These recipes are intended to be used with ${AUTOREV} (e.g. in nightly CVE
metrics jobs).
Tag in SRCREV breaks that feature and thus this part of this patch should be
rejected.
Peter
> -----Original Message-----
> From: [email protected] <openembedded-
> [email protected]> On Behalf Of Alexander Kanavin via
> lists.openembedded.org
> Sent: Friday, May 8, 2026 3:31 PM
> To: [email protected]
> Cc: Alexander Kanavin <[email protected]>
> Subject: [OE-core] [PATCH] sbom-cve-check: set PV from upstream tags and
> ensure
> version checks are correct
>
> From: Alexander Kanavin <[email protected]>
>
> These recipes didn't set PV, which by default is 1.0. This isn't correct:
> upstream does provide date-based tags that can be used to perform version
> upgrades.
>
> Correct SRCREV in one of the recipes to point to the next tagged commit,
> as existing SRCREV was pointing to a non-tagged commit between 03.19 and 03.20
> tags.
>
> Signed-off-by: Alexander Kanavin <[email protected]>
> ---
> ...b => sbom-cve-check-update-cvelist-native_2026-03-19.bb} | 4 ++--
> ...> sbom-cve-check-update-nvd-native_2026.03.20-010002.bb} | 6 +++---
> 2 files changed, 5 insertions(+), 5 deletions(-)
> rename meta/recipes-devtools/sbom-cve-check/{sbom-cve-check-update-cvelist-
> native.bb => sbom-cve-check-update-cvelist-native_2026-03-19.bb} (79%)
> rename meta/recipes-devtools/sbom-cve-check/{sbom-cve-check-update-nvd-
> native.bb => sbom-cve-check-update-nvd-native_2026.03.20-010002.bb} (70%)
>
> diff --git
> a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-
> native.bb
> b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-
> native_2026-03-19.bb
> similarity index 79%
> rename from meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-
> cvelist-native.bb
> rename to meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-
> native_2026-03-19.bb
> index 3387122165..850537e777 100644
> --- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-
> native.bb
> +++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-cvelist-
> native_2026-03-19.bb
> @@ -3,10 +3,10 @@ LICENSE = "MIT"
> LIC_FILES_CHKSUM =
> "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
>
> HOMEPAGE = "https://github.com/CVEProject/cvelistV5"
> -SRC_URI =
> "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https;destsuffix="
> +SRC_URI =
> "git://github.com/CVEProject/cvelistV5.git;branch=main;protocol=https;tag=${PV}_ba
> seline;destsuffix="
> SBOM_CVE_CHECK_DB_NAME = "cvelist"
>
> -# 2026-03-19_baseline
> SRCREV = "ada54ee3cc8380820aa45e4996910bdc9dcb94e7"
> +UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>.+)_baseline"
>
> require sbom-cve-check-update-db.inc
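Review bot: the `tag=${PV}_baseline` parameter added to SRC_URI ties the fetch to the version in the recipe file name, which conflicts with overriding SRCREV with ${AUTOREV} as described in the reply at the top of this thread; a floating revision on branch=main will generally not be the commit that the fixed tag names. Consider keeping the rename and UPSTREAM_CHECK_GITTAGREGEX for upgrade checks but leaving tag= out of SRC_URI, or making it something a nightly job can clear. The removed `# 2026-03-19_baseline` comment was the only in-file record of which tag SRCREV corresponds to, so if tag= is dropped that comment should stay.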
> diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native.bb b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native_2026.03.20-010002.bb
> similarity index 70%
> rename from meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native.bb
> rename to meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native_2026.03.20-010002.bb
> index c868ba09c1..d1290ba8e3 100644
> --- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-native.bb
> +++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-nvd-
> native_2026.03.20-010002.bb
> @@ -3,10 +3,10 @@ LICENSE = "cve-tou"
> LIC_FILES_CHKSUM = "file://LICENSES/cve-
> tou.md;md5=bc5bbf146f01e20ece63d83c8916d8fb"
>
> HOMEPAGE = "https://github.com/fkie-cad/nvd-json-data-feeds"
> -SRC_URI = "git://github.com/fkie-cad/nvd-json-data-
> feeds.git;branch=main;protocol=https;destsuffix="
> +SRC_URI = "git://github.com/fkie-cad/nvd-json-data-
> feeds.git;branch=main;protocol=https;tag=v${PV};destsuffix="
> SBOM_CVE_CHECK_DB_NAME = "nvd-fkie"
>
> -# v2026.03.19-010002
> -SRCREV = "49f8bbe1b0b0884e16bdc37ab68db997085570a7"
> +SRCREV = "71a7984884a918f7f1464a0efe25ba4a24c569ca"
> +UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.+)"
>
> require sbom-cve-check-update-db.inc
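Review bot: `UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.+)"` accepts any tag text after a leading v, so the version check can pick up tags that are not in the date-time form used in the new file name (2026.03.20-010002). A tighter pattern such as `v(?P<pver>\d{4}\.\d{2}\.\d{2}-\d{6})` would keep it to that form. The `tag=v${PV}` addition to SRC_URI raises the same ${AUTOREV} concern as the reply at the top of this thread, and the removed comment labelled the old SRCREV as v2026.03.19-010002 while the commit message describes it as a non-tagged commit, so it is worth confirming which is right before merging.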
> --
> 2.47.3