| Message ID | 20260417083025.95554-1-peter.marko@siemens.com |
|---|---|
| State | Accepted, archived |
| Commit | 70de7e952ba6cebf7d0b4a36b66978f5a9a99b0b |
| Series | create-spdx-3.0: rerun do_create_recipe_spdx on patch changes |
On Fri, 2026-04-17 at 10:30 +0200, Peter Marko via lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> Valkyrie patchmetrics from 2026-04-17 is showing two CVEs where patches
> were merged the day before (2026-04-16) - inetutils/CVE-2026-32746 and
> re2c/CVE-2026-2903.
> Root cause is that the CVE patches are evaluated in task
> do_create_recipe_spdx which does not have any dependency on SRC_URI nor
> content of the patches, so it is taken from sstate-cache which contains
> old (stale) data.
>
> Note that this will mean that running sbom-cve-check will run do_fetch
> task for all evaluated recipes, however that is necessary to catch also
> changes within patch content (e.g. adding additional CVE: tags) in
> addition to re-running when adding new patches if we would only add
> dependency on SRC_URI variable.
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  meta/classes/create-spdx-3.0.bbclass | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
> index 432adb14cd..db1ccc0c81 100644
> --- a/meta/classes/create-spdx-3.0.bbclass
> +++ b/meta/classes/create-spdx-3.0.bbclass
> @@ -192,7 +192,7 @@ python do_create_recipe_spdx() { > import oe.spdx30_tasks > oe.spdx30_tasks.create_recipe_spdx(d) > } > -addtask do_create_recipe_spdx > +addtask do_create_recipe_spdx after do_fetch > > SSTATETASKS += "do_create_recipe_spdx" > do_create_recipe_spdx[sstate-inputdirs] = "${SPDXRECIPEDEPLOY}"

What data does do_create_recipe_spdx actually need?

Does it just need SRC_URI, or does it need to re-run if any of the
contents of items in SRC_URI changes? Or does it actually need the
patch contents?

If it needs to depend on more than the contents of SRC_URI, it should
have a dependency but I think Joshua was trying to avoid that. The
dependency would be on unpack or patch, not fetch as it shouldn't be
poking into DL_DIR.

FWIW, the way do_fetch runs only if it needs to is:

do_fetch[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}"
do_fetch[file-checksums] += " ${@get_lic_checksum_file_list(d)}"

Cheers,

Richard
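A reduced model of the mechanism under discussion, added here as an example and not code from OE-core or from anyone in the thread: it scans patch files for the `CVE:` tags that do_create_recipe_spdx reads, then contrasts a task signature keyed on SRC_URI alone with one that also folds in per-file checksums, which is the idea behind the `[file-checksums]` varflag Richard points at. The function names, the `name:sha256` entry format and the sample patch are assumptions; BitBake's real siggen and `bb.fetch.get_checksum_file_list` are not used.

```python
import hashlib
import os
import re
import tempfile

# OE-core patch headers tag fixes as "CVE: CVE-YYYY-NNNN"; that is what the task scans for.
CVE_TAG_RE = re.compile(r"^CVE:\s*(CVE-\d{4}-\d{4,})", re.MULTILINE)

def scan_cve_tags(patch_paths):
    """Return the sorted set of CVE ids tagged in the given patch files."""
    found = set()
    for path in patch_paths:
        with open(path, encoding="utf-8", errors="replace") as f:
            found.update(CVE_TAG_RE.findall(f.read()))
    return sorted(found)

def file_checksums(patch_paths):
    """Model of a [file-checksums] list: one "name:sha256" entry per local file.
    BitBake folds per-file checksums of the listed paths into the task hash."""
    entries = []
    for path in patch_paths:
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        entries.append(f"{os.path.basename(path)}:{digest}")
    return " ".join(entries)

def task_signature(src_uri, patch_paths, with_content):
    """Signature keyed on SRC_URI only, or on SRC_URI plus patch content."""
    h = hashlib.sha256(" ".join(src_uri).encode())
    if with_content:
        h.update(file_checksums(patch_paths).encode())
    return h.hexdigest()

def demo():
    """Constructed scenario: a patch already listed in SRC_URI gains a CVE: tag.
    Returns (before, after), each (uri_only_sig, content_sig, cve_tags)."""
    with tempfile.TemporaryDirectory() as d:
        patch = os.path.join(d, "fix-overflow.patch")  # constructed, not a real OE patch
        src_uri = ["https://example.invalid/src.tar.gz", "file://fix-overflow.patch"]
        def state():
            return (task_signature(src_uri, [patch], False),
                    task_signature(src_uri, [patch], True),
                    scan_cve_tags([patch]))
        with open(patch, "w") as f:
            f.write("Fix buffer overflow\n\nUpstream-Status: Backport\n")
        before = state()
        with open(patch, "a") as f:  # CVE id taken from the thread; patch text is constructed
            f.write("CVE: CVE-2026-32746\n")
        return before, state()  # before[0] == after[0]: the SRC_URI-only key never notices
```

The unchanged SRC_URI-only signature is exactly the stale-sstate case from the commit message; the content-aware signature changes and would force the task to re-run.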
> -----Original Message-----
> From: Richard Purdie <richard.purdie@linuxfoundation.org>
> Sent: Friday, April 17, 2026 2:04 PM
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
> openembedded-core@lists.openembedded.org
> Cc: JPEWhacker@gmail.com
> Subject: Re: [OE-core] [PATCH] create-spdx-3.0: rerun do_create_recipe_spdx on
> patch changes
>
> On Fri, 2026-04-17 at 10:30 +0200, Peter Marko via lists.openembedded.org
> wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Valkyrie patchmetrics from 2026-04-17 is showing two CVEs where patches
> > were merged the day before (2026-04-16) - inetutils/CVE-2026-32746 and
> > re2c/CVE-2026-2903.
> > Root-cause is that the CVE patches are evaluated in task
> > do_create_recipe_spdx which does not have any dependency on SRC_URI nor
> > content of the patches, so it is taken from sstate-cache which contains
> > old (stale) data.
> >
> > Note that this will mean that running sbom-cve-check will run do_fetch
> > task for all evaluated recipes, however that is necessary to catch also
> > changes within patch content (e.g. adding additional CVE: tags) in
> > addition to re-running when adding new patches if we would only add
> > dependency on SRC_URI variable.
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  meta/classes/create-spdx-3.0.bbclass | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
> > index 432adb14cd..db1ccc0c81 100644
> > --- a/meta/classes/create-spdx-3.0.bbclass
> > +++ b/meta/classes/create-spdx-3.0.bbclass
> > @@ -192,7 +192,7 @@ python do_create_recipe_spdx() { > > import oe.spdx30_tasks > > oe.spdx30_tasks.create_recipe_spdx(d) > > } > > -addtask do_create_recipe_spdx > > +addtask do_create_recipe_spdx after do_fetch > > > > SSTATETASKS += "do_create_recipe_spdx" > > do_create_recipe_spdx[sstate-inputdirs] = "${SPDXRECIPEDEPLOY}"
>
> What data does do_create_recipe_spdx actually need?
>
> Does it just need SRC_URI, or does it need to re-run if any of the
> contents of items in SRC_URI changes? Or does it actually need the
> patch contents?

It reads file content as it scans the file for "CVE: xyz" strings.

>
> If it needs to depend on more than the contents of SRC_URI, it should
> have a dependency but I think Joshua was trying to avoid that. The
> dependency would be on unpack or patch, not fetch as it shouldn't be
> poking into DL_DIR.
>
> FWIW, the way do_fetch runs only if it needs to is:
>
> do_fetch[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}"
> do_fetch[file-checksums] += " ${@get_lic_checksum_file_list(d)}"

OK, in the evening I'll try to rework the patch to use this concept.

>
> Cheers,
>
> Richard
>
On Fri, Apr 17, 2026 at 6:03 AM Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
>
> On Fri, 2026-04-17 at 10:30 +0200, Peter Marko via lists.openembedded.org wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Valkyrie patchmetrics from 2026-04-17 is showing two CVEs where patches
> > were merged the day before (2026-04-16) - inetutils/CVE-2026-32746 and
> > re2c/CVE-2026-2903.
> > Root-cause is that the CVE patches are evaluated in task
> > do_create_recipe_spdx which does not have any dependency on SRC_URI nor
> > content of the patches, so it is taken from sstate-cache which contains
> > old (stale) data.
> >
> > Note that this will mean that running sbom-cve-check will run do_fetch
> > task for all evaluated recipes, however that is necessary to catch also
> > changes within patch content (e.g. adding additional CVE: tags) in
> > addition to re-running when adding new patches if we would only add
> > dependency on SRC_URI variable.
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  meta/classes/create-spdx-3.0.bbclass | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
> > index 432adb14cd..db1ccc0c81 100644
> > --- a/meta/classes/create-spdx-3.0.bbclass
> > +++ b/meta/classes/create-spdx-3.0.bbclass
> > @@ -192,7 +192,7 @@ python do_create_recipe_spdx() { > > import oe.spdx30_tasks > > oe.spdx30_tasks.create_recipe_spdx(d) > > } > > -addtask do_create_recipe_spdx > > +addtask do_create_recipe_spdx after do_fetch > > > > SSTATETASKS += "do_create_recipe_spdx" > > do_create_recipe_spdx[sstate-inputdirs] = "${SPDXRECIPEDEPLOY}"
>
> What data does do_create_recipe_spdx actually need?
>
> Does it just need SRC_URI, or does it need to re-run if any of the
> contents of items in SRC_URI changes? Or does it actually need the
> patch contents?
>
> If it needs to depend on more than the contents of SRC_URI, it should
> have a dependency but I think Joshua was trying to avoid that. The
> dependency would be on unpack or patch, not fetch as it shouldn't be
> poking into DL_DIR.

Correct, we do not want a dependency on do_fetch as that would make
the "fast" CVE check very slow. I'm curious if this is a problem with
the old cve_check.bbclass also, or if not how it solved the problem.

>
> FWIW, the way do_fetch runs only if it needs to is:
>
> do_fetch[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}"
> do_fetch[file-checksums] += " ${@get_lic_checksum_file_list(d)}"
>
> Cheers,
>
> Richard
>
>
> -----Original Message-----
> From: Joshua Watt <jpewhacker@gmail.com>
> Sent: Friday, April 17, 2026 4:01 PM
> To: Richard Purdie <richard.purdie@linuxfoundation.org>
> Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
> openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH] create-spdx-3.0: rerun do_create_recipe_spdx on
> patch changes
>
> On Fri, Apr 17, 2026 at 6:03 AM Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
> >
> > On Fri, 2026-04-17 at 10:30 +0200, Peter Marko via lists.openembedded.org
> > wrote:
> > > From: Peter Marko <peter.marko@siemens.com>
> > >
> > > Valkyrie patchmetrics from 2026-04-17 is showing two CVEs where patches
> > > were merged the day before (2026-04-16) - inetutils/CVE-2026-32746 and
> > > re2c/CVE-2026-2903.
> > > Root-cause is that the CVE patches are evaluated in task
> > > do_create_recipe_spdx which does not have any dependency on SRC_URI nor
> > > content of the patches, so it is taken from sstate-cache which contains
> > > old (stale) data.
> > >
> > > Note that this will mean that running sbom-cve-check will run do_fetch
> > > task for all evaluated recipes, however that is necessary to catch also
> > > changes within patch content (e.g. adding additional CVE: tags) in
> > > addition to re-running when adding new patches if we would only add
> > > dependency on SRC_URI variable.
> > >
> > > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > ---
> > >  meta/classes/create-spdx-3.0.bbclass | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
> > > index 432adb14cd..db1ccc0c81 100644
> > > --- a/meta/classes/create-spdx-3.0.bbclass
> > > +++ b/meta/classes/create-spdx-3.0.bbclass
> > > @@ -192,7 +192,7 @@ python do_create_recipe_spdx() { > > > import oe.spdx30_tasks > > > oe.spdx30_tasks.create_recipe_spdx(d) > > > } > > > -addtask do_create_recipe_spdx > > > +addtask do_create_recipe_spdx after do_fetch > > > > > > SSTATETASKS += "do_create_recipe_spdx" > > > do_create_recipe_spdx[sstate-inputdirs] = "${SPDXRECIPEDEPLOY}"
> >
> > What data does do_create_recipe_spdx actually need?
> >
> > Does it just need SRC_URI, or does it need to re-run if any of the
> > contents of items in SRC_URI changes? Or does it actually need the
> > patch contents?
> >
> > If it needs to depend on more than the contents of SRC_URI, it should
> > have a dependency but I think Joshua was trying to avoid that. The
> > dependency would be on unpack or patch, not fetch as it shouldn't be
> > poking into DL_DIR.
>
> Correct, we do not want a dependency on do_fetch as that would make
> the "fast" CVE check very slow. I'm curious if this is a problem with
> the old cve_check.bbclass also, or if not how it solved the problem

The old cve-check did that in a single nostamp task, so there was no
dependency on sstate-cached objects.

Peter

>
> >
> > FWIW, the way do_fetch runs only if it needs to is:
> >
> > do_fetch[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}"
> > do_fetch[file-checksums] += " ${@get_lic_checksum_file_list(d)}"
> >
> > Cheers,
> >
> > Richard
> >
> >
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass index 432adb14cd..db1ccc0c81 100644 --- a/meta/classes/create-spdx-3.0.bbclass +++ b/meta/classes/create-spdx-3.0.bbclass @@ -192,7 +192,7 @@ python do_create_recipe_spdx() { import oe.spdx30_tasks oe.spdx30_tasks.create_recipe_spdx(d) } -addtask do_create_recipe_spdx +addtask do_create_recipe_spdx after do_fetch SSTATETASKS += "do_create_recipe_spdx" do_create_recipe_spdx[sstate-inputdirs] = "${SPDXRECIPEDEPLOY}"
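Review bot: the `+addtask do_create_recipe_spdx after do_fetch` line fixes the stale-sstate problem by adding a task dependency, which, as the commit message itself notes, pulls do_fetch into every recipe evaluated by sbom-cve-check; the thread wants to avoid that, both for speed and because this task should not be reading DL_DIR. Since the task only needs to re-run when the content of the local patch files listed in SRC_URI changes, consider expressing that as a `do_create_recipe_spdx[file-checksums]` varflag, the same mechanism do_fetch already uses with `do_fetch[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}"`, so the sstate signature follows patch content without an ordering on do_fetch; if an ordering is still required, do_unpack or do_patch are the candidates named in the thread rather than do_fetch.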