@@ -1366,12 +1366,9 @@
"metrics" : {
"NEEDREPOS" : ["bitbake", "meta-openembedded"],
"extravars" : [
- "INHERIT += 'cve-check'",
+ "OE_FRAGMENTS += 'core/yocto/sbom-cve-check'",
+ "INHERIT += 'sbom-cve-check-recipe'",
"BB_DISKMON_DIRS = ''",
- "CVE_CHECK_FORMAT_JSON = '1'",
- "CVE_CHECK_SHOW_WARNINGS = '0'",
- "CVE_DB_UPDATE_INTERVAL = '21600'",
- "CVE_DB_INCR_UPDATE_AGE_THRES = '21600'",
"LICENSE_FLAGS_ACCEPTED = 'commercial'",
"BB_SERVER_TIMEOUT = '0'"
],
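Review bot: The new `extravars` drop `CVE_DB_UPDATE_INTERVAL` and `CVE_DB_INCR_UPDATE_AGE_THRES` with no replacement, so the freshness of the vulnerability data now depends on the defaults of the `core/yocto/sbom-cve-check` fragment, which this hunk does not show. In a metrics job a stale database shows up as CVEs silently missing from the report, not as a build failure. If the new class has a refresh setting, pin it here as the old configuration did. If the defaults are intended, record that in the commit message, for example `Database refresh is left to the fragment's defaults.`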
@@ -74,15 +74,16 @@ fi
set +u
source ./init-build-env build
set -u
-bitbake world --runall cve_check -R conf/distro/include/cve-extra-exclusions.inc
+bitbake meta-world-recipe-sbom -R conf/distro/include/cve-extra-exclusions.inc -c sbom_cve_check_recipe
# Do another pull to make sure we're as up to date as possible. This is
# preferable to committing and rebasing before pushing as it would be better to
# waste some time repeating work than commit potentially corrupted files from a
# git merge gone wrong.
git -C $METRICSDIR pull
-CVE_REPORT=tmp/log/cve/cve-summary.json
+# Use the latest report, in case the build tree has more than one
+CVE_REPORT=$(ls -t tmp/deploy/images/*/world-recipe-sbom.sbom-cve-check.yocto.json | head -n1)
if [ -e $CVE_REPORT ]; then
git -C $METRICSDIR rm --ignore-unmatch cve-check/$BRANCH/*.json
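Review bot: When the glob in the new `CVE_REPORT=$(ls -t … | head -n1)` line matches nothing, `CVE_REPORT` is empty and the unquoted `[ -e $CVE_REPORT ]` collapses to `[ -e ]`, which is true. The `git rm` of the previous `cve-check/$BRANCH/*.json` then runs although no report was produced, which the old fixed path could not cause. Quoting the test, `if [ -e "$CVE_REPORT" ]; then`, makes an empty value fail the check. The `if` block continues past the end of the hunk, so whether the later steps would catch the empty path is not visible here.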
Use the new sbom-cve-check-recipe class to scan meta-world-recipe-sbom, instead of using cve-check. Signed-off-by: Ross Burton <ross.burton@arm.com> --- config.json | 7 ++----- scripts/run-cvecheck | 5 +++-- 2 files changed, 5 insertions(+), 7 deletions(-)