@@ -94,6 +94,9 @@ def run_sbom_cve_check(d, recipe_name, link_name=None):
update_symlinks(export_file, export_link)
+#
+# Scan the SBOM of an image.
+#
python do_sbom_cve_check() {
"""
Task: Run sbom-cve-check analysis on SBOM.
@@ -119,3 +122,29 @@ python do_sbom_cve_check_setscene() {
sstate_setscene(d)
}
addtask do_sbom_cve_check_setscene
+
+
+#
+# Scan the SBOM of a recipe.
+#
+
+python do_sbom_cve_check_recipe() {
+ recipe = d.getVar("SPDX_RECIPE_SBOM_NAME")
+ run_sbom_cve_check(d, recipe)
+}
+
+addtask do_sbom_cve_check_recipe after do_create_recipe_sbom
+
+SSTATETASKS += "do_sbom_cve_check_recipe"
+do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check_recipe[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check_recipe[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
+do_sbom_cve_check_recipe[depends] += " \
+ python3-sbom-cve-check-native:do_populate_sysroot \
+ sbom-cve-check-update-cvelist-native:do_unpack \
+ sbom-cve-check-update-nvd-native:do_unpack \
+"
+python do_sbom_cve_check_recipe_setscene() {
+ sstate_setscene(d)
+}
+addtask do_sbom_cve_check_recipe_setscene
Add a new task, sbom_cve_check_recipe, that will do a CVE scan of the SPDX for the specified recipe. This is mainly useful for top-level or aggregration packages (e.g. meta-world-recipe-sbom) as it follows dependencies, so running it on a single package (e.g. curl) will also show CVEs for its dependencies (e.g. zlib). Signed-off-by: Ross Burton <ross.burton@arm.com> --- meta/classes/sbom-cve-check.bbclass | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+)