<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/classes, branch yocto-5.0.14</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.14</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.14'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-11-14T14:45:30+00:00</updated>
<entry>
<title>classes/create-spdx-2.2: Handle empty packages</title>
<updated>2025-11-14T14:45:30+00:00</updated>
<author>
<name>Joshua Watt</name>
<email>JPEWhacker@gmail.com</email>
</author>
<published>2025-11-07T13:14:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=d7d531e2698442ca3bee970727575267444ea640'/>
<id>urn:sha1:d7d531e2698442ca3bee970727575267444ea640</id>
<content type='text'>
When combining an SPDX document, the package list might be empty (e.g.
a baremetal image). Handle this case instead of erroring out

(From OE-Core rev: 1f7326799c33d2a734c58d360773b87d7b86b0ec)

Signed-off-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>classes/create-spdx-2.2: align DEPLOY_DIR_SPDX with SPDX_VERSION layout</title>
<updated>2025-11-14T14:45:30+00:00</updated>
<author>
<name>Kamel Bouhara (Schneider Electric)</name>
<email>kamel.bouhara@bootlin.com</email>
</author>
<published>2025-11-07T13:14:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=bf3b6c9965c85059a0a06f798b9dd6dc4149bd2a'/>
<id>urn:sha1:bf3b6c9965c85059a0a06f798b9dd6dc4149bd2a</id>
<content type='text'>
Upstream commit 544d46e4169a ("selftest/spdx: Fix for SPDX_VERSION addition")
updated the selftests to expect SPDX artifacts under:

    ${DEPLOY_DIR}/spdx/${SPDX_VERSION}/

However, in this branch the effective SPDX output was still being
written to:

    ${DEPLOY_DIR}/spdx/${PACKAGE_ARCH}/

without the version subdirectory. This caused SPDX selftests such as
test_spdx_tar to fail with missing file errors, e.g.:

    AssertionError: .../deploy/spdx/SPDX-1.1/core2-64/packages/tar.spdx.json does not exist

Update create-spdx-2.2.bbclass so that DEPLOY_DIR_SPDX includes
${SPDX_VERSION}, matching the expected deploy structure and restoring
successful SPDX selftests.

(From OE-Core rev: 8996d0899df5316742ba5fd73c351e8ca67dc90b)

Signed-off-by: Kamel Bouhara (Schneider Electric) &lt;kamel.bouhara@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>backport: SPDX 3.0 fixes and tasks from upstream version Walnascar</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Kamel Bouhara (Schneider Electric)</name>
<email>kamel.bouhara@bootlin.com</email>
</author>
<published>2025-11-07T13:14:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=11cd8498da86c61366e8701a8a49d60120c85248'/>
<id>urn:sha1:11cd8498da86c61366e8701a8a49d60120c85248</id>
<content type='text'>
Backports the SPDX 3.0 support and fixes from upstream walnascar
commit 49f47169953b807d430461ca33f3a2b076119712 into upstream
scarthgap.

(From OE-Core rev: 9c9b9545049a2f6e5c99edcb079275d29a4d1ac6)

Signed-off-by: Kamel Bouhara (Schneider Electric) &lt;kamel.bouhara@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve-check: Add missing call to exit_if_errors</title>
<updated>2025-08-22T12:59:54+00:00</updated>
<author>
<name>Philip Lorenz</name>
<email>philip.lorenz@bmw.de</email>
</author>
<published>2025-08-15T09:53:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=00ade479effbcd0a8574669252686bccd91a8f14'/>
<id>urn:sha1:00ade479effbcd0a8574669252686bccd91a8f14</id>
<content type='text'>
check_cves may raise the cve_status_not_in_db QA check. Call
exit_if_errors to make sure that the task is marked as failed when the
check is categorized as an error.

cve_status_not_in_db was in the meantime dropped in OE-Core
452e605b55ad61c08f4af7089a5a9c576ca28f7d so this change is only required
on scarthgap.

(From OE-Core rev: b3d12589c26f4e86b153bbdcda774985e4e046bd)

Signed-off-by: Philip Lorenz &lt;philip.lorenz@bmw.de&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>spdx: add option to include only compiled sources</title>
<updated>2025-07-07T14:42:58+00:00</updated>
<author>
<name>Daniel Turull</name>
<email>daniel.turull@ericsson.com</email>
</author>
<published>2025-06-19T08:47:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=2366605a35443565e259d03791d7b662c6ea03e2'/>
<id>urn:sha1:2366605a35443565e259d03791d7b662c6ea03e2</id>
<content type='text'>
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.

It uses debugsource information generated during do_package.

This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.

As example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.

Tested with bitbake world on oe-core.

(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Adapted to existing files for create-spdx-2.2

CC: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
CC: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
(From OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b)

Signed-off-by: Daniel Turull &lt;daniel.turull@ericsson.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve-check.bbclass: Fix symlink handling also for text files</title>
<updated>2025-05-19T15:32:49+00:00</updated>
<author>
<name>Niko Mauno</name>
<email>niko.mauno@vaisala.com</email>
</author>
<published>2025-05-12T15:52:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=848da2f632f22fa4934d74838c731ed9352a1816'/>
<id>urn:sha1:848da2f632f22fa4934d74838c731ed9352a1816</id>
<content type='text'>
While backporting commit 7543e4e24a8b ("cve-check.bbclass: Mitigate
symlink related error") I failed to address the fact that in Scarthgap
this bbclass still generates also the text CVE file, in addition to the
JSON file.

