@@ -5,7 +5,7 @@
set -eu
-ARGS=$(getopt -o '' --long 'metrics:,branch:,results:,push' -n 'run-cvecheck' -- "$@")
+ARGS=$(getopt -o '' --long 'metrics:,branch:,results:,push,hide-core' -n 'run-cvecheck' -- "$@")
if [ $? -ne 0 ]; then
echo 'Cannot parse arguments...' >&2
exit 1
@@ -23,6 +23,8 @@ RESULTSDIR=""
BRANCH=""
# Whether to push the metrics
PUSH=0
+# Whether to remove recipes in oe-core from the report
+HIDE_CORE=0
while true; do
case "$1" in
@@ -46,6 +48,11 @@ while true; do
shift
continue
;;
+ '--hide-core')
+ HIDE_CORE=1
+ shift
+ continue
+ ;;
'--')
shift
break
@@ -86,6 +93,13 @@ git -C $METRICSDIR pull
CVE_REPORT=$(ls -t tmp/deploy/images/*/world-recipe-sbom.sbom-cve-check.yocto.json | head -n1)
if [ -e $CVE_REPORT ]; then
+
+ # Filter out core layers, if requested
+ if [ $HIDE_CORE -eq 1 ]; then
+ jq '.package |= map(select(.layer | IN("core", "selftest", "yocto") | not))' $CVE_REPORT > $CVE_REPORT.tmp
+ mv $CVE_REPORT.tmp $CVE_REPORT
+ fi
+
git -C $METRICSDIR rm --ignore-unmatch cve-check/$BRANCH/*.json
mkdir -p $METRICSDIR/cve-check/$BRANCH/
cp $CVE_REPORT $METRICSDIR/cve-check/$BRANCH/$TIMESTAMP.json
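Review bot: The `mv $CVE_REPORT.tmp $CVE_REPORT` step overwrites the build's own report under tmp/deploy, so the unfiltered data is lost once --hide-core has run. If a later run without --hide-core does not regenerate the report, `ls -t … | head -n1` would presumably pick up the filtered file and publish it as a complete scan, understating CVE exposure in the metrics repository. Writing the jq output straight to the metrics copy keeps the source artifact intact and avoids the fixed `.tmp` file that a failed jq would leave behind under `set -eu`. The new lines also leave `$CVE_REPORT` and `$HIDE_CORE` unquoted, which the version below fixes. The enclosing `if [ -e $CVE_REPORT ]` block ends outside the hunk.

```shell
# … unchanged: git rm of the previous reports, mkdir -p of the branch directory …
# Filter out core layers, if requested, without modifying the build artifact
if [ "$HIDE_CORE" -eq 1 ]; then
    jq '.package |= map(select(.layer | IN("core", "selftest", "yocto") | not))' "$CVE_REPORT" > "$METRICSDIR/cve-check/$BRANCH/$TIMESTAMP.json"
else
    cp "$CVE_REPORT" "$METRICSDIR/cve-check/$BRANCH/$TIMESTAMP.json"
fi
```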
Add an option to filter out "core" recipes from the CVE report, so that the same tooling can be used to scan other layers without the report also containing issues from core. For the purposes of this we consider "core", "selftest", and "yocto" (oe-core, meta-selftest, meta-poky) to be core layers. This uses jq to filter the generated JSON before it is committed to the metrics repository. Signed-off-by: Ross Burton <ross.burton@arm.com> --- scripts/run-cvecheck | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-)