{"id":48503960,"url":"https://github.com/bootlin/meta-sbom-cve-check","last_synced_at":"2026-04-07T15:37:11.345Z","repository":{"id":336429455,"uuid":"1118881939","full_name":"bootlin/meta-sbom-cve-check","owner":"bootlin","description":"Yocto layer for sbom-cve-check","archived":false,"fork":false,"pushed_at":"2026-02-13T14:09:02.000Z","size":15,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-13T22:54:11.658Z","etag":null,"topics":["cve-scanning","yocto-layer"],"latest_commit_sha":null,"homepage":"","language":"BitBake","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bootlin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-18T12:17:49.000Z","updated_at":"2026-02-13T14:09:06.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/bootlin/meta-sbom-cve-check","commit_stats":null,"previous_names":["bootlin/meta-sbom-cve-check"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/bootlin/meta-sbom-cve-check","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bootlin%2Fmeta-sbom-cve-check","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bootlin%2Fmeta-sbom-cve-check/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bootlin%2Fmeta-sbom-cve-check/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/bootlin%2Fmeta-sbom-cve-check/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bootlin","download_url":"https://codeload.github.com/bootlin/meta-sbom-cve-check/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bootlin%2Fmeta-sbom-cve-check/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31518632,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T03:10:19.677Z","status":"ssl_error","status_checked_at":"2026-04-07T03:10:13.982Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-scanning","yocto-layer"],"created_at":"2026-04-07T15:37:10.572Z","updated_at":"2026-04-07T15:37:11.325Z","avatar_url":"https://github.com/bootlin.png","language":"BitBake","funding_links":[],"categories":[],"sub_categories":[],"readme":"# meta-sbom-cve-check\n\nThis layer integrates the [sbom-cve-check](https://github.com/bootlin/sbom-cve-check)\nutility into Yocto builds. 
It allows you to run the CVE analysis on the SPDX\nSoftware Bill of Materials (SBOM) generated by Yocto.\n\n## Features\n\n- Provides `sbom-cve-check` as a native build-time utility\n- Optionally adds a `do_sbom_cve_check` BitBake task that:\n  * Runs the CVE analysis on the generated SBOM,\n  * Deploys export files into the image deploy directory.\n\n## Using sbom-cve-check native tool\n\n### Requirements\n\n- Yocto / OpenEmbedded build environment\n- This layer is included in bblayers.conf\n\n### Running sbom-cve-check from Yocto\n\nTo run `sbom-cve-check` from the Yocto sysroot:\n\n1. Clone and include this layer in your `bblayers.conf`:\n\n```\n$ git clone https://github.com/bootlin/meta-sbom-cve-check.git layers/meta-sbom-cve-check\n```\n\n2. Build the native tool:\n\n```\nbitbake python3-sbom-cve-check-native -caddto_recipe_sysroot\n```\n\n3. Run the tool as follows, for example to see the help:\n\n```\noe-run-native python3-sbom-cve-check-native sbom-cve-check --help\n```\n\n## Using sbom-cve-check task\n\n### Requirements\n\n- Yocto / OpenEmbedded build environment\n- This layer is included in bblayers.conf\n- The `vex` class needs to be enabled globally\n- Currently only SPDX3 is supported by the `sbom-cve-check` class\n- On Scarthgap: SPDX2.2 needs to be disabled and SPDX3 enabled\n\n### Enabling the task\n\nTo run a CVE analysis on the built image:\n\n1. Clone and include this layer in your `bblayers.conf`.\n\n2. Enable the `vex` class globally, typically in your `local.conf`:\n\n```\nINHERIT += \"vex\"\n```\n\n3. Enable the `sbom-cve-check` class from your image recipe:\n\n```\ninherit sbom-cve-check\n```\n\nAlternatively the class can be inherited in all image recipes automatically using `IMAGE_CLASSES`, typically in your `local.conf`:\n\n```\nIMAGE_CLASSES += \"sbom-cve-check\"\n```\n\n4. Optionally configure the CVE analysis by using the following variables:\n\n - `SBOM_CVE_CHECK_EXTRA_ARGS`: Allows specifying extra arguments to\n   `sbom-cve-check`. 
For example to add filtering options.\n\n - `SBOM_CVE_CHECK_EXPORT_VARS`: List of variables that declare export files to\n   generate. By default equal to `SBOM_CVE_CHECK_EXPORT_FILE`.\n\n   Each variable must have the following flags set:\n    - `[type]`: The type of export, which corresponds to the value set to the\n      `--export-type` option flag (e.g., `csv` or `spdx3`).\n    - `[ext]`: The file extension of the exported file that is going to be\n      generated.\n\n - `SBOM_CVE_CHECK_EXPORT_FILE`: Default export file configuration.\n   The `[type]` flag is set by default to `spdx3`, and the `[ext]` flag is set\n   by default to `.cve-check.spdx.json`.\n\n5. Build your target image.\n\n   The resulting exported file, which is an SPDX3 file, will be available in the\n   deploy directory, with this default name: `${IMAGE_NAME}.cve-check.spdx.json`\n\n## Support\n\nFor issues or contributions, please open an issue or pull request on GitHub.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbootlin%2Fmeta-sbom-cve-check","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbootlin%2Fmeta-sbom-cve-check","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbootlin%2Fmeta-sbom-cve-check/lists"}