From patchwork Tue Apr 7 21:02:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 85468 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5C11EF46C7F for ; Tue, 7 Apr 2026 21:03:16 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.92193.1775595784316163396 for ; Tue, 07 Apr 2026 14:03:04 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=W13+CvVS; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id D94C9353C for ; Tue, 7 Apr 2026 14:02:57 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 4698B3F7D8 for ; Tue, 7 Apr 2026 14:03:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1775595783; bh=CY/XXJJP+FpgGIEFv/giz3JI9Od6jv4nF1bkBYcpiPU=; h=From:To:Subject:Date:From; b=W13+CvVS9M+VW+xebx7tpvrS77r1Qweb+3HqqTSoVYA4AkA11fjt1Ay8c0ihZgkNJ Xb/ar2PEX/4+ibsrYbhYwv5Y2Fyxh+MsLl8vSzeYcjfKzT7PikK0/yKCeGF9MBwSBw sJfST/rZJj3nu52Fkbd3/inixpjdnIBcITmKHJDI= 
From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH v2 1/7] sbom-cve-check-update-db: Fix do_populate_lic failure Date: Tue, 7 Apr 2026 22:02:20 +0100 Message-ID: <20260407210226.2375631-1-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Apr 2026 21:03:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234780 From: Benjamin Robin The `do_populate_lic` task was failing because it runs after `do_patch`, but the indirect dependency on `do_unpack` was lost when the `do_patch` task was deleted. It is safe, and even preferable, to retain the `do_patch` task, as this allows users to apply patches to their CVE databases. Follow-up to commit 8ef22ad9e302f86b2da4fa81541a464e95b9ef3c ("sbom-cve-check: Add class for post-build CVE analysis"). Signed-off-by: Benjamin Robin --- meta/classes-recipe/sbom-cve-check.bbclass | 4 ++-- .../sbom-cve-check/sbom-cve-check-update-db.inc | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass index 6c62a5119d..4abc427c58 100644 --- a/meta/classes-recipe/sbom-cve-check.bbclass +++ b/meta/classes-recipe/sbom-cve-check.bbclass @@ -106,8 +106,8 @@ do_sbom_cve_check[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}" do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}" do_sbom_cve_check[depends] += " \ python3-sbom-cve-check-native:do_populate_sysroot \ - sbom-cve-check-update-cvelist-native:do_unpack \ - sbom-cve-check-update-nvd-native:do_unpack \ + sbom-cve-check-update-cvelist-native:do_patch \ + sbom-cve-check-update-nvd-native:do_patch \ " python do_sbom_cve_check_setscene() { 
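Review bot: the switch from `:do_unpack` to `:do_patch` in `do_sbom_cve_check[depends]` is only explained in the commit message; add a one-line comment above `do_sbom_cve_check[depends] += " \` stating that `do_patch` is the last task the database recipes still run (the later ones are deleted in sbom-cve-check-update-db.inc), so that a future reader does not "optimise" the dependency back to `do_unpack` and reintroduce the `do_populate_lic` ordering failure.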
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc index 4e9cef96e8..a318e2c40e 100644 --- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc +++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc 
@@ -9,7 +9,6 @@ require sbom-cve-check-config.inc SBOM_CVE_CHECK_DB_NAME[doc] = "Database name, which is the Git repository directory name. \ The git repository will be stored in ${SBOM_CVE_CHECK_DEPLOY_DB_DIR)/" -deltask do_patch deltask do_configure deltask do_compile deltask do_install From patchwork Tue Apr 7 21:02:21 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 85466 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7753AFEEF2D for ; Tue, 7 Apr 2026 21:03:14 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.92008.1775595784674426486 for ; Tue, 07 Apr 2026 14:03:04 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=fWGDQf7W; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 6D8CD353E for ; Tue, 7 Apr 2026 14:02:58 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id D29803F7D8 for ; Tue, 7 Apr 2026 14:03:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1775595784; bh=9AYRw16KtkIBBg7pjtC/50sy89BdQwAyVc7sVD8hAeE=; h=From:To:Subject:Date:In-Reply-To:References:From; b=fWGDQf7Wn/ylkxLgXDyBDxfQF7qAtM1DvoHv1635m9XOgYwRM5WjXRm6sjdXhTgDr Av+8F9YHbVZ6xyFR7Y0LMakUiC1DK4ZN3rHyfZjlOl/UZ/xmlKOp37yjGCc4ZTvEs8 vohE7gb9sm84WJE/h+n350Md2Tmp+6tLa/7wQMdA= 
From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH v2 2/7] sbom-cve-check-update-db: Fix unpack removing other databases Date: Tue, 7 Apr 2026 22:02:21 +0100 Message-ID: <20260407210226.2375631-2-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260407210226.2375631-1-ross.burton@arm.com> References: <20260407210226.2375631-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Apr 2026 21:03:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234781 From: Benjamin Robin Previously, `UNPACKDIR` was set to `${SBOM_CVE_CHECK_DEPLOY_DB_DIR}`, which points to the `./databases/` directory and may contain multiple databases. Since `do_unpack` cleans the `${UNPACKDIR}` directory, `UNPACKDIR` must only contain a single database. To address this, set `UNPACKDIR` to `${SBOM_CVE_CHECK_DEPLOY_DB_DIR}/${SBOM_CVE_CHECK_DB_NAME}` and configure `destsuffix` to an empty string. However, it is currently not possible to set `BB_GIT_DEFAULT_DESTSUFFIX` to an empty string, so `destsuffix` is configured through the SRC_URI instead. Signed-off-by: Benjamin Robin Tested-by: Antonin Godard --- .../sbom-cve-check/sbom-cve-check-update-cvelist-native.bb | 2 +- .../sbom-cve-check/sbom-cve-check-update-db.inc | 3 +-- .../sbom-cve-check/sbom-cve-check-update-nvd-native.bb | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb index ce204db6c5..3387122165 100644 --- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb +++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-native.bb 
@@ -3,7 +3,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" HOMEPAGE = "https://github.com/CVEProject/cvelistV5" -SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https" +SRC_URI = "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https;destsuffix=" SBOM_CVE_CHECK_DB_NAME = "cvelist" # 2026-03-19_baseline diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc index a318e2c40e..7ada67363d 100644 --- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc +++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc @@ -15,6 +15,5 @@ deltask do_install deltask do_populate_sysroot # Directly unpack the fetched CVE database to the deploy directory. -UNPACKDIR = "${SBOM_CVE_CHECK_DEPLOY_DB_DIR}" +UNPACKDIR = "${SBOM_CVE_CHECK_DEPLOY_DB_DIR}/${SBOM_CVE_CHECK_DB_NAME}" S = "${UNPACKDIR}" -BB_GIT_DEFAULT_DESTSUFFIX = "${SBOM_CVE_CHECK_DB_NAME}" diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb index 30c7868b2a..c868ba09c1 100644 --- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb +++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb 
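Review bot: with `UNPACKDIR = "${SBOM_CVE_CHECK_DEPLOY_DB_DIR}/${SBOM_CVE_CHECK_DB_NAME}"` and the `BB_GIT_DEFAULT_DESTSUFFIX` line removed, every recipe that requires this .inc now has to carry `;destsuffix=` in its `SRC_URI`, otherwise the checkout lands in a subdirectory under `${UNPACKDIR}` and the `S = "${UNPACKDIR}"` assumption breaks; that contract currently lives only in the commit message. Extend the `# Directly unpack the fetched CVE database to the deploy directory.` comment to say that the per-database directory is the unpack dir (so `do_unpack` cleaning it removes only that database) and that recipes must set an empty `destsuffix` in `SRC_URI` because `BB_GIT_DEFAULT_DESTSUFFIX` cannot be empty.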
@@ -1,9 +1,9 @@ SUMMARY = "Updates the NVD CVE database" LICENSE = "cve-tou" -LIC_FILES_CHKSUM = "file://${SBOM_CVE_CHECK_DB_NAME}/LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb" +LIC_FILES_CHKSUM = "file://LICENSES/cve-tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb" HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-feeds" -SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https" +SRC_URI = "git://github.com/fkie-cad/nvd-json-data-feeds.git;branch=main;protocol=https;destsuffix=" SBOM_CVE_CHECK_DB_NAME = "nvd-fkie" # v2026.03.19-010002 From patchwork Tue Apr 7 21:02:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 85470 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF470FEEF55 for ; Tue, 7 Apr 2026 21:03:14 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.92009.1775595785215274849 for ; Tue, 07 Apr 2026 14:03:05 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=J5g5SJf9; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 06536353C for ; Tue, 7 Apr 2026 14:02:59 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 69DB63F7D8 for ; Tue, 7 Apr 2026 14:03:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1775595784; 
bh=5znjWh/AnddNerciQiOnFHuxW+kgZi7H8ApkGrIX7oc=; h=From:To:Subject:Date:In-Reply-To:References:From; b=J5g5SJf9QrfFX4SOBfZDR7AyMisG1u8OxNooSofGRQyNVZWuzpmyNn2Q1BfjeqZuY Q2OKivbFPbMVorKM4CAlMO8FYyWuz/yD0Ini8geVWpfJCvQMTeK7mlywvHUbdCFqSL GazD5NxU+5UTfqdCqp38cG+ql/b7mxpHguGl9cLM= From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH v2 3/7] sbom-cve-check-config.inc: move to meta/conf/ Date: Tue, 7 Apr 2026 22:02:22 +0100 Message-ID: <20260407210226.2375631-3-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260407210226.2375631-1-ross.burton@arm.com> References: <20260407210226.2375631-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Apr 2026 21:03:14 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234782 This file is used by classes and recipes, so it's best to put it into conf/ instead of alongside the recipe. Signed-off-by: Ross Burton --- meta/classes-recipe/sbom-cve-check.bbclass | 2 +- .../sbom-cve-check => conf}/sbom-cve-check-config.inc | 0 .../sbom-cve-check/sbom-cve-check-update-db.inc | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) rename meta/{recipes-devtools/sbom-cve-check => conf}/sbom-cve-check-config.inc (100%) diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass index 4abc427c58..0534833ebe 100644 --- a/meta/classes-recipe/sbom-cve-check.bbclass +++ b/meta/classes-recipe/sbom-cve-check.bbclass @@ -6,7 +6,7 @@ # Or it is possible to add this line in local.conf: # OE_FRAGMENTS += "core/yocto/sbom-cve-check" -require recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc +require conf/sbom-cve-check-config.inc SBOM_CVE_CHECK_DEPLOYDIR = "${WORKDIR}/sbom-cve-check/image-deploy" 
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc b/meta/conf/sbom-cve-check-config.inc similarity index 100% rename from meta/recipes-devtools/sbom-cve-check/sbom-cve-check-config.inc rename to meta/conf/sbom-cve-check-config.inc diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc index 7ada67363d..fbdc561e8c 100644 --- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc +++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc 
@@ -4,7 +4,7 @@ INHIBIT_DEFAULT_DEPS = "1" EXCLUDE_FROM_WORLD = "1" inherit native -require sbom-cve-check-config.inc +require conf/sbom-cve-check-config.inc SBOM_CVE_CHECK_DB_NAME[doc] = "Database name, which is the Git repository directory name. \ The git repository will be stored in ${SBOM_CVE_CHECK_DEPLOY_DB_DIR)/" From patchwork Tue Apr 7 21:02:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 85469 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5DBFE105D986 for ; Tue, 7 Apr 2026 21:03:16 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.92010.1775595785699574496 for ; Tue, 07 Apr 2026 14:03:05 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=bNUWylG0; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 93F81353C for ; Tue, 7 Apr 2026 14:02:59 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 016993F7D8 for ; Tue, 7 Apr 2026 14:03:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1775595785; bh=cw1VkFH4Y/eSbeEbWhOe7fAAh77LQp1tgQKf4txZA3M=; h=From:To:Subject:Date:In-Reply-To:References:From; b=bNUWylG0tj592uVnj3AsGeTJ2tuP3olGmOTepzQMZF4v7/UhipNEEnRt1pDIzPy2h 2JSF+p61VjQxen8CD1YQ6A67svu9aLYxvLECkSVwnDjq7oDBdBoxsBomwoMG+NKBL4 hl2evDgulIGDL31VS2pp6BICvJZb2dlUw2smhxEk= 
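Review bot: the context line directly below the changed `require` still reads `${SBOM_CVE_CHECK_DEPLOY_DB_DIR)/` with a closing parenthesis where the variable reference needs `}`; since this hunk already touches sbom-cve-check-update-db.inc, fix the `SBOM_CVE_CHECK_DB_NAME[doc]` string to `${SBOM_CVE_CHECK_DEPLOY_DB_DIR}/` here. It is only a doc flag so expansion is unaffected, but the rendered documentation is misleading as written.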
From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH v2 4/7] classes/sbom-cve-check: refactor do_sbom_cve_check Date: Tue, 7 Apr 2026 22:02:23 +0100 Message-ID: <20260407210226.2375631-4-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260407210226.2375631-1-ross.burton@arm.com> References: <20260407210226.2375631-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Apr 2026 21:03:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234783 Extract the bulk of the logic to a separate function, so the task just has to pass a few variables. Signed-off-by: Ross Burton --- meta/classes-recipe/sbom-cve-check.bbclass | 27 +++++++++++++--------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass index 0534833ebe..a24d34b896 100644 --- a/meta/classes-recipe/sbom-cve-check.bbclass +++ b/meta/classes-recipe/sbom-cve-check.bbclass 
@@ -43,28 +43,23 @@ SBOM_CVE_CHECK_EXPORT_SUMMARY[doc] = "Export configuration to generate a human-r SBOM_CVE_CHECK_EXPORT_SUMMARY[type] ?= "summary" SBOM_CVE_CHECK_EXPORT_SUMMARY[ext] ?= ".cve.txt" -python do_sbom_cve_check() { - """ - Task: Run sbom-cve-check analysis on SBOM. - """ + +def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None): import os import bb from oe.cve_check import update_symlinks if not bb.data.inherits_class("create-spdx-3.0", d): - bb.fatal("Cannot execute sbom-cve-check missing create-spdx-3.0 inherit.") + bb.fatal("Cannot execute sbom-cve-check: missing create-spdx-3.0 inherit.") - sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json") dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR") - deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR") - img_link_name = d.getVar("IMAGE_LINK_NAME") - img_name = d.getVar("IMAGE_NAME") + out_deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR") export_files = [] for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split(): export_ext = d.getVarFlag(export_var, "ext") - export_path = f"{deploy_dir}/{img_name}{export_ext}" - export_link = f"{deploy_dir}/{img_link_name}{export_ext}" + export_path = f"{out_deploy_dir}/{export_base_name}{export_ext}" + export_link = f"{out_deploy_dir}/{export_link_name}{export_ext}" if export_link_name else None export_type = d.getVarFlag(export_var, "type") export_files.append((export_type, export_path, export_link)) 
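Review bot: `run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None)` now takes the SBOM path from its caller but never checks that the file exists; because the tool invocation further down is wrapped in `except bb.process.ExecutionError` with `bb.error` and `return`, a missing or misnamed `sbom_path` surfaces only as a generic "sbom-cve-check failed" message. Now that the function is intended to be called with arbitrary paths by other classes, add `if not os.path.exists(sbom_path): bb.fatal(f"SBOM not found: {sbom_path}")` after the imports. The wording change on the `bb.fatal("Cannot execute sbom-cve-check: missing create-spdx-3.0 inherit.")` line is an unrelated drive-by; fine to keep, but mention it in the commit message.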
@@ -96,6 +91,16 @@ python do_sbom_cve_check() { bb.note(f"sbom-cve-check exported: {export_file}") if export_link: update_symlinks(export_file, export_link) + + +python do_sbom_cve_check() { + """ + Task: Run sbom-cve-check analysis on SBOM. + """ + sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.spdx.json") + image_name = d.getVar("IMAGE_NAME") + link_name = d.getVar("IMAGE_LINK_NAME") + run_sbom_cve_check(d, sbom_path, image_name, link_name) } addtask do_sbom_cve_check after do_create_image_sbom_spdx before do_build From patchwork Tue Apr 7 21:02:24 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 85471 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6B967105D988 for ; Tue, 7 Apr 2026 21:03:16 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.92011.1775595786318526239 for ; Tue, 07 Apr 2026 14:03:06 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=SFeF8LaU; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 2714C353C for ; Tue, 7 Apr 2026 14:03:00 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 8CFF73F7D8 for ; Tue, 7 Apr 2026 14:03:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1775595785; bh=tm6rYgLTnTClL5VG48x4S6WJNMZx3ryuiezooRnN34c=; 
h=From:To:Subject:Date:In-Reply-To:References:From; b=SFeF8LaUwwxQsjBU2o22EW/f703RTjBdha9ZHGEeRui+R2XlPA31TYDW/pUzckIyg NhhOVqM3lLsQ4iMuUS6gVS3O7tXT4jYRcDlt9lbg8BH5tGeWk1CMLlXpCfMFPTLKET +bD5fwC+a1x26EYpZLfcIRcYTTIUV77mOUUDY0wI= From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH v2 5/7] classes/sbom-cve-check: extract the database dependencies to a variable Date: Tue, 7 Apr 2026 22:02:24 +0100 Message-ID: <20260407210226.2375631-5-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260407210226.2375631-1-ross.burton@arm.com> References: <20260407210226.2375631-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Apr 2026 21:03:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234784 This tidies up the dependencies, allowing for future tasks that will need the same dependencies. Signed-off-by: Ross Burton --- meta/classes-recipe/sbom-cve-check.bbclass | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass index a24d34b896..c861a7965f 100644 --- a/meta/classes-recipe/sbom-cve-check.bbclass +++ b/meta/classes-recipe/sbom-cve-check.bbclass @@ -43,6 +43,10 @@ SBOM_CVE_CHECK_EXPORT_SUMMARY[doc] = "Export configuration to generate a human-r SBOM_CVE_CHECK_EXPORT_SUMMARY[type] ?= "summary" SBOM_CVE_CHECK_EXPORT_SUMMARY[ext] ?= ".cve.txt" +SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES ?= " \ + sbom-cve-check-update-cvelist-native:do_patch \ + sbom-cve-check-update-nvd-native:do_patch \ +" def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None): import os 
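Review bot: `SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES` is introduced without a `[doc]` flag, unlike every neighbouring `SBOM_CVE_CHECK_*` variable in this hunk's context. Since the commit message says further tasks will consume it and the `?=` default means a distro or layer can silently replace the whole database set, add something like `SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES[doc] = "Task dependencies that make the CVE databases available under SBOM_CVE_CHECK_DEPLOY_DB_DIR before the scan runs; entries must be of the form <recipe>:do_patch."` so overriders know which task to name.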
@@ -111,8 +115,7 @@ do_sbom_cve_check[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}" do_sbom_cve_check[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}" do_sbom_cve_check[depends] += " \ python3-sbom-cve-check-native:do_populate_sysroot \ - sbom-cve-check-update-cvelist-native:do_patch \ - sbom-cve-check-update-nvd-native:do_patch \ + ${SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES} \ " python do_sbom_cve_check_setscene() { From patchwork Tue Apr 7 21:02:25 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 85472 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7DC69105D98A for ; Tue, 7 Apr 2026 21:03:16 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.92012.1775595786882766928 for ; Tue, 07 Apr 2026 14:03:07 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=Ldtr1fXt; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B6694353C for ; Tue, 7 Apr 2026 14:03:00 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 24EAA3F7D8 for ; Tue, 7 Apr 2026 14:03:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1775595786; bh=chD1RUaqMszHl1o44dvkeveGqrI4rhO93VUbugXT8qI=; h=From:To:Subject:Date:In-Reply-To:References:From; b=Ldtr1fXtlPUtNcz0uSf/AYLhUjbJtMm7/02fxx0Nq7TbtACYwLzX8pv39x+R98XMD 
SAJfl4GVpvsUxfX1Ae1DcxP6w8jEBW6lLuHJdwqcUnzmP0LrYOvEipegQcI1diHopu T6BXxizs+XgXFwCseMT2f04cZS6mfRf7nDVRCwFo= From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH v2 6/7] classes/sbom-cve-check: extract common functionality to a -common.bbclass Date: Tue, 7 Apr 2026 22:02:25 +0100 Message-ID: <20260407210226.2375631-6-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260407210226.2375631-1-ross.burton@arm.com> References: <20260407210226.2375631-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Apr 2026 21:03:16 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234785 Extract the common configuration variables and run_sbom_cve_check() that actually invokes sbom-cve-check to a separate class, so that other classes that are not tied to image generation can use the same logic. No code changes, just movement. Signed-off-by: Ross Burton --- meta/classes-recipe/sbom-cve-check.bbclass | 93 +-------------------- meta/classes/sbom-cve-check-common.bbclass | 95 ++++++++++++++++++++++ 2 files changed, 98 insertions(+), 90 deletions(-) create mode 100644 meta/classes/sbom-cve-check-common.bbclass diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass index c861a7965f..fe145a2212 100644 --- a/meta/classes-recipe/sbom-cve-check.bbclass +++ b/meta/classes-recipe/sbom-cve-check.bbclass 
@@ -1,101 +1,14 @@ # SPDX-License-Identifier: MIT +# Perform CVE analysis on image SBOMs using sbom-cve-check. +# # It is recommended to enable this class through the sbom-cve-check fragment: # bitbake-config-build enable-fragment core/yocto/sbom-cve-check # # Or it is possible to add this line in local.conf: # OE_FRAGMENTS += "core/yocto/sbom-cve-check" -require conf/sbom-cve-check-config.inc - -SBOM_CVE_CHECK_DEPLOYDIR = "${WORKDIR}/sbom-cve-check/image-deploy" - -SBOM_CVE_CHECK_EXTRA_ARGS[doc] = "Allow to specify extra arguments to sbom-cve-check. \ - For example to add export flags for filtering (e.g., only export vulnerable CVEs). \ -" -SBOM_CVE_CHECK_EXTRA_ARGS ??= "" - -SBOM_CVE_CHECK_EXPORT_VARS[doc] = "List of variables that declare export files to generate. \ - Each variable must have a 'type' and an 'ext' flag set. \ - The 'type' flag contains the value that is passed to the --export-type command flags. \ - The 'ext' flag contains the filename extension (suffix). The output filename is going \ - to be ${IMAGE_NAME}${ext} \ -" -SBOM_CVE_CHECK_EXPORT_VARS ?= "SBOM_CVE_CHECK_EXPORT_SPDX3 SBOM_CVE_CHECK_EXPORT_CVECHECK" - -SBOM_CVE_CHECK_EXPORT_SPDX3[doc] = "Export configuration to generate an SPDX3 SBOM file, \ - with the following name: ${IMAGE_NAME}.sbom-cve-check.spdx.json \ -" -SBOM_CVE_CHECK_EXPORT_SPDX3[type] ?= "spdx3" -SBOM_CVE_CHECK_EXPORT_SPDX3[ext] ?= ".sbom-cve-check.spdx.json" - -SBOM_CVE_CHECK_EXPORT_CVECHECK[doc] = "Export configuration to generate a JSON manifest \ - in the same format as the cve-check class, with the following name: \ - ${IMAGE_NAME}.sbom-cve-check.json \ -" -SBOM_CVE_CHECK_EXPORT_CVECHECK[type] ?= "yocto-cve-check-manifest" -SBOM_CVE_CHECK_EXPORT_CVECHECK[ext] ?= ".sbom-cve-check.yocto.json" - -SBOM_CVE_CHECK_EXPORT_SUMMARY[doc] = "Export configuration to generate a human-readable \ - summary report, with the following name: \ - ${IMAGE_NAME}.cve.txt \ -" -SBOM_CVE_CHECK_EXPORT_SUMMARY[type] ?= "summary" 
-SBOM_CVE_CHECK_EXPORT_SUMMARY[ext] ?= ".cve.txt" - -SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES ?= " \ - sbom-cve-check-update-cvelist-native:do_patch \ - sbom-cve-check-update-nvd-native:do_patch \ -" - -def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None): - import os - import bb - from oe.cve_check import update_symlinks - - if not bb.data.inherits_class("create-spdx-3.0", d): - bb.fatal("Cannot execute sbom-cve-check: missing create-spdx-3.0 inherit.") - - dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR") - out_deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR") - - export_files = [] - for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split(): - export_ext = d.getVarFlag(export_var, "ext") - export_path = f"{out_deploy_dir}/{export_base_name}{export_ext}" - export_link = f"{out_deploy_dir}/{export_link_name}{export_ext}" if export_link_name else None - export_type = d.getVarFlag(export_var, "type") - export_files.append((export_type, export_path, export_link)) - - cmd_env = os.environ.copy() - cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = dl_db_dir - - cmd_args = [ - d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"), - "--sbom-path", - sbom_path, - "--disable-auto-updates" - ] - - for export_type, export_file, export_link in export_files: - cmd_args.extend( - ["--export-type", export_type, "--export-path", export_file] - ) - - cmd_args.extend(d.getVar("SBOM_CVE_CHECK_EXTRA_ARGS").split()) - - try: - bb.note("Running: {}".format(" ".join(cmd_args))) - bb.process.run(cmd_args, env=cmd_env) - except bb.process.ExecutionError as e: - bb.error(f"sbom-cve-check failed: {e}") - return - - for export_type, export_file, export_link in export_files: - bb.note(f"sbom-cve-check exported: {export_file}") - if export_link: - update_symlinks(export_file, export_link) - +inherit sbom-cve-check-common python do_sbom_cve_check() { """ 
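Review bot: the `[doc]` strings being moved verbatim into sbom-cve-check-common.bbclass still describe the outputs as `${IMAGE_NAME}${ext}` and the deploy directory keeps the name `${WORKDIR}/sbom-cve-check/image-deploy`, while the purpose of the move (and of patch 7/7) is reuse outside image generation; `run_sbom_cve_check` already derives the filename from `export_base_name`, so reword those doc flags in terms of the base name passed to the function, or state that `IMAGE_NAME` applies to the image class only. The added header line `+# Perform CVE analysis on image SBOMs using sbom-cve-check.` is a useful comment but contradicts "No code changes, just movement" in the commit message; mention it there.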
diff --git a/meta/classes/sbom-cve-check-common.bbclass b/meta/classes/sbom-cve-check-common.bbclass new file mode 100644 index 0000000000..3db189d60d --- /dev/null +++ b/meta/classes/sbom-cve-check-common.bbclass 
@@ -0,0 +1,95 @@ +# SPDX-License-Identifier: MIT + +# Common functionality for the sbom-cve-check classes. + +require conf/sbom-cve-check-config.inc + +SBOM_CVE_CHECK_DEPLOYDIR = "${WORKDIR}/sbom-cve-check/image-deploy" + +SBOM_CVE_CHECK_EXTRA_ARGS[doc] = "Allow to specify extra arguments to sbom-cve-check. \ + For example to add export flags for filtering (e.g., only export vulnerable CVEs). \ +" +SBOM_CVE_CHECK_EXTRA_ARGS ??= "" + +SBOM_CVE_CHECK_EXPORT_VARS[doc] = "List of variables that declare export files to generate. \ + Each variable must have a 'type' and an 'ext' flag set. \ + The 'type' flag contains the value that is passed to the --export-type command flags. \ + The 'ext' flag contains the filename extension (suffix). The output filename is going \ + to be ${IMAGE_NAME}${ext} \ +" +SBOM_CVE_CHECK_EXPORT_VARS ?= "SBOM_CVE_CHECK_EXPORT_SPDX3 SBOM_CVE_CHECK_EXPORT_CVECHECK" + +SBOM_CVE_CHECK_EXPORT_SPDX3[doc] = "Export configuration to generate an SPDX3 SBOM file, \ + with the following name: ${IMAGE_NAME}.sbom-cve-check.spdx.json \ +" +SBOM_CVE_CHECK_EXPORT_SPDX3[type] ?= "spdx3" +SBOM_CVE_CHECK_EXPORT_SPDX3[ext] ?= ".sbom-cve-check.spdx.json" + +SBOM_CVE_CHECK_EXPORT_CVECHECK[doc] = "Export configuration to generate a JSON manifest \ + in the same format as the cve-check class, with the following name: \ + ${IMAGE_NAME}.sbom-cve-check.json \ +" +SBOM_CVE_CHECK_EXPORT_CVECHECK[type] ?= "yocto-cve-check-manifest" +SBOM_CVE_CHECK_EXPORT_CVECHECK[ext] ?= ".sbom-cve-check.yocto.json" + +SBOM_CVE_CHECK_EXPORT_SUMMARY[doc] = "Export configuration to generate a human-readable \ + summary report, with the following name: \ + ${IMAGE_NAME}.cve.txt \ +" +SBOM_CVE_CHECK_EXPORT_SUMMARY[type] ?= "summary" +SBOM_CVE_CHECK_EXPORT_SUMMARY[ext] ?= ".cve.txt" + +SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES ?= " \ + sbom-cve-check-update-cvelist-native:do_patch \ + sbom-cve-check-update-nvd-native:do_patch \ +" + +def run_sbom_cve_check(d, sbom_path, export_base_name, 
export_link_name=None): + import os + import bb + from oe.cve_check import update_symlinks + + if not bb.data.inherits_class("create-spdx-3.0", d): + bb.fatal("Cannot execute sbom-cve-check: missing create-spdx-3.0 inherit.") + + dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR") + out_deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR") + + export_files = [] + for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split(): + export_ext = d.getVarFlag(export_var, "ext") + export_path = f"{out_deploy_dir}/{export_base_name}{export_ext}" + export_link = f"{out_deploy_dir}/{export_link_name}{export_ext}" if export_link_name else None + export_type = d.getVarFlag(export_var, "type") + export_files.append((export_type, export_path, export_link)) + + cmd_env = os.environ.copy() + cmd_env["SBOM_CVE_CHECK_DATABASES_DIR"] = dl_db_dir + + cmd_args = [ + d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"), + "--sbom-path", + sbom_path, + "--disable-auto-updates" + ] + + for export_type, export_file, export_link in export_files: + cmd_args.extend( + ["--export-type", export_type, "--export-path", export_file] + ) + + cmd_args.extend(d.getVar("SBOM_CVE_CHECK_EXTRA_ARGS").split()) + + try: + bb.note("Running: {}".format(" ".join(cmd_args))) + bb.process.run(cmd_args, env=cmd_env) + except bb.process.ExecutionError as e: + bb.error(f"sbom-cve-check failed: {e}") + return + + for export_type, export_file, export_link in export_files: + bb.note(f"sbom-cve-check exported: {export_file}") + if export_link: + update_symlinks(export_file, export_link) + + From patchwork Tue Apr 7 21:02:26 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 85467 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) 
From: Ross Burton
To: openembedded-core@lists.openembedded.org
Subject: [PATCH v2 7/7] classes/sbom-cve-check-recipe: add recipe-scanning class
Date: Tue, 7 Apr 2026 22:02:26 +0100
Message-ID: <20260407210226.2375631-7-ross.burton@arm.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260407210226.2375631-1-ross.burton@arm.com>
References: <20260407210226.2375631-1-ross.burton@arm.com>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Apr 2026 21:03:14 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234786

Add a second sbom-cve-check class that scans the recipe-SBOM, unlike sbom-cve-check.bbclass which scans specifically an image's SBOM.

In most cases, image-derived SBOM scanning is preferred as this is able to analyse the actual content of the image, e.g. reporting just the kernel issues that have actually been compiled into the image (for linux-yocto 6.18.19, this reduces the CVE count from 108 to 52).

However, for metrics or other specific purposes it might be useful to scan a recipe-SPDX, so add a class that can do this.

Signed-off-by: Ross Burton
---
 meta/classes/sbom-cve-check-recipe.bbclass | 35 ++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 meta/classes/sbom-cve-check-recipe.bbclass

diff --git a/meta/classes/sbom-cve-check-recipe.bbclass b/meta/classes/sbom-cve-check-recipe.bbclass
new file mode 100644
index 0000000000..904ce57f5c
--- /dev/null
+++ b/meta/classes/sbom-cve-check-recipe.bbclass
@@ -0,0 +1,35 @@ +# SPDX-License-Identifier: MIT + +# Perform CVE analysis on recipe SBOMs using sbom-cve-check. +# +# This will analyse the entire SBOM for the recipe, so the recipe itself and +# all of the dependencies. It is expected that for most purposes +# sbom-cve-check.bbclass is preferred as that will analyse what is deployed +# in an image. + +inherit sbom-cve-check-common + +python do_sbom_cve_check_recipe() { + """ + Task: Run sbom-cve-check analysis on a recipe SBOM. + """ + sbom_path = d.expand("${DEPLOY_DIR_IMAGE}/${SPDX_RECIPE_SBOM_NAME}.spdx.json") + recipe = d.getVar("SPDX_RECIPE_SBOM_NAME") + run_sbom_cve_check(d, sbom_path, recipe) +} + +addtask do_sbom_cve_check_recipe after do_create_recipe_sbom + +SSTATETASKS += "do_sbom_cve_check_recipe" +do_sbom_cve_check_recipe[cleandirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}" +do_sbom_cve_check_recipe[sstate-inputdirs] = "${SBOM_CVE_CHECK_DEPLOYDIR}" +do_sbom_cve_check_recipe[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}" +do_sbom_cve_check_recipe[depends] += " \ + python3-sbom-cve-check-native:do_populate_sysroot \ + ${SBOM_CVE_CHECK_UPDATE_DB_DEPENDENCIES} \ +" + +python do_sbom_cve_check_recipe_setscene() { + sstate_setscene(d) +} +addtask do_sbom_cve_check_recipe_setscene
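Review bot: `addtask do_sbom_cve_check_recipe after do_create_recipe_sbom` carries no `before` clause, so nothing schedules the task in an ordinary build and it only runs when requested explicitly (for example `bitbake -c sbom_cve_check_recipe <recipe>`); if that is the intended "metrics or other specific purposes" usage from the commit message, the header comment at the top of the class should say how to invoke it, otherwise add a `before do_build` (or similar) ordering so the scan actually happens. The header comment would also be the place to note that the exports are named from `${SPDX_RECIPE_SBOM_NAME}` and land in `${DEPLOY_DIR_IMAGE}` via `sstate-outputdirs`, since a user looking for the recipe report has no other hint of where it goes.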