@@ -49,7 +49,6 @@ python do_sbom_cve_check() {
sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json")
vex_manifest_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.json")
- dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR")
deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
img_link_name = d.getVar("IMAGE_LINK_NAME")
img_name = d.getVar("IMAGE_NAME")
@@ -62,16 +61,21 @@ python do_sbom_cve_check() {
export_type = d.getVarFlag(export_var, "type")
export_files.append((export_type, export_path, export_link))
- cmd_env = os.environ.copy()
- cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = dl_db_dir
-
cmd_args = [
d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"),
"--sbom-path",
sbom_path,
- "--disable-auto-updates"
]
+ cmd_env = os.environ.copy()
+ if int(d.getVar("SBOM_CVE_CHECK_INTERNAL_FETCHER")):
+ db_dir = d.getVar("SBOM_CVE_CHECK_DATABASES_DIR")
+ if db_dir:
+ cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = db_dir
+ else:
+ cmd_args.append("--disable-auto-updates")
+ cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR")
+
# Assume that SPDX_INCLUDE_VEX is set globally to "all", and not only for the
# image recipe, which is very unlikely. This is not an issue to include the
# VEX manifest even if not needed.
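Review bot: `int(d.getVar("SBOM_CVE_CHECK_INTERNAL_FETCHER"))` on the new line after `cmd_args` raises TypeError when the variable is unset (the `?= "0"` default only helps if the config .inc is included) and ValueError for values such as "true" or "yes"; `if bb.utils.to_boolean(d.getVar("SBOM_CVE_CHECK_INTERNAL_FETCHER")):` handles both and matches how other bitbake switches are parsed. Whatever parser is chosen must agree with the literal `'0'` comparison in the `[depends]` conditional, otherwise a value like "false" could enable the internal-fetcher branch here while also dropping the sbom-cve-check-update-* dependencies, leaving the tool with no database at all. The internal-fetcher branch also deserves a why-comment, e.g. `# Internal fetcher: sbom-cve-check downloads the databases itself, outside bitbake's fetcher (no mirrors, presumably no checksum verification); an empty SBOM_CVE_CHECK_DATABASES_DIR leaves the tool's own default location in use.` do_sbom_cve_check starts before this hunk and continues after it.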
@@ -97,6 +101,12 @@ python do_sbom_cve_check() {
update_symlinks(export_file[1], export_file[2])
}
+python() {
+ if int(d.getVar("SBOM_CVE_CHECK_INTERNAL_FETCHER")):
+ d.setVarFlag("do_sbom_cve_check", "network", "1")
+ d.setVarFlag("do_sbom_cve_check", "nostamp", "1")
+}
+
addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build
SSTATETASKS += "do_sbom_cve_check"
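Review bot: The anonymous python function grants network access to a task that is also listed in SSTATETASKS and marks it nostamp without explaining the trade-off; a comment above it would help: `# Internal fetcher: the task needs network to download the databases itself and is re-run on every build (nostamp) so the result is not stale; this bypasses bitbake's fetcher, so mirrors and checksum verification do not apply.` It repeats the `int(d.getVar(...))` parse that crashes on an unset or non-numeric value; `bb.utils.to_boolean(d.getVar("SBOM_CVE_CHECK_INTERNAL_FETCHER"))` is the safer switch and keeps the two call sites consistent. Whether a nostamp task that is still an sstate task can have a stale sstate object restored by setscene is not visible from the hunk and is worth checking.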
@@ -105,8 +115,10 @@ do_sbom_cve_check[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
do_sbom_cve_check[depends] += " \
python3-sbom-cve-check-native:do_populate_sysroot \
- sbom-cve-check-update-cvelist-native:do_install \
- sbom-cve-check-update-nvd-native:do_install \
+ ${@oe.utils.conditional('SBOM_CVE_CHECK_INTERNAL_FETCHER','0',' \
+ sbom-cve-check-update-cvelist-native:do_install \
+ sbom-cve-check-update-nvd-native:do_install \
+ ','',d)} \
"
python do_sbom_cve_check_setscene() {
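Review bot: `oe.utils.conditional('SBOM_CVE_CHECK_INTERNAL_FETCHER','0', ...)` is a strict string comparison, while the bbclass parses the same variable with `int()`, so any value other than "0"/"1" (e.g. "false") crashes in one place and silently drops the `sbom-cve-check-update-*` dependencies in the other. Use one parser on both sides, e.g. `${@'' if bb.utils.to_boolean(d.getVar('SBOM_CVE_CHECK_INTERNAL_FETCHER')) else 'sbom-cve-check-update-cvelist-native:do_install sbom-cve-check-update-nvd-native:do_install'}`, or validate the value once in the anonymous python function and `bb.fatal` on anything else.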
@@ -3,3 +3,18 @@
SBOM_CVE_CHECK_DEPLOY_DB_DIR ??= "${DEPLOY_DIR}/sbom-cve-check/databases"
SBOM_CVE_CHECK_DEPLOY_DB_DIR[doc] = "Path to the directory where the CVE databases, \
fetched by the sbom-cve-check-update-* recipes, are extracted for use."
+
+SBOM_CVE_CHECK_DATABASES_DIR ??= ""
+SBOM_CVE_CHECK_DATABASES_DIR[doc] = "Allows to configure the directory where the \
+ CVE databases are extracted for use, if fetched by sbom-cve-check itself. \
+ This variable is only used if SBOM_CVE_CHECK_INTERNAL_FETCHER is set to 1. \
+"
+
+SBOM_CVE_CHECK_INTERNAL_FETCHER ?= "0"
+SBOM_CVE_CHECK_INTERNAL_FETCHER[doc] = "Set to 1 to use sbom-cve-check internal fetcher. \
+ In this case sbom-cve-check task will have access to network, and the downloaded \
+ databases are stored in the default location or in the directory specified by \
+ SBOM_CVE_CHECK_DATABASES_DIR if not empty. \
+ This is useful, if a user needs network access during execution (e.g., to download \
+ annotation databases), they can set `SBOM_CVE_CHECK_ALLOW_NETWORK` to "1". \
+"
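Review bot: The last sentence of `SBOM_CVE_CHECK_INTERNAL_FETCHER[doc]` tells users to set `SBOM_CVE_CHECK_ALLOW_NETWORK`, a variable that appears nowhere in this patch; the switch being documented is SBOM_CVE_CHECK_INTERNAL_FETCHER itself. Replace it with something like `This is useful when sbom-cve-check needs network access during execution (e.g. to download annotation databases). The databases are then fetched by the tool itself rather than by bitbake's fetcher, so mirrors and SRC_URI checksum verification do not apply, and the task is re-run on every build.` The doc should also state the accepted values ("0" or "1"), since the bbclass parses the variable with int() and rejects anything else.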
For advanced usage of sbom-cve-check, allow users to leverage the internal fetcher (e.g., for downloading annotation databases). Introduce the SBOM_CVE_CHECK_INTERNAL_FETCHER configuration variable to control this behavior. When set to 1, the do_sbom_cve_check task is granted network access and the task is always run (nostamp = 1). Additionally, allow overriding the default download location for databases fetched by the internal fetcher by introducing the SBOM_CVE_CHECK_DATABASES_DIR Yocto variable. Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com> --- meta/classes-recipe/sbom-cve-check.bbclass | 26 ++++++++++++++++------ .../sbom-cve-check/sbom-cve-check-config.inc | 15 +++++++++++++ 2 files changed, 34 insertions(+), 7 deletions(-)