
changelog.sh: do not check every recipe for CVEs #159

Merged
ideaship merged 1 commit into main from jogo_optimize_cve_collection on Feb 9, 2026

@KanjiMonster
Contributor

"bitbake -s" actually does not take any arguments, and prints the versions of all recipes available. This is a much larger list than the recipes actually used for building the image.

Since the CVE report contains only CVEs for recipes used in the image, this causes a lot of checks for CVEs for which the answer will always be empty.

So instead iterate over $packages which only contains the recipe names of recipes included in the image. This significantly speeds up the CVE collection.

In a non-scientific test this sped up collecting the package versions and CVEs of one release from ~16 minutes to ~1 minute, so it should reduce generating a changelog with CVEs by about half an hour.

Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
KanjiMonster requested a review from ideaship on February 6, 2026 14:28
@KanjiMonster
Contributor Author

Now the main time sink is pulling the CVE database, which can take more than 30 minutes, depending on the mood of the NIST CVE database server.

ideaship merged commit ca0d65e into main on Feb 9, 2026
3 checks passed
ideaship deleted the jogo_optimize_cve_collection branch on February 9, 2026 08:48
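
The narrowing described in this pull request, as an added example that is not the project's changelog.sh: it runs the same per-recipe lookup over the full recipe list and over the image's recipes, and checks that no recipe in the report falls outside the narrowed list. The sample data, the one-line report format, the CVE placeholders and the function names are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample data; formats are assumptions, not changelog.sh's own.
# Every recipe the layers provide (the much larger list).
all_recipes="busybox curl dnsmasq gdb openssl perl python3 vim zlib"
# Recipes actually built into the image ($packages in the PR description).
packages="busybox openssl zlib"
# Simplified CVE report, "recipe CVE-id" per line, placeholder ids only.
cve_report="busybox CVE-0000-0001
openssl CVE-0000-0002
openssl CVE-0000-0003"

# collect_cves RECIPE...: scan the report once per recipe.
# Sets $result ("recipe:CVE" words) and $lookups (number of report scans).
collect_cves() {
    result="" lookups=0
    for recipe in "$@"; do
        lookups=$((lookups + 1))
        for cve in $(printf '%s\n' "$cve_report" |
                     awk -v r="$recipe" '$1 == r { print $2 }'); do
            result="$result $recipe:$cve"
        done
    done
    result="${result# }"
}

# uncovered_recipes RECIPE...: recipes named in the report but missing from
# the given list. Must print nothing, or narrowing the loop would silently
# drop CVEs from the changelog.
uncovered_recipes() {
    printf '%s\n' "$cve_report" | awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
        !($1 in known) && !seen[$1]++ { print $1 }'
}

collect_cves $all_recipes
full_result=$result full_lookups=$lookups
collect_cves $packages
image_result=$result image_lookups=$lookups

echo "all recipes:   $full_lookups lookups -> $full_result"
echo "image recipes: $image_lookups lookups -> $image_result"
echo "report recipes outside \$packages: '$(uncovered_recipes $packages)'"
```

Running the coverage check before trusting the narrowed loop guards against a report that names a recipe the package list does not contain.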