diff mbox series

[v2] sbom-cve-check-common: print warnings on unpatched CVEs

Message ID 20260421-sbom-cve-check-warnings-v2-1-79ae1d2395be@bootlin.com
State Accepted, archived
Commit 5a5162406ffed68fa82476f81c0709c2a05e735f
Headers show
Series [v2] sbom-cve-check-common: print warnings on unpatched CVEs | expand

Commit Message

Antonin Godard April 21, 2026, 1:01 p.m. UTC 
The now removed cve-check class used to print warnings when CVEs with
status "Unpatched" were found. Add this feature to the
sbom-cve-check class with the same default value (enabled).

For now it only does so when the cvecheck report type is enabled. It may
be possible to do the same for the SPDX report type.

Sample output:

WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: busybox-1.37.0: Found unpatched CVEs: CVE-2024-58251
WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: expat-2.7.5: Found unpatched CVEs: CVE-2025-66382, CVE-2026-41080
WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: glibc-2.43+git: Found unpatched CVEs: CVE-2010-4756, CVE-2026-4046

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
Changes in v2:
- Apply suggestions from Paul
- Link to v1: https://patch.msgid.link/20260421-sbom-cve-check-warnings-v1-1-df7861a0a0bc@bootlin.com
---
 meta/classes/sbom-cve-check-common.bbclass | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)


---
base-commit: 9a83f0878b6bacbc7b322cfec076b4e79ad7b8fb
change-id: 20260421-sbom-cve-check-warnings-408de9776bc0

Comments

Benjamin Robin April 22, 2026, 6:53 a.m. UTC | #1 
Hello Antonin,

Looks good to me. I have just a slight suggestion.

On Tuesday, April 21, 2026 at 3:01 PM, Antonin Godard wrote:
> The now removed cve-check class used to print warnings when CVEs with
> status "Unpatched" were found. Add this feature to the
> sbom-cve-check class with the same default value (enabled).
> 
> For now it only does so when the cvecheck report type is enabled. It may
> be possible to do the same for the SPDX report type.
> 
> Sample output:
> 
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: busybox-1.37.0: Found unpatched CVEs: CVE-2024-58251
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: expat-2.7.5: Found unpatched CVEs: CVE-2025-66382, CVE-2026-41080
> WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: glibc-2.43+git: Found unpatched CVEs: CVE-2010-4756, CVE-2026-4046
> 
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
> Changes in v2:
> - Apply suggestions from Paul
> - Link to v1: https://patch.msgid.link/20260421-sbom-cve-check-warnings-v1-1-df7861a0a0bc@bootlin.com
> ---
>  meta/classes/sbom-cve-check-common.bbclass | 30 ++++++++++++++++++++++++++++++
>  1 file changed, 30 insertions(+)
> 
> diff --git a/meta/classes/sbom-cve-check-common.bbclass b/meta/classes/sbom-cve-check-common.bbclass
> index 6963ad71c61..32c29a0ec2c 100644
> --- a/meta/classes/sbom-cve-check-common.bbclass
> +++ b/meta/classes/sbom-cve-check-common.bbclass
> @@ -48,6 +48,32 @@ SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES ?= " \
>      sbom-cve-check-update-nvd-native:do_patch \
>  "
>  
> +SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1"
> +SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched CVEs are found. \
> +Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled"
> +
> +def show_warnings_from_file(cvecheck_export_file):
> +    import json
> +
> +    try:
> +        with open(cvecheck_export_file, "r") as f:
> +            report = json.load(f)
> +    except (json.JSONDecodeError, UnicodeDecodeError) as e:
> +        bb.error(f"Failed to open JSON report file {f}: {e}")
> +        return
> +
> +    packages = report.get("package", [])
> +    for package in packages:
> +        unpatched = []
> +        cves = package.get("issue", [])
> +        for cve in cves:
> +            if cve["status"] == "Unpatched":
> +                unpatched.append(cve["id"])

A more Pythonic way of writing that is:

       for package in packages:
           cves = package.get("issue", [])
           unpatched = [cve["id"] for cve in cves if cve["status"] == "Unpatched"]

> +        if unpatched:
> +            pname = package["name"]
> +            version = package["version"]
> +            bb.warn(f"{pname}-{version}: Found unpatched CVEs: {', '.join(unpatched)}")
> +
>  def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
>      import os
>      import bb
> @@ -94,9 +120,13 @@ def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
>          bb.error(f"sbom-cve-check failed: {e}")
>          return
>  
> +    show_warnings = bb.utils.to_boolean(d.getVar("SBOM_CVE_CHECK_SHOW_WARNINGS"))
> +
>      for export_type, export_file, export_link in export_files:
>          bb.note(f"sbom-cve-check exported: {export_file}")
>          if export_link:
>              update_symlinks(export_file, export_link)
> +        if show_warnings and export_type == d.getVarFlag("SBOM_CVE_CHECK_EXPORT_CVECHECK", "type"):
> +            show_warnings_from_file(export_file)
>  
>  
> 
> ---
> base-commit: 9a83f0878b6bacbc7b322cfec076b4e79ad7b8fb
> change-id: 20260421-sbom-cve-check-warnings-408de9776bc0
> 
> 
> 
>
diff mbox series

Patch

diff --git a/meta/classes/sbom-cve-check-common.bbclass b/meta/classes/sbom-cve-check-common.bbclass
index 6963ad71c61..32c29a0ec2c 100644
--- a/meta/classes/sbom-cve-check-common.bbclass
+++ b/meta/classes/sbom-cve-check-common.bbclass
@@ -48,6 +48,32 @@  SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES ?= " \
     sbom-cve-check-update-nvd-native:do_patch \
 "
 
+SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1"
+SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched CVEs are found. \
+Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled"
+
+def show_warnings_from_file(cvecheck_export_file):
+    import json
+
+    try:
+        with open(cvecheck_export_file, "r") as f:
+            report = json.load(f)
+    except (json.JSONDecodeError, UnicodeDecodeError) as e:
+        bb.error(f"Failed to open JSON report file {f}: {e}")
+        return
+
+    packages = report.get("package", [])
+    for package in packages:
+        unpatched = []
+        cves = package.get("issue", [])
+        for cve in cves:
+            if cve["status"] == "Unpatched":
+                unpatched.append(cve["id"])
+        if unpatched:
+            pname = package["name"]
+            version = package["version"]
+            bb.warn(f"{pname}-{version}: Found unpatched CVEs: {', '.join(unpatched)}")
+
 def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
     import os
     import bb
@@ -94,9 +120,13 @@  def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
         bb.error(f"sbom-cve-check failed: {e}")
         return
 
+    show_warnings = bb.utils.to_boolean(d.getVar("SBOM_CVE_CHECK_SHOW_WARNINGS"))
+
     for export_type, export_file, export_link in export_files:
         bb.note(f"sbom-cve-check exported: {export_file}")
         if export_link:
             update_symlinks(export_file, export_link)
+        if show_warnings and export_type == d.getVarFlag("SBOM_CVE_CHECK_EXPORT_CVECHECK", "type"):
+            show_warnings_from_file(export_file)