Execute `sbom-cve-check` with the generated VEX manifest only if enabled and if `SPDX_INCLUDE_VEX` is set to a value other than "all". When `SPDX_INCLUDE_VEX=all`, the SPDX 3.0 file already contains all the necessary information for CVE analysis, making the VEX manifest redundant.
Signed-off-by: Benjamin Robin <[email protected]>
---
 meta/classes-recipe/sbom-cve-check.bbclass | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/meta/classes-recipe/sbom-cve-check.bbclass b/meta/classes-recipe/sbom-cve-check.bbclass
index 2ab29001008a..3709fa98d97e 100644
--- a/meta/classes-recipe/sbom-cve-check.bbclass
+++ b/meta/classes-recipe/sbom-cve-check.bbclass
@@ -41,8 +41,6 @@ python do_sbom_cve_check() {
     import bb
     from oe.cve_check import update_symlinks
 
-    if not bb.data.inherits_class("vex", d):
-        bb.fatal("Cannot execute sbom-cve-check missing vex inherit.")
     if not bb.data.inherits_class("create-spdx-3.0", d):
         bb.fatal("Cannot execute sbom-cve-check missing create-spdx-3.0 inherit.")
 
@@ -68,10 +66,14 @@ python do_sbom_cve_check() {
         d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"),
         "--sbom-path",
         sbom_path,
-        "--yocto-vex-manifest",
-        vex_manifest_path,
     ]
 
+    # Assume that SPDX_INCLUDE_VEX is set globally to "all", and not only for the
+    # image recipe, which is very unlikely. This is not an issue to include the
+    # VEX manifest even if not needed.
+    if bb.data.inherits_class("vex", d) and d.getVar("SPDX_INCLUDE_VEX") != "all":
+        cmd_args.extend(["--yocto-vex-manifest", vex_manifest_path])
+
     for export_file in export_files:
         cmd_args.extend(
             ["--export-type", export_file[0], "--export-path", export_file[1]]
-- 
2.53.0
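Review bot: With the `vex` inherit check removed in the first hunk, the new condition in the second hunk lets the check run with no VEX input at all when `vex` is not inherited and `SPDX_INCLUDE_VEX` is not "all": the manifest flag is skipped and, if I read the commit message right, the SPDX file only carries VEX statements in the "all" case, so patched/ignored status would be silently absent from the CVE result. An `else` branch such as `bb.warn("sbom-cve-check: no VEX data available (vex not inherited and SPDX_INCLUDE_VEX != 'all'); reported CVE status will not reflect patches or ignores")` would make that degraded mode visible in the build log. The new comment is also hard to follow; I would reword it as `# SPDX_INCLUDE_VEX is assumed to be set globally. If it is "all" only for the image recipe, the manifest is passed redundantly, which is harmless.` Note that do_sbom_cve_check starts and ends outside both hunks, so where `vex_manifest_path` is computed when `vex` is not inherited is not visible here.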
