From patchwork Thu Apr 9 16:26:20 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 85709 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AEF38E98FDF for ; Thu, 9 Apr 2026 16:26:28 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.136574.1775751987740644341 for ; Thu, 09 Apr 2026 09:26:27 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=VZFbxM/R; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 560271C25 for ; Thu, 9 Apr 2026 09:26:21 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id A22D83F641 for ; Thu, 9 Apr 2026 09:26:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1775751987; bh=LToq4hTh/XYHC8zvAoOivn3Nwr8FlzxypPBPKoADnw8=; h=From:To:Subject:Date:From; b=VZFbxM/R8Wn2ICK4HRQzgg6C+yrlvdtZv0eceXDv8v6YqmIDk4mgq2xpDYrjbWjZd nlPB5JS2F7tzLEpNbU5Q+5AxtxChzwLxrg9M9PiO8RB5g0SEg1QNeKHvFzSTVfMBsa cWuhVf1ZvwxSw1wZexVv3Zxhxs1L0ITWIXn6+RI0= From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH 1/3] python3-sbom-cve-check: move from devtools/python to devtools/sbom-cve-check Date: Thu, 9 Apr 2026 17:26:20 +0100 Message-ID: <20260409162622.3307731-1-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Apr 2026 16:26:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234934 Move the tool recipe from the catch-all python/ directory to be alongside the recipes that fetch the databases for the tool. Signed-off-by: Ross Burton --- .../{python => sbom-cve-check}/python3-sbom-cve-check_1.2.0.bb | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename meta/recipes-devtools/{python => sbom-cve-check}/python3-sbom-cve-check_1.2.0.bb (100%) diff --git a/meta/recipes-devtools/python/python3-sbom-cve-check_1.2.0.bb b/meta/recipes-devtools/sbom-cve-check/python3-sbom-cve-check_1.2.0.bb similarity index 100% rename from meta/recipes-devtools/python/python3-sbom-cve-check_1.2.0.bb rename to meta/recipes-devtools/sbom-cve-check/python3-sbom-cve-check_1.2.0.bb From patchwork Thu Apr 9 16:26:21 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 85708 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BD11BEA3C4E for ; Thu, 9 Apr 2026 16:26:28 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.136575.1775751988159787124 for ; Thu, 09 Apr 2026 09:26:28 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=mLc4tma7; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 079A31E2F for ; Thu, 9 Apr 2026 09:26:22 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 5D6663F641 for ; Thu, 9 Apr 2026 09:26:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1775751987; bh=2GQS1AtY/i9GkvkfOAiH7cnrxiu+ioQBILZPeurLkEc=; h=From:To:Subject:Date:In-Reply-To:References:From; b=mLc4tma76zldmriXgzNH1Ux4k38e2Z/q/D3DPpnqt3A7vz5LB/X5P0dx5VRzoG2R6 7C2c5Mr7NGiSYRv0Uug414DH4qIAkPHPlTzuA5tFgFrOJ1/osyqBOBST9Mhb0tgpRz pSaJ/hkuGRCaz+kvpNs95myOgao5F9oRpObgzJy4= From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH 2/3] python3-sbom-cve-check: fix the version attribute in the Yocto-style JSON Date: Thu, 9 Apr 2026 17:26:21 +0100 Message-ID: <20260409162622.3307731-2-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260409162622.3307731-1-ross.burton@arm.com> References: <20260409162622.3307731-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Apr 2026 16:26:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234935 The type of the version was an integer, but it should be a string. Signed-off-by: Ross Burton --- ...-correct-type-for-the-version-attrib.patch | 31 +++++++++++++++++++ .../python3-sbom-cve-check_1.2.0.bb | 2 ++ 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-devtools/sbom-cve-check/files/0001-export_yocto-use-correct-type-for-the-version-attrib.patch diff --git a/meta/recipes-devtools/sbom-cve-check/files/0001-export_yocto-use-correct-type-for-the-version-attrib.patch b/meta/recipes-devtools/sbom-cve-check/files/0001-export_yocto-use-correct-type-for-the-version-attrib.patch new file mode 100644 index 00000000000..392f0b99ea7 --- /dev/null +++ b/meta/recipes-devtools/sbom-cve-check/files/0001-export_yocto-use-correct-type-for-the-version-attrib.patch @@ -0,0 +1,31 @@ +From 1a5ae49c520d3569ed12f0c6373b4223d428f92b Mon Sep 17 00:00:00 2001 +From: Ross Burton +Date: Thu, 9 Apr 2026 11:55:19 +0100 +Subject: [PATCH] export_yocto: use correct type for the version attribute + +This should be a string, not an integer: + +https://git.openembedded.org/openembedded-core/tree/meta/classes/cve-check.bbclass?h=yocto-5.2.4#n235 + +Upstream-Status: Backport +Signed-off-by: Ross Burton +--- + src/sbom_cve_check/export/export_yocto.