classes/sbom-cve-check: add variable to control the scope of the CVE scan
authorRoss Burton <ross.burton@arm.com>
Thu, 9 Apr 2026 16:26:22 +0000 (17:26 +0100)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Fri, 10 Apr 2026 05:47:17 +0000 (06:47 +0100)
Unless told otherwise, sbom-cve-check will only report on issues found
in target recipes.  Whilst this is the behaviour we want for image-based
scanning, it's not the designed behaviour for recipe-based scanning.

Add a new variable SBOM_CVE_CHECK_SCAN_SCOPE that is used as the value
passed with --export-process-native.  Default this to "target" so the
normal behaviour is unchanged, but set it to "both" in the
sbom-cve-check-recipe class.

[1] https://sbom-cve-check.readthedocs.io/en/latest/export.html#export-options

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/classes/sbom-cve-check-common.bbclass
meta/classes/sbom-cve-check-recipe.bbclass

index 3db189d60de7c6ebb913df92b0c01ac0d6ef3859..6963ad71c617d0640a5e1814b509a3b2e3ebd3b1 100644 (file)
@@ -6,6 +6,10 @@ require conf/sbom-cve-check-config.inc
 
 SBOM_CVE_CHECK_DEPLOYDIR = "${WORKDIR}/sbom-cve-check/image-deploy"
 
+SBOM_CVE_CHECK_SCAN_SCOPE ?= "target"
+SBOM_CVE_CHECK_SCAN_SCOPE[doc] = "Whether to scan target and native, just target, or just native. \
+    Valid values are both, target, native."
+
 SBOM_CVE_CHECK_EXTRA_ARGS[doc] = "Allow to specify extra arguments to sbom-cve-check. \
     For example to add export flags for filtering (e.g., only export vulnerable CVEs). \
 "
@@ -54,6 +58,7 @@ def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
 
     dl_db_dir = d.getVar("SBOM_CVE_CHECK_DEPLOY_DB_DIR")
     out_deploy_dir = d.getVar("SBOM_CVE_CHECK_DEPLOYDIR")
+    scan_scope = d.getVar("SBOM_CVE_CHECK_SCAN_SCOPE")
 
     export_files = []
     for export_var in d.getVar("SBOM_CVE_CHECK_EXPORT_VARS").split():
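Review bot: `scan_scope` is read from `SBOM_CVE_CHECK_SCAN_SCOPE` on the added line and later in this function is passed verbatim as the value of `--export-process-native`, without being checked against the set the variable's `[doc]` declares (both, target, native). A value outside that set, or an empty one, will only fail inside the sbom-cve-check invocation with a message that does not name the BitBake variable, and an unset variable would yield `None` and break the argv list before the tool even runs. Right after the assignment I would add `if scan_scope not in ("both", "target", "native"): bb.fatal("SBOM_CVE_CHECK_SCAN_SCOPE must be one of both, target or native, not %r" % scan_scope)` (assuming `bb` is in scope here as it normally is in bbclass Python). run_sbom_cve_check starts before this hunk and continues past it.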
@@ -70,7 +75,9 @@ def run_sbom_cve_check(d, sbom_path, export_base_name, export_link_name=None):
         d.expand("${STAGING_BINDIR_NATIVE}/sbom-cve-check"),
         "--sbom-path",
         sbom_path,
-        "--disable-auto-updates"
+        "--disable-auto-updates",
+        "--export-process-native",
+        scan_scope,
     ]
 
     for export_type, export_file, export_link in export_files:
index 904ce57f5cc7d0fca6e0e223e4b509413171f0e5..c80b8ac83ff0b0d356064cbc26931fffa02362a5 100644 (file)
@@ -9,6 +9,9 @@
 
 inherit sbom-cve-check-common
 
+# Recipe-based scanning should cover both target and native components.
+SBOM_CVE_CHECK_SCAN_SCOPE = "both"
+
 python do_sbom_cve_check_recipe() {
     """
     Task: Run sbom-cve-check analysis on a recipe SBOM.
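Review bot: The hard assignment `SBOM_CVE_CHECK_SCAN_SCOPE = "both"` on the added line will, as far as I can tell from parse order, take precedence over a plain `=` or `?=` for the same variable in local.conf, so a user who wants recipe scans restricted to target components is silently overridden unless they reach for `:forcevariable`; if that is the intended contract the comment should say so. I would extend the added comment to `# Recipe-based scanning should cover both target and native components. This hard assignment overrides any conf-level value; use SBOM_CVE_CHECK_SCAN_SCOPE:forcevariable to change it.` If only a different default was intended, a `?=` here would not achieve it because sbom-cve-check-common, inherited on the line above, has already applied its own `?= "target"`. The `do_sbom_cve_check_recipe` function continues past the end of the hunk.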