From patchwork Tue Feb 24 15:53:43 2026
X-Patchwork-Submitter: Benjamin Robin
X-Patchwork-Id: 81797
From: Benjamin Robin
Date: Tue, 24 Feb 2026 16:53:43 +0100
Subject: [PATCH 1/5] python3-shacl2code: add recipe
MIME-Version: 1.0
Message-Id: <20260224-add-sbom-cve-check-v1-1-1c76fbd7f01b@bootlin.com>
References: <20260224-add-sbom-cve-check-v1-0-1c76fbd7f01b@bootlin.com>
In-Reply-To: <20260224-add-sbom-cve-check-v1-0-1c76fbd7f01b@bootlin.com>
To: openembedded-core@lists.openembedded.org
Cc: ross.burton@arm.com, peter.marko@siemens.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, Benjamin Robin
X-Mailer: b4 0.14.3
X-Last-TLS-Session-Version: TLSv1.3
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 24 Feb 2026 15:54:04 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231869

- Build dependency of python3-spdx-python-model.
- Part of the dependency chain for sbom-cve-check

Signed-off-by: Benjamin Robin
---
 .../python/python3-shacl2code_0.0.24.bb | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-shacl2code_0.0.24.bb b/meta/recipes-devtools/python/python3-shacl2code_0.0.24.bb
new file mode 100644
index 000000000000..93ed9a253040
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-shacl2code_0.0.24.bb
@@ -0,0 +1,17 @@ +SUMMARY = "Convert SHACL model to code bindings" +HOMEPAGE = "https://pypi.org/project/shacl2code/" +SECTION = "devel/python" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE;md5=0582f358628f299f29c23bf5fb2f73c9" + +PYPI_PACKAGE = "shacl2code" +SRC_URI[sha256sum] = "d8b511054ca564b4514b9186ece7f5eb8048cfc5daa6625def1a3adba13c4f66" + +inherit pypi python_hatchling + +RDEPENDS:${PN} += " \ + python3-jinja2 \ + python3-rdflib \ +" + +BBCLASSEXTEND = "native nativesdk"
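Review bot: BBCLASSEXTEND enables target and nativesdk variants, yet nothing in this series uses them: python3-spdx-python-model only needs shacl2code on the build host (python3-shacl2code-native), and, as far as I can tell, the bindings shacl2code generates do not import shacl2code at run time. Either say in the commit message why the target package is wanted, or trim BBCLASSEXTEND to `native`; if the target package stays, confirm that the two RDEPENDS:${PN} entries (python3-jinja2, python3-rdflib) are the complete run-time dependency set of the 0.0.24 release.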
From: Benjamin Robin
Date: Tue, 24 Feb 2026 16:53:44 +0100
Subject: [PATCH 2/5] python3-hatch-build-scripts: add recipe
Message-Id: <20260224-add-sbom-cve-check-v1-2-1c76fbd7f01b@bootlin.com>
References: <20260224-add-sbom-cve-check-v1-0-1c76fbd7f01b@bootlin.com>
In-Reply-To: <20260224-add-sbom-cve-check-v1-0-1c76fbd7f01b@bootlin.com>
To: openembedded-core@lists.openembedded.org
Cc: ross.burton@arm.com, peter.marko@siemens.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, Benjamin Robin
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231870

- Build dependency of python3-spdx-python-model.
- Part of the dependency chain for sbom-cve-check

Signed-off-by: Benjamin Robin
---
 .../python/python3-hatch-build-scripts_1.0.0.bb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-hatch-build-scripts_1.0.0.bb b/meta/recipes-devtools/python/python3-hatch-build-scripts_1.0.0.bb
new file mode 100644
index 000000000000..ba7d8b40ffc5
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-hatch-build-scripts_1.0.0.bb
@@ -0,0 +1,12 @@ +SUMMARY = "A plugin for Hatch that runs build scripts and saves their artifacts" +HOMEPAGE = "https://pypi.org/project/hatch_build_scripts/" +SECTION = "devel/python" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=9ad584cda56221c7eaf48c23a5874a2a" + +PYPI_PACKAGE = "hatch_build_scripts" +SRC_URI[sha256sum] = "563735e2f265c9e1b92dece6f762309114505ffaf6e5d51d462eb6a3b4f14640" + +inherit pypi python_hatchling + +BBCLASSEXTEND = "native nativesdk"
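Review bot: hatch_build_scripts is a hatchling plugin and imports hatchling when it runs, but the recipe declares no RDEPENDS:${PN}. The -native variant gets away with that because python_hatchling already stages python3-hatchling-native into the sysroot of whichever recipe loads the plugin, but the target and nativesdk packages enabled by BBCLASSEXTEND would install without hatchling; add `RDEPENDS:${PN} += "python3-hatchling"` or restrict BBCLASSEXTEND to `native`.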
From: Benjamin Robin
Date: Tue, 24 Feb 2026 16:53:45 +0100
Subject: [PATCH 3/5] python3-spdx-python-model: add recipe
Message-Id: <20260224-add-sbom-cve-check-v1-3-1c76fbd7f01b@bootlin.com>
References: <20260224-add-sbom-cve-check-v1-0-1c76fbd7f01b@bootlin.com>
In-Reply-To: <20260224-add-sbom-cve-check-v1-0-1c76fbd7f01b@bootlin.com>
To: openembedded-core@lists.openembedded.org
Cc: ross.burton@arm.com, peter.marko@siemens.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, Benjamin Robin
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231871

- Part of the dependency chain for sbom-cve-check

Signed-off-by: Benjamin Robin
---
 ...enerate-bindings-allow-to-use-local-files.patch | 58 ++++++++++++++++++++++
 .../python/python3-spdx-python-model_0.0.4.bb | 37 ++++++++++++++
 2 files changed, 95 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch b/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch
new file mode 100644
index 000000000000..ec24d7beb3c5
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch
@@ -0,0 +1,58 @@ +From 9fb565a0a70c6985fa1efde13cfe7fb4851588ce Mon Sep 17 00:00:00 2001 +From: Benjamin Robin +Date: Tue, 24 Feb 2026 10:59:25 +0100 +Subject: [PATCH] generate-bindings: allow to use local files + +shacl2code needs to download the following URLs during build time: + - https://spdx.org/rdf/3.0.1/spdx-model.ttl + - https://spdx.org/rdf/3.0.1/spdx-json-serialize-annotations.ttl + - https://spdx.org/rdf/3.0.1/spdx-context.jsonld + +There are a lot of package build tools that do not allow to download +a file during the build. So provide a way to use local file: +If the environment variable SHACL2CODE_SPDX_DIR is defined, load +the SPDX model and SPDX context from the directory specified by this +environment variable. + +Upstream-Status: Submitted [https://github.com/spdx/spdx-python-model/pull/19] + +Signed-off-by: Benjamin Robin +--- + gen/generate-bindings | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/gen/generate-bindings b/gen/generate-bindings +index b963c55a3bc9..bc7041ee3bb9 100755 +--- a/gen/generate-bindings ++++ b/gen/generate-bindings +@@ -14,12 +14,22 @@ echo "# Import all versions" > __init__.py + for v in $SPDX_VERSIONS; do + MODNAME="v$(echo "$v" | sed 's/[^a-zA-Z0-9_]/_/g')" + +- shacl2code generate --input https://spdx.org/rdf/$v/spdx-model.ttl \ +- --input https://spdx.org/rdf/$v/spdx-json-serialize-annotations.ttl \ +- --context https://spdx.org/rdf/$v/spdx-context.jsonld \ +- --license Apache-2.0 \ +- python \ +- -o "$MODNAME.py" ++ if [ -n "${SHACL2CODE_SPDX_DIR}" ] && [ -d "${SHACL2CODE_SPDX_DIR}/$v" ] ++ then ++ shacl2code generate --input "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-model.ttl" \ ++ --input "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-json-serialize-annotations.ttl" \ ++ --context-url "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-context.jsonld" https://spdx.org/rdf/$v/spdx-context.jsonld \ ++ --license Apache-2.0 \ ++ python \ ++ -o "$MODNAME.py" ++ else ++ shacl2code generate 
--input https://spdx.org/rdf/$v/spdx-model.ttl \ ++ --input https://spdx.org/rdf/$v/spdx-json-serialize-annotations.ttl \ ++ --context https://spdx.org/rdf/$v/spdx-context.jsonld \ ++ --license Apache-2.0 \ ++ python \ ++ -o "$MODNAME.py" ++ fi + + echo "from . import $MODNAME" >> __init__.py + done +-- +2.53.0 diff --git a/meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb b/meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb new file mode 100644 index 000000000000..5901caa3c1c8 --- /dev/null +++ b/meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb 
@@ -0,0 +1,37 @@ +SUMMARY = "Generated Python code for SPDX Spec version 3" +HOMEPAGE = "https://pypi.org/project/spdx-python-model/" +SECTION = "devel/python" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327" + +PYPI_PACKAGE = "spdx_python_model" +SRC_URI[sha256sum] = "bdec725398babcbdd4bcb7c16cf23497d06a48d0ef3ea1edb19a3b0d431ab8c1" + +SRC_URI += " \ + https://spdx.org/rdf/3.0.1/spdx-context.jsonld;name=spdx1 \ + https://spdx.org/rdf/3.0.1/spdx-json-serialize-annotations.ttl;name=spdx2 \ + https://spdx.org/rdf/3.0.1/spdx-model.ttl;name=spdx3 \ + file://0001-generate-bindings-allow-to-use-local-files.patch \ +" + +SRC_URI[spdx1.sha256sum] = "c72b0928f094c83e5c127784edb1ebca2af74a104fcacc007c332b23cbc788bd" +SRC_URI[spdx2.sha256sum] = "c6a54b51230eb2bf3b31302546af201f303e0b7931c1db404d7f5b72b6f863e6" +SRC_URI[spdx3.sha256sum] = "30ebb4af2d70a9809044ef46f44cc3dc5125226d70f818a50ed2e1d5f404c593" + +inherit pypi python_hatchling + +export SHACL2CODE_SPDX_DIR = "${S}/spdx" + +do_configure:append() { + mkdir -p "${SHACL2CODE_SPDX_DIR}/3.0.1/" + cp ${UNPACKDIR}/spdx-context.jsonld "${SHACL2CODE_SPDX_DIR}/3.0.1/" + cp ${UNPACKDIR}/spdx-json-serialize-annotations.ttl "${SHACL2CODE_SPDX_DIR}/3.0.1/" + cp ${UNPACKDIR}/spdx-model.ttl "${SHACL2CODE_SPDX_DIR}/3.0.1/" +} + +DEPENDS += " \ + python3-shacl2code \ + python3-hatch-build-scripts \ +" + +BBCLASSEXTEND = "native nativesdk"
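Review bot: in the gen/generate-bindings hunk of 0001-generate-bindings-allow-to-use-local-files.patch, when SHACL2CODE_SPDX_DIR is set but `${SHACL2CODE_SPDX_DIR}/$v` does not exist, the new `if` silently takes the download branch, which under network isolation only fails later with a fetch error from shacl2code. Since the variable exists to make offline builds deterministic, failing right there with a clear message (`echo "no local SPDX files for $v in $SHACL2CODE_SPDX_DIR" >&2; exit 1`) would be friendlier. The two invocations also differ beyond the input paths (`--context <url>` versus `--context-url <file-url> <url>`); a sentence in the patch description on why the local branch needs the second form would help the upstream PR too.

Review bot: in the python3-spdx-python-model_0.0.4.bb hunk, `DEPENDS += "python3-shacl2code python3-hatch-build-scripts"` names the target recipes, but shacl2code and the hatch plugin execute on the build host during the hatch build, so the target variant needs `python3-shacl2code-native` and `python3-hatch-build-scripts-native` (the -native variant of this recipe works either way because the native class extension rewrites DEPENDS). Related: do_configure:append copies the three spdx.org files into a hard-coded `3.0.1/` directory while the patched gen/generate-bindings iterates over `$SPDX_VERSIONS`, so an upstream release that lists another version would fall back to a network download; deriving the directory name and the three SRC_URI entries from one version variable keeps them in step.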
From: Benjamin Robin
Date: Tue, 24 Feb 2026 16:53:46 +0100
Subject: [PATCH 4/5] sbom-cve-check: add recipe
Message-Id: <20260224-add-sbom-cve-check-v1-4-1c76fbd7f01b@bootlin.com>
References: <20260224-add-sbom-cve-check-v1-0-1c76fbd7f01b@bootlin.com>
In-Reply-To: <20260224-add-sbom-cve-check-v1-0-1c76fbd7f01b@bootlin.com>
To: openembedded-core@lists.openembedded.org
Cc: ross.burton@arm.com, peter.marko@siemens.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, Benjamin Robin
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231872

Provide sbom-cve-check (native) executable.

Signed-off-by: Benjamin Robin
---
 .../python/python3-sbom-cve-check_1.1.0.bb | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-sbom-cve-check_1.1.0.bb b/meta/recipes-devtools/python/python3-sbom-cve-check_1.1.0.bb
new file mode 100644
index 000000000000..3d1c581e9f86
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-sbom-cve-check_1.1.0.bb
@@ -0,0 +1,17 @@ +SUMMARY = "Lightweight SBOM CVE analysis tool" +HOMEPAGE = "https://github.com/bootlin/sbom-cve-check" +SECTION = "devel/python" +LICENSE = "GPL-2.0-only" +LIC_FILES_CHKSUM = "file://LICENSE;md5=570a9b3749dd0463a1778803b12a6dce" + +PYPI_PACKAGE = "sbom_cve_check" +SRC_URI[sha256sum] = "953256ac99851ba59bc8649b8023303007ff2981edbc4ee395011bd91c118095" + +inherit pypi python_hatchling + +RDEPENDS:${PN} += " \ + python3-spdx-python-model \ + python3-pyyaml \ +" + +BBCLASSEXTEND = "native nativesdk"
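Review bot: the subject (`sbom-cve-check: add recipe`) and the message ("Provide sbom-cve-check (native) executable") do not match what is added, python3-sbom-cve-check_1.1.0.bb, which also builds target and nativesdk packages; name the recipe in the subject and say what the non-native packages are for, given that sbom-cve-check.bbclass only depends on python3-sbom-cve-check-native:do_populate_sysroot. The RDEPENDS list (python3-spdx-python-model, python3-pyyaml) is also worth checking against the 1.1.0 release's declared dependencies, since the class runs the tool from the native sysroot and a missing module would only surface at analysis time.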
From: Benjamin Robin
Date: Tue, 24 Feb 2026 16:53:47 +0100
Subject: [PATCH 5/5] sbom-cve-check.bbclass: Add class for post-build CVE analysis
Message-Id: <20260224-add-sbom-cve-check-v1-5-1c76fbd7f01b@bootlin.com>
References: <20260224-add-sbom-cve-check-v1-0-1c76fbd7f01b@bootlin.com>
In-Reply-To: <20260224-add-sbom-cve-check-v1-0-1c76fbd7f01b@bootlin.com>
To: openembedded-core@lists.openembedded.org
Cc: ross.burton@arm.com, peter.marko@siemens.com, jpewhacker@gmail.com, olivier.benjamin@bootlin.com, antonin.godard@bootlin.com, mathieu.dubois-briand@bootlin.com, thomas.petazzoni@bootlin.com, Benjamin Robin
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/231873

By default, the CVE databases are downloaded using the following recipes:
- sbom-cve-check-update-cvelist-native.bb
- sbom-cve-check-update-nvd-native.bb

The database download logic is implemented in sbom-cve-check-update-db.bbclass.

The CVE databases are stored in the download directory (`DL_DIR`). Access to the database is managed using an exclusive file lock (`flock`) on the directory. During CVE analysis, sbom-cve-check acquires a shared lock, allowing multiple analyses to run in parallel. However, if the database is being updated, any ongoing CVE analysis is temporarily paused.

This design ensures that, under normal circumstances, sbom-cve-check can run without requiring network access. If a user needs network access during execution (e.g., to download annotation databases), they can set `SBOM_CVE_CHECK_ALLOW_NETWORK` to "1".
Signed-off-by: Benjamin Robin
---
 .../sbom-cve-check-update-db.bbclass | 87 ++++++++++++++++++++
 meta/classes-recipe/sbom-cve-check.bbclass | 96 ++++++++++++++++++++++
 .../meta/sbom-cve-check-update-cvelist-native.bb | 7 ++
 .../meta/sbom-cve-check-update-nvd-native.bb | 7 ++
 4 files changed, 197 insertions(+)

diff --git a/meta/classes-recipe/sbom-cve-check-update-db.bbclass b/meta/classes-recipe/sbom-cve-check-update-db.bbclass
new file mode 100644
index 000000000000..4f62c831eb72
--- /dev/null
+++ b/meta/classes-recipe/sbom-cve-check-update-db.bbclass
@@ -0,0 +1,87 @@ +# SPDX-License-Identifier: MIT + +INHIBIT_DEFAULT_DEPS = "1" +EXCLUDE_FROM_WORLD = "1" + +inherit native + +deltask do_patch +deltask do_configure +deltask do_compile +deltask do_install +deltask do_populate_sysroot + +SBOM_CVE_CHECK_FETCH_PATH[doc] = "Path to the Git repository to be downloaded. \ + Should be prefixed by {DL_DIR}/sbom_cve_check/databases/" + +SBOM_CVE_CHECK_FETCH_URL[doc] = "Git clone URL of the CVE database" + +SBOM_CVE_CHECK_FETCH_INTERVAL ?= "57600" +SBOM_CVE_CHECK_FETCH_INTERVAL[doc] = "\ + CVE database update interval, in seconds. By default every 16 hours. \ + Use 0 to force the update. Use a negative value to skip the update. \ +" + +python do_fetch() { + from datetime import datetime, timezone, timedelta + import fcntl + import os + import pathlib + import subprocess + + bb.utils.export_proxies(d) + + fetch_interval = int(d.get("SBOM_CVE_CHECK_FETCH_INTERVAL")) + git_url = d.getVar("SBOM_CVE_CHECK_FETCH_URL") + git_dir = pathlib.Path(d.getVar("SBOM_CVE_CHECK_FETCH_PATH")) + git_dir.mkdir(parents=True, exist_ok=True) + + def _exec_git_cmd(args): + cmd = ["git"] + cmd.extend(args) + return subprocess.run( + cmd, + input="", + capture_output=True, + check=True, + cwd=git_dir, + encoding="utf-8", + ) + + # Lock the git directory: take an exclusive lock + lock_fd = os.open(git_dir, os.O_RDONLY | os.O_NOCTTY) + try: + fcntl.flock(lock_fd, fcntl.LOCK_EX) + + # Clone the git repository if it does not exist + if not git_dir.joinpath(".git", "HEAD").is_file(): + _exec_git_cmd(["clone", "--depth", "1", "--single-branch", git_url, "."]) + return + + # Check if an updated is necessary + if fetch_interval < 0: + return + + if fetch_interval > 0: + # Get date of last commit + r = _exec_git_cmd(["show", "-s", "--format=%ct", "HEAD"]) + commit_date = datetime.fromtimestamp(int(r.stdout.strip()), tz=timezone.utc) + delta_last_commit = datetime.now(timezone.utc) - commit_date + if delta_last_commit < timedelta(seconds=fetch_interval): + 
return + + _exec_git_cmd(["pull"]) + except subprocess.SubprocessError as e: + bb.error(f"{e.cmd} failed:\n{e.stdout}\n---\n{e.stderr}\n") + finally: + # Release the exclusive lock + os.close(lock_fd) +} + +do_fetch[file-checksums] = "" +do_fetch[vardeps] = " \ + SBOM_CVE_CHECK_FETCH_PATH \ + SBOM_CVE_CHECK_FETCH_URL \ + SBOM_CVE_CHECK_FETCH_INTERVAL \ +" +do_fetch[nostamp] = "1" diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass new file mode 100644 index 000000000000..86e06bdf7c23 --- /dev/null +++ b/meta/classes-recipe/sbom-cve-check.bbclass 
@@ -0,0 +1,96 @@ +# SPDX-License-Identifier: MIT + +SBOM_CVE_CHECK_WORKDIR ??= "${WORKDIR}/sbom_cve_check" +SBOM_CVE_CHECK_DEPLOYDIR = "${SBOM_CVE_CHECK_WORKDIR}/image-deploy" + +SBOM_CVE_CHECK_EXTRA_ARGS[doc] = "Allow to specify extra arguments to sbom-cve-check. For example to add filtering" +SBOM_CVE_CHECK_EXTRA_ARGS ?= "" + +SBOM_CVE_CHECK_EXPORT_VARS[doc] = "List of variables that declare export files to generate. Each variable must have a 'type' and an 'ext' flag set" +SBOM_CVE_CHECK_EXPORT_VARS ?= "SBOM_CVE_CHECK_EXPORT_FILE" + +SBOM_CVE_CHECK_EXPORT_FILE[doc] = "Default configuration of generated export file" +SBOM_CVE_CHECK_EXPORT_FILE[type] ?= "spdx3" +SBOM_CVE_CHECK_EXPORT_FILE[ext] ?= ".cve-check.spdx.json" + +SBOM_CVE_CHECK_ALLOW_NETWORK[doc] = "Set to 1 to enable network usage." +SBOM_CVE_CHECK_ALLOW_NETWORK ?= "0" + +python do_sbom_cve_check() { + """ + Task: Run sbom-cve-check analysis on SBOM. + """ + import os + import bb + from oe.cve_check import update_symlinks + + if not bb.data.inherits_class("vex", d): + bb.fatal("Cannot execute sbom-cve-check missing vex inherit.") + if not bb.data.inherits_class("create-spdx-3.0", d): + bb.fatal("Cannot execute sbom-cve-check missing create-spdx-3.0 inherit.") + + sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json") + vex_manifest_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.json") + dl_db_dir = d.expand("${DL_DIR}/sbom_cve_check/databases") + deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR") + img_link_name = d.getVar("IMAGE_LINK_NAME") + img_name = d.getVar("IMAGE_NAME") + + export_files = [] + for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split(): + export_ext = d.getVarFlag(export_var, "ext") + export_path = f"{deploy_dir}/{img_name}{export_ext}" + export_link = f"{deploy_dir}/{img_link_name}{export_ext}" + export_type = d.getVarFlag(export_var, "type") + export_files.append((export_type, export_path, export_link)) + + cmd_env = os.environ.copy() + 
cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = dl_db_dir + + cmd_args = [ + d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"), + "--sbom-path", + sbom_path, + "--yocto-vex-manifest", + vex_manifest_path, + ] + + for export_file in export_files: + cmd_args.extend( + ["--export-type", export_file[0], "--export-path", export_file[1]] + ) + + cmd_args.extend(d.getVar("SBOM_CVE_CHECK_EXTRA_ARGS").split()) + + try: + bb.note("Running: {}".format(" ".join(cmd_args))) + bb.process.run(cmd_args, env=cmd_env) + except bb.process.ExecutionError as e: + bb.fatal( + f"sbom-cve-check failed with exit code {e.exitcode}\n{e.stdout}\n{e.stderr}" + ) + return + + for export_file in export_files: + bb.note(f"sbom-cve-check exported: {export_file[1]}") + update_symlinks(export_file[1], export_file[2]) +} + +addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build + +SSTATETASKS += "do_sbom_cve_check" +SSTATE_SKIP_CREATION:task-sbom-cve-check = "1" +do_sbom_cve_check[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}" +do_sbom_cve_check[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}" +do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}" +do_sbom_cve_check[recrdeptask] += "do_create_image_sbom_spdx" +do_sbom_cve_check[depends] += " \ + python3-sbom-cve-check-native:do_populate_sysroot \ + ${@oe.utils.conditional('SBOM_CVE_CHECK_ALLOW_NETWORK','0',' \ + sbom-cve-check-update-cvelist-native:do_fetch \ + sbom-cve-check-update-nvd-native:do_fetch \ + ','',d)} \ +" + +do_sbom_cve_check[network] = "${SBOM_CVE_CHECK_ALLOW_NETWORK}" +do_sbom_cve_check[nostamp] = "1" diff --git a/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb new file mode 100644 index 000000000000..cd5ed680b4dd --- /dev/null +++ b/meta/recipes-core/meta/sbom-cve-check-update-cvelist-native.bb 
@@ -0,0 +1,7 @@ +SUMMARY = "Updates the CVE List database" +LICENSE = "MIT" + +SBOM_CVE_CHECK_FETCH_PATH = "${DL_DIR}/sbom_cve_check/databases/cvelist" +SBOM_CVE_CHECK_FETCH_URL = "https://github.com/CVEProject/cvelistV5.git" + +inherit sbom-cve-check-update-db diff --git a/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb new file mode 100644 index 000000000000..7add8e6bfba5 --- /dev/null +++ b/meta/recipes-core/meta/sbom-cve-check-update-nvd-native.bb @@ -0,0 +1,7 @@ +SUMMARY = "Updates the NVD CVE database" +LICENSE = "MIT" + +SBOM_CVE_CHECK_FETCH_PATH = "${DL_DIR}/sbom_cve_check/databases/nvd-fkie" +SBOM_CVE_CHECK_FETCH_URL = "https://github.com/fkie-cad/nvd-json-data-feeds.git" + +inherit sbom-cve-check-update-db
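Review bot: in the sbom-cve-check-update-db.bbclass hunk, `int(d.get("SBOM_CVE_CHECK_FETCH_INTERVAL"))` should be `d.getVar(...)`: the datastore exposes getVar/getVarFlag but, as far as I can see, no `get`, and every other access in the task uses getVar, so as written do_fetch fails before it ever takes the lock. Second, a git failure is reported with `bb.error` and the task then completes, leaving an empty or stale clone under `${DL_DIR}/sbom_cve_check/databases/` that the dependent do_sbom_cve_check will analyse against without noticing; `bb.fatal` is the right call there. Third, `clone --depth 1` followed by a plain `git pull` lets the shallow clone grow history on every update; `git pull --depth 1` (or `fetch --depth 1` plus `reset --hard FETCH_HEAD`) keeps the download directory bounded for repositories the size of cvelistV5.

Review bot: in the sbom-cve-check.bbclass hunk, the `return` after `bb.fatal(...)` in the `except bb.process.ExecutionError` branch is unreachable (bb.fatal raises), so drop it. The database location `${DL_DIR}/sbom_cve_check/databases` is hard-coded here, repeated in both update recipes' SBOM_CVE_CHECK_FETCH_PATH and again in the [doc] flag of sbom-cve-check-update-db.bbclass; one variable (the environment variable name already handed to the tool, SBOM_CVE_CHECK_DATABASES_DIR, would be a natural choice) would stop the class and the recipes drifting apart. `d.getVar("SBOM_CVE_CHECK_EXTRA_ARGS").split()` also cannot pass a quoted argument through; `shlex.split` is the usual choice for a user-supplied argument string.

Review bot: both sbom-cve-check-update-*-native.bb hunks hard-code the subdirectory names `cvelist` and `nvd-fkie` under `${DL_DIR}/sbom_cve_check/databases`, and nothing on the recipe side says that these are the names sbom-cve-check expects under SBOM_CVE_CHECK_DATABASES_DIR rather than free choices; a comment in each recipe, or the [doc] flag of SBOM_CVE_CHECK_FETCH_PATH in sbom-cve-check-update-db.bbclass, should state that the layout is dictated by the tool. Since both clones are large and land in DL_DIR with nostamp fetches, a note on the expected disk footprint next to SBOM_CVE_CHECK_FETCH_INTERVAL would also save users a surprise.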