On Thu, Mar 19, 2026 at 4:42 PM Benjamin Robin <[email protected]>
wrote:
> By default, the sbom-cve-check class generates these export files:
> - A JSON in `cve-check` format, named `${IMAGE_NAME}.cve-check.json`
> - An SPDX 3.0 SBOM, named `${IMAGE_NAME}.cve-check.spdx.json`.
>
> A user can add or remove export file formats by using the
> `SBOM_CVE_CHECK_EXPORT_VARS` variable.
>
> By default, the CVE databases are downloaded using the following
> recipes:
> - sbom-cve-check-update-cvelist-native.bb
> - sbom-cve-check-update-nvd-native.bb
>
> The database fetch and deploy logic is implemented in
> sbom-cve-check-update-db.inc. The CVE databases are stored in the
> download directory (`DL_DIR`) by default. This can be configured by
> the `SBOM_CVE_CHECK_DATABASES_DIR` variable defined in
> meta/recipes-core/meta/sbom-cve-check-config.inc.
>
> The CVE git databases are fetched using the Bitbake fetcher. Currently,
> the Bitbake fetcher does not support a shallow clone that can be updated.
> While `BB_GIT_SHALLOW` exists, it creates multiple tarballs in the
> download directory, which is inefficient for updates. For now, the git
> database is fully fetched.
>
> The `SRCREV` of the git database is set to a fixed version. A user can
> override this by specifying any other version, or `AUTOREV` can be
> specified.
>
> To simplify the activation and configuration of sbom-cve-check, a
> configuration fragment is provided with recommended default values.
>
> `sbom-cve-check` is configured to run without requiring network access.
> If a user needs network access during execution (e.g., to download
> annotation databases), they can set `SBOM_CVE_CHECK_ALLOW_NETWORK`
> to "1".
>
> The CVE analysis runs only if either the original SBOM changes or the
> CVE databases are updated. In the two CVE database-fetching recipes, a
> file in the sysroot is written, containing the Git revision of the
> fetched CVE database.
>
> `sbom-cve-check` is executed with the generated VEX manifest only if
> enabled and if `SPDX_INCLUDE_VEX` is set to a value other than "all".
> When `SPDX_INCLUDE_VEX=all`, the SPDX 3.0 file already contains all the
> necessary information for CVE analysis, making the VEX manifest
> redundant.
>
> Signed-off-by: Benjamin Robin <[email protected]>
> ---
> meta/classes-recipe/sbom-cve-check.bbclass | 121 +++++++++++++++++++++
> meta/conf/distro/include/maintainers.inc | 2 +
> meta/conf/fragments/yocto/sbom-cve-check.conf | 14 +++
> meta/recipes-core/meta/sbom-cve-check-config.inc | 4 +
> .../meta/sbom-cve-check-update-cvelist-native.bb | 12 ++
> .../recipes-core/meta/sbom-cve-check-update-db.inc | 28 +++++
> .../meta/sbom-cve-check-update-nvd-native.bb | 12 ++
> 7 files changed, 193 insertions(+)
>
>
Hello,
That looks cleaner than the previous version. How long does the initial
build take with this fetcher?
Kind regards,
Marta
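The quoted commit message says the class exports a JSON file in `cve-check` format alongside the SPDX 3.0 SBOM. The following is an added example, not code from the patch or from oe-core: a small consumer of that export that counts findings by status and lists unpatched CVEs at or above a CVSS threshold, treating entries without a usable score as "unknown severity" rather than silently passing them. The JSON layout (top-level `version`/`package`, per-package `issue` list with `id`, `status`, `scorev2`/`scorev3`/`scorev4`) is assumed from the existing cve-check output format; the sample document and its CVE identifiers are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample in the cve-check JSON layout (layout assumed from the
# existing cve-check.bbclass output; CVE ids and versions are placeholders).
SAMPLE_CVE_CHECK_JSON = """
{
  "version": "1",
  "package": [
    {
      "name": "zlib", "layer": "meta", "version": "1.3.1",
      "products": [{"product": "zlib", "cvesInRecord": "Yes"}],
      "issue": [
        {"id": "CVE-0000-1001", "status": "Patched",   "scorev3": "7.5"},
        {"id": "CVE-0000-1002", "status": "Unpatched", "scorev3": "9.8"}
      ]
    },
    {
      "name": "busybox", "layer": "meta", "version": "1.37.0",
      "products": [{"product": "busybox", "cvesInRecord": "Yes"}],
      "issue": [
        {"id": "CVE-0000-2001", "status": "Ignored",   "scorev3": "5.5"},
        {"id": "CVE-0000-2002", "status": "Unpatched", "scorev3": "4.3"},
        {"id": "CVE-0000-2003", "status": "Unpatched", "scorev3": ""}
      ]
    }
  ]
}
"""


def load_cve_check(text):
    """Parse a cve-check JSON document and return its package list."""
    data = json.loads(text)
    if data.get("version") != "1":
        raise ValueError("unsupported cve-check JSON version: %r" % data.get("version"))
    return data["package"]


def highest_score(issue):
    """Return the best available CVSS score as a float, or None if unknown.

    An empty string or a non-positive value is treated as 'no score', because
    a missing score must not be mistaken for a low one.
    """
    for key in ("scorev4", "scorev3", "scorev2"):
        raw = issue.get(key, "")
        if raw in ("", None):
            continue
        try:
            value = float(raw)
        except ValueError:
            continue
        if value > 0.0:
            return value
    return None


def status_counts(packages):
    """Count issues by their cve-check status (Patched, Unpatched, Ignored, ...)."""
    counts = Counter()
    for pkg in packages:
        for issue in pkg.get("issue", []):
            counts[issue.get("status", "Unknown")] += 1
    return dict(counts)


def unpatched_above(packages, min_score, include_unscored=True):
    """List (package, cve id, score) for unpatched issues scoring >= min_score.

    Unscored issues are included (score None) unless include_unscored=False,
    and are sorted after the scored ones.
    """
    hits = []
    for pkg in packages:
        for issue in pkg.get("issue", []):
            if issue.get("status") != "Unpatched":
                continue
            score = highest_score(issue)
            if score is None:
                if include_unscored:
                    hits.append((pkg["name"], issue["id"], None))
            elif score >= min_score:
                hits.append((pkg["name"], issue["id"], score))
    hits.sort(key=lambda h: (h[2] is None, -(h[2] or 0.0)))
    return hits


def release_gate(packages, min_score=7.0, include_unscored=True):
    """True when no unpatched issue at or above min_score remains."""
    return not unpatched_above(packages, min_score, include_unscored)


if __name__ == "__main__":
    pkgs = load_cve_check(SAMPLE_CVE_CHECK_JSON)
    print("status counts:", status_counts(pkgs))
    for name, cve, score in unpatched_above(pkgs, 7.0):
        print("%-10s %-14s %s" % (name, cve, "unscored" if score is None else score))
    print("gate passed:", release_gate(pkgs, 7.0))
```

Run against a real `${IMAGE_NAME}.cve-check.json` by replacing the sample string with the file contents; the gate is deliberately conservative in that an unpatched issue with no score blocks it until `include_unscored=False` is chosen explicitly.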
View/Reply Online (#233615):
https://lists.openembedded.org/g/openembedded-core/message/233615