@@ -41,8 +41,6 @@ python do_sbom_cve_check() {
import bb
from oe.cve_check import update_symlinks
- if not bb.data.inherits_class("vex", d):
- bb.fatal("Cannot execute sbom-cve-check missing vex inherit.")
if not bb.data.inherits_class("create-spdx-3.0", d):
bb.fatal("Cannot execute sbom-cve-check missing create-spdx-3.0 inherit.")
@@ -68,10 +66,14 @@ python do_sbom_cve_check() {
d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"),
"--sbom-path",
sbom_path,
- "--yocto-vex-manifest",
- vex_manifest_path,
]
+ # Assume that SPDX_INCLUDE_VEX is set globally to "all", and not only for the
+ # image recipe, which is very unlikely. This is not an issue to include the
+ # VEX manifest even if not needed.
+ if bb.data.inherits_class("vex", d) and d.getVar("SPDX_INCLUDE_VEX") != "all":
+ cmd_args.extend(["--yocto-vex-manifest", vex_manifest_path])
+
for export_file in export_files:
cmd_args.extend(
["--export-type", export_file[0], "--export-path", export_file[1]]
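Review bot: The new guard on the `if bb.data.inherits_class("vex", d) and d.getVar("SPDX_INCLUDE_VEX") != "all":` line makes CVE analysis depend on a global-configuration assumption that the code cannot check locally: if `SPDX_INCLUDE_VEX` is "all" only in the image recipe, the SPDX documents of its dependencies may lack VEX data while the manifest is also withheld, and the comment itself concedes this while calling it unlikely. Since the commit message states that passing the manifest when it is redundant is harmless, it may be simpler and safer to pass it whenever the vex class is inherited, unless `sbom-cve-check` is known to misbehave on duplicated VEX information; that behaviour is not visible here. Note also that `d.getVar` returns None when the variable is unset, so an unset value takes the manifest branch, which appears intended but is worth stating. The three-line comment above the guard reads awkwardly; something like `# Pass the VEX manifest unless SPDX_INCLUDE_VEX is "all" (then the SPDX 3.0 output already carries the VEX data). Assumes the value is set globally, not only in the image recipe; passing a redundant manifest is harmless.` says the same more directly. The enclosing `do_sbom_cve_check` function and the definition of `vex_manifest_path` lie outside this hunk.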
Execute `sbom-cve-check` with the generated VEX manifest only if enabled and if `SPDX_INCLUDE_VEX` is set to a value other than "all". When `SPDX_INCLUDE_VEX=all`, the SPDX 3.0 file already contains all the necessary information for CVE analysis, making the VEX manifest redundant.
Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
 meta/classes-recipe/sbom-cve-check.bbclass | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)