diff mbox series

[3/3] classes/sbom-cve-check: add variable to control the scope of the CVE scan

Message ID 20260409162622.3307731-3-ross.burton@arm.com
State New
Headers show
Series [1/3] python3-sbom-cve-check: move from devtools/python to devtools/sbom-cve-check | expand

Commit Message

Ross Burton April 9, 2026, 4:26 p.m. UTC 
Unless told otherwise, sbom-cve-check will only report on issues found
in target recipes.  Whilst this is the behaviour we want for image-based
scanning, it's not the designed bevhaviour for recipe-based scanning.

Add a new variable SBOM_CVE_CHECK_SCAN_SCOPE that is used as the value
passed with --export-process-native.  Default this to "target" so the
normal behaviour is unchanged, but set it to "both" in the
sbom-cve-check-recipe class.

[1] https://sbom-cve-check.readthedocs.io/en/latest/export.html#export-options

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/classes/sbom-cve-check-common.bbclass | 9 ++++++++-
 meta/classes/sbom-cve-check-recipe.bbclass | 3 +++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/meta/classes/sbom-cve-check-common.bbclass b/meta/classes/sbom-cve-check-common.bbclass
index 3db189d60de..6963ad71c61 100644
--- a/meta/classes/sbom-cve-check-common.bbclass
+++ b/meta/classes/sbom-cve-check-common.bbclass
@@ -6,6 +6,10 @@  require conf/sbom-cve-check-config.inc
 
 SBOM_CVE_CHECK_DEPLOYDIR = "${WORKDIR}/sbom-cve-check/image-deploy"
 
+SBOM_CVE_CHECK_SCAN_SCOPE ?= "target"
+SBOM_CVE_CHECK_SCAN_SCOPE[doc] = "Whether to scan target and native, just target, or just native. \
+    Valid values are both, target, native."
+
 SBOM_CVE_CHECK_EXTRA_ARGS[doc] = "Allow to specify extra arguments to sbom-cve-check. \
     For example to add export flags for filtering (e.g., only export vulnerable CVEs). \
 "
@@ -54,6 +58,7 @@  def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
 
     dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR")
     out_deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
+    scan_scope = d.getVar("SBOM_CVE_CHECK_SCAN_SCOPE")
 
     export_files = []
     for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split():
@@ -70,7 +75,9 @@  def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
         d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"),
         "--sbom-path",
         sbom_path,
-        "--disable-auto-updates"
+        "--disable-auto-updates",
+        "--export-process-native",
+        scan_scope,
     ]
 
     for export_type, export_file, export_link in export_files:
diff --git a/meta/classes/sbom-cve-check-recipe.bbclass b/meta/classes/sbom-cve-check-recipe.bbclass
index 904ce57f5cc..c80b8ac83ff 100644
--- a/meta/classes/sbom-cve-check-recipe.bbclass
+++ b/meta/classes/sbom-cve-check-recipe.bbclass
@@ -9,6 +9,9 @@ 
 
 inherit sbom-cve-check-common
 
+# Recipe-based scanning should cover both target and native components.
+SBOM_CVE_CHECK_SCAN_SCOPE = "both"
+
 python do_sbom_cve_check_recipe() {
     """
     Task: Run sbom-cve-check analysis on a recipe SBOM.