@@ -1386,12 +1386,9 @@
"metrics" : {
"NEEDREPOS" : ["bitbake", "meta-openembedded"],
"extravars" : [
- "INHERIT += 'cve-check'",
+ "OE_FRAGMENTS += 'core/yocto/sbom-cve-check'",
+ "INHERIT += 'sbom-cve-check-recipe'",
"BB_DISKMON_DIRS = ''",
- "CVE_CHECK_FORMAT_JSON = '1'",
- "CVE_CHECK_SHOW_WARNINGS = '0'",
- "CVE_DB_UPDATE_INTERVAL = '21600'",
- "CVE_DB_INCR_UPDATE_AGE_THRES = '21600'",
"LICENSE_FLAGS_ACCEPTED = 'commercial'",
"BB_SERVER_TIMEOUT = '0'"
],
@@ -74,18 +74,21 @@ fi
set +u
source ./init-build-env build
set -u
-bitbake world --runall cve_check -R conf/distro/include/cve-extra-exclusions.inc
+bitbake meta-world-recipe-sbom -R conf/distro/include/cve-extra-exclusions.inc -c sbom_cve_check_recipe
# Do another pull to make sure we're as up to date as possible. This is
# preferable to committing and rebasing before pushing as it would be better to
# waste some time repeating work than commit potentially corrupted files from a
# git merge gone wrong.
git -C $METRICSDIR pull
-if [ -e tmp/log/cve/cve-summary.json ]; then
+# Use the latest report, in case the build tree has more than one
+CVE_REPORT=$(ls -t tmp/deploy/images/*/world-recipe-sbom.sbom-cve-check.yocto.json | head -n1)
+
+if [ -e $CVE_REPORT ]; then
git -C $METRICSDIR rm --ignore-unmatch cve-check/$BRANCH/*.json
mkdir -p $METRICSDIR/cve-check/$BRANCH/
- cp tmp/log/cve/cve-summary.json $METRICSDIR/cve-check/$BRANCH/$TIMESTAMP.json
+ cp $CVE_REPORT $METRICSDIR/cve-check/$BRANCH/$TIMESTAMP.json
git -C $METRICSDIR add cve-check/$BRANCH/$TIMESTAMP.json
git -C $METRICSDIR commit -asm "Autobuilder adding new CVE data for branch $BRANCH" || true
if [ "$PUSH" = "1" ]; then
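Review bot: When no report matches the glob, `CVE_REPORT` is empty and the unquoted test on the `if [ -e $CVE_REPORT ]` line becomes `[ -e ]`, which is true, so the branch runs anyway: the `git rm` of the previous `cve-check/$BRANCH/*.json` executes before `cp` fails on an empty path, and unless `set -e` is active further up (only `set -u` is visible here) the `git commit -asm` afterwards would record that deletion. Assigning from `ls -t … | head -n1` does not surface the failure either, since the pipeline's status is that of `head`. The guard should require a non-empty, quoted value, `if [ -n "$CVE_REPORT" ] && [ -e "$CVE_REPORT" ]; then`, and `$CVE_REPORT` should be quoted in the `cp` line here and in the `cve-report.py` invocation in the next hunk. A glob with `nullglob` instead of parsing `ls` would also avoid the literal-pattern fallback, though the mtime ordering would then need to be handled separately. The `if` block opened here continues into the following hunk.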
@@ -95,7 +98,7 @@ if [ -e tmp/log/cve/cve-summary.json ]; then
fi
git -C $METRICSDIR push
fi
- $OURDIR/cve-report.py tmp/log/cve/cve-summary.json > $RESULTSDIR/cve-status-$BRANCH.txt
+ $OURDIR/cve-report.py $CVE_REPORT > $RESULTSDIR/cve-status-$BRANCH.txt
fi
if [ "$BRANCH" = "master" ]; then