| Message ID | 20260508133042.1046523-1-alex.kanavin@gmail.com |
|---|---|
| State | New |
| Series | sbom-cve-check: set PV from upstream tags and ensure version checks are correct | expand |
These recipes are intended to be used with ${AUTOREV} (e.g. in nightly CVE metrics jobs).
Tag in SRCREV breaks that feature and thus this part of this patch should be rejected.
Peter
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Alexander Kanavin via
> lists.openembedded.org
> Sent: Friday, May 8, 2026 3:31 PM
> To: openembedded-core@lists.openembedded.org
> Cc: Alexander Kanavin <alex@linutronix.de>
> Subject: [OE-core] [PATCH] sbom-cve-check: set PV from upstream tags and ensure
> version checks are correct
>
> From: Alexander Kanavin <alex@linutronix.de>
>
> These recipes didn't set PV, which by default is 1.0. This isn't correct:
> upstream does provide date-based tags that can be used to perform version
> upgrades.
>
> Correct SRCREV in one of the recipes to point to the next tagged commit,
> as existing SRCREV was pointing to a non-tagged commit between 03.19 and 03.20
> tags.
>
> Signed-off-by: Alexander Kanavin <alex@linutronix.de>
> ---
> ...b => sbom-cve-check-update-cvelist-native_2026-03-19.bb} | 4 ++--
> ...> sbom-cve-check-update-nvd-native_2026.03.20-010002.bb} | 6 +++---
> 2 files changed, 5 insertions(+), 5 deletions(-)
> rename meta/recipes-devtools/sbom-cve-check/{sbom-cve-check-update-cvelist-
> native.bb => sbom-cve-check-update-cvelist-native_2026-03-19.bb} (79%)
> rename meta/recipes-devtools/sbom-cve-check/{sbom-cve-check-update-nvd-
> native.bb => sbom-cve-check-update-nvd-native_2026.03.20-010002.bb} (70%)
>
> diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-
> native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-
> native_2026-03-19.bb
> similarity index 79%
> rename from meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-
> cvelist-native.bb
> rename to meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-
> native_2026-03-19.bb
> index 3387122165..850537e777 100644
> --- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-
> native.bb
> +++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-
> native_2026-03-19.bb
> @@ -3,10 +3,10 @@ LICENSE = "MIT"
> LIC_FILES_CHKSUM =
> "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
>
> HOMEPAGE = "https://github.com/CVEProject/cvelistV5"
> -SRC_URI =
> "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https;destsuffix="
> +SRC_URI =
> "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https;tag=${PV}_ba
> seline;destsuffix="
> SBOM_CVE_CHECK_DB_NAME = "cvelist"
>
> -# 2026-03-19_baseline
> SRCREV = "ada54ee3cc8380820aa45e4996910bdc9dcb94e7"
> +UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>.+)_baseline"
>
> require sbom-cve-check-update-db.inc
> diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native_2026.03.20-010002.bb
> similarity index 70%
> rename from meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native.bb
> rename to meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native_2026.03.20-010002.bb
> index c868ba09c1..d1290ba8e3 100644
> --- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
> +++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native_2026.03.20-010002.bb
> @@ -3,10 +3,10 @@ LICENSE = "cve-tou"
> LIC_FILES_CHKSUM = "file://LICENSES/cve-
> tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
>
> HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-feeds"
> -SRC_URI = "git://github.com/fkie-cad/nvd-json-data-
> feeds.git;branch=main;protocol=https;destsuffix="
> +SRC_URI = "git://github.com/fkie-cad/nvd-json-data-
> feeds.git;branch=main;protocol=https;tag=v${PV};destsuffix="
> SBOM_CVE_CHECK_DB_NAME = "nvd-fkie"
>
> -# v2026.03.19-010002
> -SRCREV = "49f8bbe1b0b0884e16bdc37ab68db997085570a7"
> +SRCREV = "71a7984884a918f7f1464a0efe25ba4a24c569ca"
> +UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.+)"
>
> require sbom-cve-check-update-db.inc
> --
> 2.47.3
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native_2026-03-19.bb
similarity index 79%
rename from meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb
rename to meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native_2026-03-19.bb
index 3387122165..850537e777 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native_2026-03-19.bb
@@ -3,10 +3,10 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
 
 HOMEPAGE = "https://github.com/CVEProject/cvelistV5"
-SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https;destsuffix="
+SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https;tag=${PV}_baseline;destsuffix="
 SBOM_CVE_CHECK_DB_NAME = "cvelist"
 
-# 2026-03-19_baseline
 SRCREV = "ada54ee3cc8380820aa45e4996910bdc9dcb94e7"
+UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>.+)_baseline"
 
 require sbom-cve-check-update-db.inc
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native_2026.03.20-010002.bb
similarity index 70%
rename from meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
rename to meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native_2026.03.20-010002.bb
index c868ba09c1..d1290ba8e3 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native_2026.03.20-010002.bb
@@ -3,10 +3,10 @@ LICENSE = "cve-tou"
 LIC_FILES_CHKSUM = "file://LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
 
 HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-feeds"
-SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https;destsuffix="
+SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https;tag=v${PV};destsuffix="
 SBOM_CVE_CHECK_DB_NAME = "nvd-fkie"
 
-# v2026.03.19-010002
-SRCREV = "49f8bbe1b0b0884e16bdc37ab68db997085570a7"
+SRCREV = "71a7984884a918f7f1464a0efe25ba4a24c569ca"
+UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.+)"
 
 require sbom-cve-check-update-db.inc
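Review bot: Both new `UPSTREAM_CHECK_GITTAGREGEX` values capture the version with an unconstrained `.+`, so any upstream tag that merely ends in `_baseline` (cvelist hunk) or has a `v` followed by arbitrary text (nvd hunk) could be offered as a candidate PV, depending on how the version checker applies the pattern. Because PV now flows directly into `tag=` in SRC_URI and into the recipe file name, it would be safer to match only the tag shape actually in use, e.g. `UPSTREAM_CHECK_GITTAGREGEX = "^(?P<pver>\d{4}-\d{2}-\d{2})_baseline$"` for cvelist and `UPSTREAM_CHECK_GITTAGREGEX = "^v(?P<pver>\d{4}\.\d{2}\.\d{2}-\d{6})$"` for nvd. The date formats are inferred from the two new recipe file names in this patch and should be confirmed against the upstream tag lists before tightening.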