@@ -52,6 +52,11 @@ SBOM_CVE_CHECK_SHOW_WARNINGS ?= "1"
SBOM_CVE_CHECK_SHOW_WARNINGS[doc] = "Show warning messages when unpatched CVEs are found. \
Requires the SBOM_CVE_CHECK_EXPORT_CVECHECK report type to be enabled"
+SBOM_CVE_CHECK_RECIPE_AUTO ?= "0"
+SBOM_CVE_CHECK_RECIPE_AUTO[doc] = "If '1', run do_sbom_cve_check_recipe as part of \
+ the normal build (do_build) for every recipe. This also includes running CVE \
+ check for all recipes with 'bitbake world'. Default is '0' (disabled)."
+
def show_warnings_from_file(cvecheck_export_file):
import json
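Review bot: The `[doc]` text for SBOM_CVE_CHECK_RECIPE_AUTO describes only `'1'` as enabling the feature, but the consumer in sbom-cve-check-recipe.bbclass parses the value with oe.types.boolean, which also accepts the other boolean spellings that helper understands; stating `If set to a true value (e.g. '1'), run do_sbom_cve_check_recipe as part of the normal build (do_build) for every recipe.` keeps the documentation in line with what is actually honoured. The continuation lines also carry a leading space inside the string, unlike the SBOM_CVE_CHECK_SHOW_WARNINGS doc just above; either is harmless, but matching the existing style reads cleaner.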
@@ -22,6 +22,13 @@ python do_sbom_cve_check_recipe() {
}
addtask do_sbom_cve_check_recipe after do_create_recipe_sbom
+python() {
+ if oe.types.boolean(d.getVar("SBOM_CVE_CHECK_RECIPE_AUTO") or "0"):
+ # Recipes that inherit nospdx.bbclass delete do_create_recipe_sbom, so
+ # skip them to avoid running the check against a missing SBOM.
+ if d.getVarFlag("do_create_recipe_sbom", "task", False):
+ bb.build.addtask("do_sbom_cve_check_recipe", "do_build", None, d)
+}
SSTATETASKS += "do_sbom_cve_check_recipe"
do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}"
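Review bot: The skip check at `if d.getVarFlag("do_create_recipe_sbom", "task", False):` does nothing at all when the task is absent, so a recipe that has the feature enabled but is excluded via nospdx leaves no trace in the build output; a `bb.debug(1, "%s: no do_create_recipe_sbom task, skipping do_sbom_cve_check_recipe" % d.getVar("PN"))` on the else path would make it possible to audit which recipes were actually scanned. The check also rests on nospdx's deltask having been applied before anonymous python functions run, which I believe holds in current BitBake but is worth stating in the comment, e.g. `# Anonymous functions run after all addtask/deltask directives, so the 'task' flag already reflects nospdx's deltask.`. Since bb.build.addtask is called with after=None, the existing `after do_create_recipe_sbom` ordering from the addtask line above is preserved, which is what the skip relies on.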
"do_sbom_cve_check_recipe" is only added "after do_create_recipe_sbom" and is never wired before "do_build", so it does not run as part of a normal build. Users who build packages directly or run "bitbake world" without producing an image get no CVE analysis. Add SBOM_CVE_CHECK_RECIPE_AUTO variable that, when enabled, hooks do_sbom_cve_check_recipe into do_build for every recipe. This lets "bitbake world" run recipe-scoped CVE analysis across the whole package feed without first building an image. The task is only wired for recipes that actually produce a recipe SBOM. Recipes inheriting "nospdx" delete "do_create_recipe_sbom" and are skipped, to avoid scanning a non-existent SBOM. Signed-off-by: Hiago De Franco <hfranco@baylibre.com> --- Hello, I tested this with Poky Wrynose, running "bitbake world" from an empty build (from scratch). It worked as do_sbom_cve_check_recipe ran for every recipe. This patch depends on the patch I sent earlier, https://lore.kernel.org/all/20260619183406.239931-1-hfranco@baylibre.com/. Thanks, Hiago. --- meta/classes/sbom-cve-check-common.bbclass | 5 +++++ meta/classes/sbom-cve-check-recipe.bbclass | 7 +++++++ 2 files changed, 12 insertions(+)