new file mode 100644
@@ -0,0 +1,35 @@
+# SPDX-License-Identifier: MIT
+
+# Perform CVE analysis on recipe SBOMs using sbom-cve-check.
+#
+# This will analyse the entire SBOM for the recipe, so the recipe itself and
+# all of the dependencies. It is expected that for most purposes
+# sbom-cve-check.bbclass is preferred as that will analyse what is deployed
+# in an image.
+
+inherit sbom-cve-check-common
+
+python do_sbom_cve_check_recipe() {
+ """
+ Task: Run sbom-cve-check analysis on a recipe SBOM.
+ """
+ sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${SPDX_RECIPE_SBOM_NAME}.spdx.json")
+ recipe = d.getVar("SPDX_RECIPE_SBOM_NAME")
+ run_sbom_cve_check(d, sbom_path, recipe)
+}
+
+addtask do_sbom_cve_check_recipe after do_create_recipe_sbom
+
+SSTATETASKS += "do_sbom_cve_check_recipe"
+do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check_recipe[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
+do_sbom_cve_check_recipe[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
+do_sbom_cve_check_recipe[depends] += " \
+ python3-sbom-cve-check-native:do_populate_sysroot \
+ ${SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES} \
+"
+
+python do_sbom_cve_check_recipe_setscene() {
+ sstate_setscene(d)
+}
+addtask do_sbom_cve_check_recipe_setscene
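Review bot: The `addtask do_sbom_cve_check_recipe after do_create_recipe_sbom` line registers the task without a `before do_build`, so it will not run in a normal build and the class header does not say how it is meant to be triggered; a reader inheriting this for the "metrics" use case described in the commit will expect a report to appear. I would add to the header comment something like `# The task is not part of the default build graph; run it explicitly with` `# bitbake <recipe> -c sbom_cve_check_recipe, or add it to a task dependency.` Separately, the task reads its input from the shared `${DEPLOY_DIR_IMAGE}` and stages its output back into the same directory via `[sstate-outputdirs]`, the directory the image variant of this class also uses; if `run_sbom_cve_check` derives its report name from the `recipe` argument (here `SPDX_RECIPE_SBOM_NAME`), it is worth confirming that an image recipe inheriting both classes cannot produce colliding report filenames, and noting the output path in the header. `run_sbom_cve_check` and `SBOM_CVE_CHECK_DEPLOYDIR` come from sbom-cve-check-common and are outside this hunk, so the above is hedged on their behaviour.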
Add a second sbom-cve-check class that scans the recipe-SBOM, unlike sbom-cve-check.bbclass which scans specifically an image's SBOM. In most cases, image-derived SBOM scanning is preferred as this is able to analyse the actual content of the image, e.g. reporting just the kernel issues that have actually been compiled into the image (for linux-yocto 6.18.19, this reduces the CVE count from 108 to 52). However, for metrics or other specific purposes it might be useful to scan a recipe-SPDX, so add a class that can do this. Signed-off-by: Ross Burton <ross.burton@arm.com> --- meta/classes/sbom-cve-check-recipe.bbclass | 35 ++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 meta/classes/sbom-cve-check-recipe.bbclass