In order to avoid the error that occurred with JSON files from
occurring now with CVE files:

  ERROR: core-image-base-1.0-r0 do_image_complete: Recipe core-image-base is trying to install files into a shared area when those files already exist. The files and the manifests listing them are:
    /home/poky/build/tmp/deploy/images/qemux86-64/.cve
      (matched in manifest-qemux86_64-core-image-minimal.image_complete)
  Please adjust the recipes so only one recipe provides a given file.

update the symlink handling for the text file variant too.

(From OE-Core rev: 81e702c85c62782dbedd5ca2a5e6569e6339dd60)

Signed-off-by: Niko Mauno &lt;niko.mauno@vaisala.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve-check.bbclass: Mitigate symlink related error</title>
<updated>2025-03-15T13:40:08+00:00</updated>
<author>
<name>Niko Mauno</name>
<email>niko.mauno@vaisala.com</email>
</author>
<published>2025-03-10T14:37:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=7543e4e24a8bd61e1c9b172ea1ad0ed666b5e2b0'/>
<id>urn:sha1:7543e4e24a8bd61e1c9b172ea1ad0ed666b5e2b0</id>
<content type='text'>
According to Yocto reference manual, in description of the
IMAGE_LINK_NAME variable, it is said that

  It is possible to set this to "" to disable symlink creation,
  however, you also need to set :term:`IMAGE_NAME` to still have
  a reasonable value e.g.::

    IMAGE_LINK_NAME = ""
    IMAGE_NAME = "${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_VERSION_SUFFIX}"

However, when using following additions in local.conf file:

  INHERIT += "cve-check"
  IMAGE_LINK_NAME = ""
  IMAGE_NAME = "${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_VERSION_SUFFIX}"

the implicit symlink creation in cve_check_write_rootfs_manifest leads
to following build failure

  $ bitbake core-image-minimal core-image-base
  ...
  ERROR: core-image-base-1.0-r0 do_image_complete: Recipe core-image-base is trying to install files into a shared area when those files already exist. The files and the manifests listing them are:
    /home/poky/build/tmp/deploy/images/qemux86-64/.json
      (matched in manifest-qemux86_64-core-image-minimal.image_complete)
  Please adjust the recipes so only one recipe provides a given file.

Mitigate the issue by creating the symlink only in case IMAGE_LINK_NAME
has not been set to empty string.

(From OE-Core rev: 64bfec359bd909761ce0a6a716286d938ed162d1)

(From OE-Core rev: 35e210e3ebe21f1f4466760076b7140618af536e)

Signed-off-by: Niko Mauno &lt;niko.mauno@vaisala.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve_check: Use a local copy of the database during builds</title>
<updated>2024-11-09T13:53:57+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2024-08-14T12:02:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=35e6556f78078da32510974decf3d24070f6836a'/>
<id>urn:sha1:35e6556f78078da32510974decf3d24070f6836a</id>
<content type='text'>
Rtaher than trying to use a sqlite database over NFS from DL_DIR, work from
a local copy in STAGING DIR after fetching.

(From OE-Core rev: 57de6545695ac11816d670959d9e63666de08e3d)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 03596904392d257572a905a182b92c780d636744)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve-check: add support for cvss v4.0</title>
<updated>2024-11-09T13:53:57+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-10-25T20:17:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=74d6b31f9f47e4f03f956357b3f9bf5dee09052a'/>
<id>urn:sha1:74d6b31f9f47e4f03f956357b3f9bf5dee09052a</id>
<content type='text'>
https://nvd.nist.gov/general/news/cvss-v4-0-official-support

CVSS v4.0 was released in November 2023
NVD announced support for it in June 2024

Current stats are:
* cvss v4 provided, but also v3, so cve-check showed a value
sqlite&gt; select count(*) from nvd where scorev4 != 0.0 and scorev3 != 0.0;
2069
* only cvss v4 provided, so cve-check did not show any
sqlite&gt; select count(*) from nvd where scorev4 != 0.0 and scorev3 = 0.0;
260

(From OE-Core rev: 358dbfcd80ae1fa414d294c865dd293670c287f0)

(From OE-Core rev: 290407b3785bce2d22212a7ab9d3a349c8935cc0)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>create-sdpx-2.2.bbclass: Switch from exists to isfile checking debugsrc</title>
<updated>2024-09-25T12:07:47+00:00</updated>
<author>
<name>Mark Hatle</name>
<email>mark.hatle@amd.com</email>
</author>
<published>2024-09-17T20:03:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=40eac6fe629d2f5c7256da90896d717770952a1f'/>
<id>urn:sha1:40eac6fe629d2f5c7256da90896d717770952a1f</id>
<content type='text'>
While debugsrc is almost always a file (or link), there are apparently
cases where a directory could be returned from the dwarfsrcfiles
processing.  When this happens, the hashing fails and an error results
when building the SPDX documents.

(From OE-Core rev: cc24c32795e6894387a6e7ebc9b1d9f4215621f0)

Signed-off-by: Mark Hatle &lt;mark.hatle@amd.com&gt;
Signed-off-by: Mark Hatle &lt;mark.hatle@kernel.crashing.org&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 02e262c291c0b2066132b4cb2ca5fda8145284a9)
Signed-off-by: Mark Hatle &lt;mark.hatle@kernel.crashing.org&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
