From patchwork Thu Apr 2 16:25:08 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 85186 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82E96D6AAEE for ; Thu, 2 Apr 2026 16:25:20 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.413.1775147119321507069 for ; Thu, 02 Apr 2026 09:25:19 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=sF//9SQd; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id CBF8A3328; Thu, 2 Apr 2026 09:25:12 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 3E34C3F915; Thu, 2 Apr 2026 09:25:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1775147118; bh=oHCbA38Da0OdGhZ6mTdNAMaFf1hMgyS6RD6GHp4aBHI=; h=From:To:Cc:Subject:Date:From; b=sF//9SQdKLW22o/IRruQ5QRpgC+r0rMwR4w/QM7RTtCITIv2qAucw7Tbt1gSduYfs QfdY0/Ds1Huejp3m+/FnziBckCQHDAeKxJFaun/C3KZ6QGwjxgw64OqWGGJsH496ow GPv6DyOnVrjayNO8UNiw3I3sZMdyqQkR+CZ3Q7C4= 
From: Ross Burton To: openembedded-core@lists.openembedded.org Cc: benjamin.robin@bootlin.com Subject: [RFC PATCH 1/3] sbom-cve-check: refactor do_sbom_cve_check Date: Thu, 2 Apr 2026 17:25:08 +0100 Message-ID: <20260402162510.1945892-1-ross.burton@arm.com> X-Mailer: git-send-email 2.47.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Apr 2026 16:25:20 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234546 Extract the bulk of the logic to a separate function, so the task just has to pass a few variables. Signed-off-by: Ross Burton --- meta/classes-recipe/sbom-cve-check.bbclass | 29 +++++++++++++--------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass index 4abc427c58..fef6f0c2aa 100644 --- a/meta/classes-recipe/sbom-cve-check.bbclass +++ b/meta/classes-recipe/sbom-cve-check.bbclass 
@@ -43,28 +43,24 @@ SBOM_CVE_CHECK_EXPORT_SUMMARY[doc] = "Export configuration to generate a human-r SBOM_CVE_CHECK_EXPORT_SUMMARY[type] ?= "summary" SBOM_CVE_CHECK_EXPORT_SUMMARY[ext] ?= ".cve.txt" -python do_sbom_cve_check() { - """ - Task: Run sbom-cve-check analysis on SBOM. - """ + +def run_sbom_cve_check(d, recipe_name, link_name=None): import os import bb - from oe.cve_check import update_symlinks if not bb.data.inherits_class("create-spdx-3.0", d): - bb.fatal("Cannot execute sbom-cve-check missing create-spdx-3.0 inherit.") + bb.fatal("Cannot execute sbom-cve-check: missing create-spdx-3.0 inherit.") - sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json") + image_deploy_dir = d.getVar("DEPLOY_DIR_IMAGE") + sbom_path = d.expand(f"{image_deploy_dir}/{recipe_name}.spdx.json") dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR") - deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR") - img_link_name = d.getVar("IMAGE_LINK_NAME") - img_name = d.getVar("IMAGE_NAME") + out_deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR") export_files = [] for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split(): export_ext = d.getVarFlag(export_var, "ext") - export_path = f"{deploy_dir}/{img_name}{export_ext}" - export_link = f"{deploy_dir}/{img_link_name}{export_ext}" + export_path = f"{out_deploy_dir}/{recipe_name}{export_ext}" + export_link = f"{out_deploy_dir}/{link_name}{export_ext}" if link_name else None export_type = d.getVarFlag(export_var, "type") export_files.append((export_type, export_path, export_link)) 
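Review bot: The hunk removes `from oe.cve_check import update_symlinks` from the function's local imports, yet the call `update_symlinks(export_file, export_link)` survives as context in the next hunk, so any run with a link_name set would fail with NameError unless the name is imported elsewhere in the class, which is not visible here. Keep the import next to `import os` and `import bb`: `from oe.cve_check import update_symlinks`. Since this is now a plain helper rather than a task, a short docstring stating that `recipe_name` selects `${DEPLOY_DIR_IMAGE}/<recipe_name>.spdx.json` and that `link_name=None` suppresses the export symlinks would help callers. The body of run_sbom_cve_check continues past the end of this hunk.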
@@ -96,6 +92,15 @@ python do_sbom_cve_check() { bb.note(f"sbom-cve-check exported: {export_file}") if export_link: update_symlinks(export_file, export_link) + + +python do_sbom_cve_check() { + """ + Task: Run sbom-cve-check analysis on SBOM. + """ + image_name = d.getVar("IMAGE_NAME") + link_name = d.getVar("IMAGE_LINK_NAME") + run_sbom_cve_check(d, image_name, link_name, sbom_path) } addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build From patchwork Thu Apr 2 16:25:09 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 85185 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9400AD6AAF0 for ; Thu, 2 Apr 2026 16:25:20 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.409.1775147120069173787 for ; Thu, 02 Apr 2026 09:25:20 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=ubJACbdY; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 84AB8344A; Thu, 2 Apr 2026 09:25:13 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id E42523F915; Thu, 2 Apr 2026 09:25:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1775147119; bh=XdqMmAAULNQSc+T7eC9TN6wtCcccXxCE4BzttoR9cR0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; 
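Review bot: The new task body calls `run_sbom_cve_check(d, image_name, link_name, sbom_path)`, but the helper introduced in the previous hunk takes `(d, recipe_name, link_name=None)` and `sbom_path` is never bound in the task, so the task raises NameError before the helper is entered. The call should read `run_sbom_cve_check(d, image_name, link_name)`. Worth noting in the task docstring that the image SBOM is now located by IMAGE_NAME rather than IMAGE_LINK_NAME, since the helper builds the path from its `recipe_name` argument.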
b=ubJACbdYAl9cRI8tK++DxdXmHyb10zGEc8FiBhS8ckiyFwQOyCmuoHyfpSNEGFzc1 1dRzflQAtexUqOKidkp8nRgRuQaDw/IrgpyT1vU26Y5vSMs0IUlVx+a+ZTq/SqB1a7 Vqi/Ao5A1fAtsjR+DLyEd4P9+Fc0Xv5wDjna9zOs= From: Ross Burton To: openembedded-core@lists.openembedded.org Cc: benjamin.robin@bootlin.com Subject: [RFC PATCH 2/3] sbom-cve-check: move to classes from classes-recipe Date: Thu, 2 Apr 2026 17:25:09 +0100 Message-ID: <20260402162510.1945892-2-ross.burton@arm.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20260402162510.1945892-1-ross.burton@arm.com> References: <20260402162510.1945892-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Apr 2026 16:25:20 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234547 Signed-off-by: Ross Burton --- meta/{classes-recipe => classes}/sbom-cve-check.bbclass | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename meta/{classes-recipe => classes}/sbom-cve-check.bbclass (100%) 
diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes/sbom-cve-check.bbclass similarity index 100% rename from meta/classes-recipe/sbom-cve-check.bbclass rename to meta/classes/sbom-cve-check.bbclass From patchwork Thu Apr 2 16:25:10 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 85187 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 60926D6AAF0 for ; Thu, 2 Apr 2026 16:25:30 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.411.1775147120588388121 for ; Thu, 02 Apr 2026 09:25:20 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=s+5shWpk; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 34B6F34A9; Thu, 2 Apr 2026 09:25:14 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 9DD763F915; Thu, 2 Apr 2026 09:25:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1775147120; bh=dz7DAKzC0Elcpim4m68Xs/MMdCZKboQRcwX1dElF6VI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=s+5shWpktXUZK4dAY+WJ3xEiSXJmqXiYyw07oOVamqc6w2FBlgnQhbwx/ALKI9DBp HTLv1uQXzSWgQNkuzZInVlCx+dS5B5gU++bECIsA5PV5pVykIGR/S05LxLL5gf1q2i Cm/1vOLkia3pM/Hl/3ycqjjzP5mI68xmBv6h/eCI= 
From: Ross Burton To: openembedded-core@lists.openembedded.org Cc: benjamin.robin@bootlin.com Subject: [RFC PATCH 3/3] sbom-cve-check: add prototype recipe scanning task Date: Thu, 2 Apr 2026 17:25:10 +0100 Message-ID: <20260402162510.1945892-3-ross.burton@arm.com> X-Mailer: git-send-email 2.47.1 In-Reply-To: <20260402162510.1945892-1-ross.burton@arm.com> References: <20260402162510.1945892-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 02 Apr 2026 16:25:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234548 Add a new task, sbom_cve_check_recipe, that will do a CVE scan of the SPDX for the specified recipe. This is mainly useful for top-level or aggregration packages (e.g. meta-world-recipe-sbom) as it follows dependencies, so running it on a single package (e.g. curl) will also show CVEs for its dependencies (e.g. zlib). Signed-off-by: Ross Burton --- meta/classes/sbom-cve-check.bbclass | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/meta/classes/sbom-cve-check.bbclass b/meta/classes/sbom-cve-check.bbclass index fef6f0c2aa..fc89ab9799 100644 --- a/meta/classes/sbom-cve-check.bbclass +++ b/meta/classes/sbom-cve-check.bbclass @@ -94,6 +94,9 @@ def run_sbom_cve_check(d, recipe_name, link_name=None): update_symlinks(export_file, export_link) +# +# Scan the SBOM of an image. +# python do_sbom_cve_check() { """ Task: Run sbom-cve-check analysis on SBOM. 
@@ -119,3 +122,29 @@ python do_sbom_cve_check_setscene() { sstate_setscene(d) } addtask do_sbom_cve_check_setscene + + +# +# Scan the SBOM of a recipe. +# + +python do_sbom_cve_check_recipe() { + recipe = d.getVar("SPDX_RECIPE_SBOM_NAME") + run_sbom_cve_check(d, recipe) +} + +addtask do_sbom_cve_check_recipe after do_create_recipe_sbom + +SSTATETASKS += "do_sbom_cve_check_recipe" +do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}" +do_sbom_cve_check_recipe[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}" +do_sbom_cve_check_recipe[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}" +do_sbom_cve_check_recipe[depends] += " \ + python3-sbom-cve-check-native:do_populate_sysroot \ + sbom-cve-check-update-cvelist-native:do_unpack \ + sbom-cve-check-update-nvd-native:do_unpack \ +" +python do_sbom_cve_check_recipe_setscene() { + sstate_setscene(d) +} +addtask do_sbom_cve_check_recipe_setscene
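Review bot: `do_sbom_cve_check_recipe` uses `${SBOM_CVE_CHECK_DEPLOYDIR}` as both its cleandirs and sstate-inputdirs, and the shared helper writes every export into that same directory, so with the class now in classes/ a recipe that ends up carrying both this task and do_sbom_cve_check will have whichever task runs second wipe the other's exports before sstate captures them; a task-specific output directory (for example a `-recipe` suffixed variant of the variable) would keep them apart — the image task's flags are outside this hunk, so confirm how they are set. The new task also lacks the docstring its image sibling has; `"""Task: Run sbom-cve-check analysis on the recipe SBOM."""` would match. Because the addtask line does not order the task before do_build it only runs when requested explicitly, which fits the description but is worth stating in the comment block above the task.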