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sbom_cve_check/export/export_yocto.py b/src/sbom_cve_check/export/export_yocto.py +index c8261f4..78d72c0 100644 +--- a/src/sbom_cve_check/export/export_yocto.py ++++ b/src/sbom_cve_check/export/export_yocto.py +@@ -172,7 +172,7 @@ class YoctoCveCheckExport(BaseExport): + :return: Generator context. + """ + yield +- json_obj = {"version": 1, "package": self._packages} ++ json_obj = {"version": "1", "package": self._packages} + with self._open_output_as_text() as f: + json.dump(json_obj, f, indent=2) + +-- +2.43.0 + diff --git a/meta/recipes-devtools/sbom-cve-check/python3-sbom-cve-check_1.2.0.bb b/meta/recipes-devtools/sbom-cve-check/python3-sbom-cve-check_1.2.0.bb index 070e8789713..2a09d8ea4c3 100644 --- a/meta/recipes-devtools/sbom-cve-check/python3-sbom-cve-check_1.2.0.bb +++ b/meta/recipes-devtools/sbom-cve-check/python3-sbom-cve-check_1.2.0.bb @@ -7,6 +7,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=570a9b3749dd0463a1778803b12a6dce" PYPI_PACKAGE = "sbom_cve_check" SRC_URI[sha256sum] = "0b01474c541fb4b9d29d36f86fae6d0f27ff2b991fcb59b2fbeb70c1eaa09664" +SRC_URI += "file://0001-export_yocto-use-correct-type-for-the-version-attrib.patch" + inherit pypi python_hatchling RDEPENDS:${PN} += " \ From patchwork Thu Apr 9 16:26:22 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 85710 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 993A0EA3C4E for ; Thu, 9 Apr 2026 16:26:38 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.136576.1775751988830639898 for ; Thu, 09 Apr 2026 09:26:28 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=Hj6HYmbv; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id A94E61C25 for ; Thu, 9 Apr 2026 09:26:22 -0700 (PDT) Received: from cesw-amp-gbt-1s-m12830-04.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 0E9A83F641 for ; Thu, 9 Apr 2026 09:26:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1775751988; bh=OlEmW7jzJals1XFIEB1Tg4p9uiLV8ZucmBoHsZSE8cA=; h=From:To:Subject:Date:In-Reply-To:References:From; b=Hj6HYmbv76athivj9CicbRDHJvXrv1ropHpKYaBO/8EMUQrCX13dLd6bC36hwehJo gQ4ANtQa8J+EOmPxlKR0uWdURY9mrOff0jeoeaZXIWaErbFM9H9WG87Cu8X8Qa82AU tqNd9oj9+eyLXN1xXSTdQfq/Alck9g42IPTIwP9M= From: Ross Burton To: openembedded-core@lists.openembedded.org Subject: [PATCH 3/3] classes/sbom-cve-check: add variable to control the scope of the CVE scan Date: Thu, 9 Apr 2026 17:26:22 +0100 Message-ID: <20260409162622.3307731-3-ross.burton@arm.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260409162622.3307731-1-ross.burton@arm.com> References: <20260409162622.3307731-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 09 Apr 2026 16:26:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/234936 Unless told otherwise, sbom-cve-check will only report on issues found in target recipes. Whilst this is the behaviour we want for image-based scanning, it's not the designed bevhaviour for recipe-based scanning. Add a new variable SBOM_CVE_CHECK_SCAN_SCOPE that is used as the value passed with --export-process-native. Default this to "target" so the normal behaviour is unchanged, but set it to "both" in the sbom-cve-check-recipe class. [1] https://sbom-cve-check.readthedocs.io/en/latest/export.html#export-options Signed-off-by: Ross Burton --- meta/classes/sbom-cve-check-common.bbclass | 9 ++++++++- meta/classes/sbom-cve-check-recipe.bbclass | 3 +++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/meta/classes/sbom-cve-check-common.bbclass b/meta/classes/sbom-cve-check-common.bbclass index 3db189d60de..6963ad71c61 100644 --- a/meta/classes/sbom-cve-check-common.bbclass +++ b/meta/classes/sbom-cve-check-common.bbclass @@ -6,6 +6,10 @@ require conf/sbom-cve-check-config.inc SBOM_CVE_CHECK_DEPLOYDIR = "${WORKDIR}/sbom-cve-check/image-deploy" +SBOM_CVE_CHECK_SCAN_SCOPE ?= "target" +SBOM_CVE_CHECK_SCAN_SCOPE[doc] = "Whether to scan target and native, just target, or just native. \ + Valid values are both, target, native." + SBOM_CVE_CHECK_EXTRA_ARGS[doc] = "Allow to specify extra arguments to sbom-cve-check. \ For example to add export flags for filtering (e.g., only export vulnerable CVEs). \ " @@ -54,6 +58,7 @@ def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None): dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR") out_deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR") + scan_scope = d.getVar("SBOM_CVE_CHECK_SCAN_SCOPE") export_files = [] for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split(): @@ -70,7 +75,9 @@ def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None): d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"), "--sbom-path", sbom_path, - "--disable-auto-updates" + "--disable-auto-updates", + "--export-process-native", + scan_scope, ] for export_type, export_file, export_link in export_files: diff --git a/meta/classes/sbom-cve-check-recipe.bbclass b/meta/classes/sbom-cve-check-recipe.bbclass index 904ce57f5cc..c80b8ac83ff 100644 --- a/meta/classes/sbom-cve-check-recipe.bbclass +++ b/meta/classes/sbom-cve-check-recipe.bbclass @@ -9,6 +9,9 @@ inherit sbom-cve-check-common +# Recipe-based scanning should cover both target and native components. +SBOM_CVE_CHECK_SCAN_SCOPE = "both" + python do_sbom_cve_check_recipe() { """ Task: Run sbom-cve-check analysis on a recipe SBOM.