCH] classes-recipe/sbom-cve-check: fix sstate cache mismatch in sbom path

On Wed, 1 Jul 2026 at 12:00, Anna-Lena Marx via lists.openembedded.org <anna-lena.marx=inovex.de@lists.openembedded.org> wrote:

Using ${IMAGE_NAME} to construct the sbom_path causes the do_sbom_cve_check task to fail in subsequent builds when the image generation is restored from the sstate cache.
${IMAGE_NAME} utilizes the DATETIME variable via ${IMAGE_VERSION_SUFFIX}, which is re-evaluated during the current execution.
This results in a timestamp mismatch with the actually deployed cached SPDX artifact.

Switching the path construction to use ${IMAGE_LINK_NAME} ensures the task reliably targets the stable symlink in the deploy directory, restoring cache determinism and preventing "No such file or directory" errors on rebuilds.

Signed-off-by: Anna-Lena Marx <anna-lena.marx@inovex.de>
---

Ping Ryan, isn't this what you worked on as well? That patch from Anna-Lena looks like a fix for the regression created by [0] you talked about.

Anna-Lena, do you think your fix is linked to [0]?

[0]: https://git.openembedded.org/openembedded-core/commit/?id=b9f060ea6d54cc419df9ff5f8822a3536934606f

meta/classes-recipe/sbom-cve-check.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass index 451595f1d7..fe145a2212 100644 --- a/meta/classes-recipe/sbom-cve-check.bbclass +++ b/meta/classes-recipe/sbom-cve-check.bbclass @@ -14,7 +14,7 @@ python do_sbom_cve_check() { """ Task: Run sbom-cve-check analysis on SBOM. """ - sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.spdx.json") + sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json") image_name = d.getVar("IMAGE_NAME") link_name = d.getVar("IMAGE_LINK_NAME") run_sbom_cve_check(d, sbom_path, image_name, link_name) -- 2.55.0

--
Yoann Congal
Smile ECS
diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass index 451595f1d7..fe145a2212 100644 --- a/meta/classes-recipe/sbom-cve-check.bbclass +++ b/meta/classes-recipe/sbom-cve-check.bbclass @@ -14,7 +14,7 @@ python do_sbom_cve_check() { """ Task: Run sbom-cve-check analysis on SBOM. """ - sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.spdx.json") + sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json") image_name = d.getVar("IMAGE_NAME") link_name = d.getVar("IMAGE_LINK_NAME") run_sbom_cve_check(d, sbom_path, image_name, link_name)
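Review bot: the added sbom_path line expands ${IMAGE_LINK_NAME} without checking that it is set, so with an empty link name the path becomes ${DEPLOY_DIR_IMAGE}/.spdx.json and the task ends in the same "No such file or directory" failure the patch is meant to remove. link_name is already read two lines further down; suggest reading it before building sbom_path and, when it is empty, failing early with a message that names the variable instead of passing a path that cannot exist. Separately, image_name is still taken from ${IMAGE_NAME} and handed to run_sbom_cve_check(); if that value is used there to locate or name files, it is subject to the DATETIME re-evaluation the commit message describes, which is worth confirming before merging.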
Using ${IMAGE_NAME} to construct the sbom_path causes the do_sbom_cve_check task to fail in subsequent builds when the image generation is restored from the sstate cache.
${IMAGE_NAME} utilizes the DATETIME variable via ${IMAGE_VERSION_SUFFIX}, which is re-evaluated during the current execution.
This results in a timestamp mismatch with the actually deployed cached SPDX artifact.

Switching the path construction to use ${IMAGE_LINK_NAME} ensures the task reliably targets the stable symlink in the deploy directory, restoring cache determinism and preventing "No such file or directory" errors on rebuilds.

Signed-off-by: Anna-Lena Marx <anna-lena.marx@inovex.de>
---
meta/classes-recipe/sbom-cve-check.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
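
The failure described in the commit message, together with the empty-link-name case raised in the reply, reproduced as an added example (not code from the patch or from OpenEmbedded). It models ${IMAGE_NAME} as a base name plus a DATETIME suffix and the sstate restore as files left behind by the first build; the function names and sample values are constructed.

```python
import os
import tempfile


def sbom_candidates(deploy_dir, basename, datetime, link_name):
    """Paths the old (IMAGE_NAME) and new (IMAGE_LINK_NAME) code would open."""
    # Simplified model: IMAGE_NAME carries the DATETIME of the current run.
    image_name = f"{basename}-{datetime}"
    return {
        "IMAGE_NAME": os.path.join(deploy_dir, f"{image_name}.spdx.json"),
        "IMAGE_LINK_NAME": os.path.join(deploy_dir, f"{link_name}.spdx.json"),
    }


def simulate_rebuild(link_name):
    """Deploy once, then look the SBOM up again with a later DATETIME.

    Returns, per variable, whether the path built from it still exists.
    """
    basename = "core-image-minimal-qemux86-64"  # constructed sample value
    with tempfile.TemporaryDirectory() as deploy_dir:
        first = sbom_candidates(deploy_dir, basename, "20260701100000", link_name)
        # First build: the timestamped SPDX document is written ...
        with open(first["IMAGE_NAME"], "w") as f:
            f.write("{}")
        # ... and the stable symlink only when a link name is configured.
        if link_name:
            os.symlink(os.path.basename(first["IMAGE_NAME"]),
                       first["IMAGE_LINK_NAME"])
        # Second run: artifacts come from the cache, DATETIME is evaluated anew.
        second = sbom_candidates(deploy_dir, basename, "20260701123000", link_name)
        return {var: os.path.exists(path) for var, path in second.items()}


if __name__ == "__main__":
    print("link name set:  ", simulate_rebuild("core-image-minimal-qemux86-64"))
    print("link name empty:", simulate_rebuild(""))
```

With a link name set, only the symlink path survives the second run; with an empty link name neither path exists, so neither variable alone is a safe basis for sbom_path.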