Re: [OE-core] [PATCH v7 1/2] sbom-cve-check: Add class for post-build CVE analysis

Tue, 24 Mar 2026 03:12:35 -0700 

Hi,

On Tuesday, March 24, 2026 at 10:21 AM, Antonin Godard wrote:
> Hi,
> 
> Thanks for the new version. I'll suggest a simplification to how the databases
> are unpacked, since I understand this is a costly operation.
> 
> This gets rid of the do_install() task, and rsync-native dependency. What this
> does is let the BitBake fetcher handle the unpacking/checkout of the databases
> directly in the DEPLOYDIR. This simplifies the recipe and removes one copy
> operation, I think.

Thank you Antonin for this suggestion, really good idea.
This is a bit simpler and faster, and should be completely safe.

I am going to send a v8 with these changes after running various tests.

The only thing left to have something way faster (for the initial build)
would be to have a true support of shallow clone that can be updated.
But this will be implemented later :)

> diff --git 
> a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc 
> b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db
> .inc
> index 5d7a07001c..6a968e941c 100644
> --- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
> +++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
> @@ -9,13 +9,12 @@ require sbom-cve-check-config.inc
>  SBOM_CVE_CHECK_DB_NAME[doc] = "Database name, which is the Git repository 
> directory name. \
>      The git repository will be stored in ${SBOM_CVE_CHECK_DEPLOY_DB_DIR)/"
> 
> -DEPENDS += "rsync-native"
> -ALLOW_EMPTY:${PN} = "1"
> +deltask do_patch
> +deltask do_configure
> +deltask do_compile
> +deltask do_install
> +deltask do_populate_sysroot
> 
> -# In the install task, also deploy directly to ${DEPLOY_DIR} using rsync.
> -# This is an hack, we are not using do_deploy to prevent multiple 
> unnecessary copy of the CVE database.
> -do_install() {
> -    dst="${SBOM_CVE_CHECK_DEPLOY_DB_DIR}/${SBOM_CVE_CHECK_DB_NAME}"
> -    mkdir -p "$dst"
> -    rsync -aH --delete --link-dest="${S}/" "${S}/" "${dst}/"
> -}
> +UNPACKDIR = "${SBOM_CVE_CHECK_DEPLOY_DB_DIR}"
> +S = "${UNPACKDIR}"
> +BB_GIT_DEFAULT_DESTSUFFIX = "${SBOM_CVE_CHECK_DB_NAME}"


-- 
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com




-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#233781): 
https://lists.openembedded.org/g/openembedded-core/message/233781
Mute This Topic: https://lists.openembedded.org/mt/118467893/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to