spdx30: Allow VEX Justification to be configurable

Instead of hard coding the VEX justifications for "Ignored" CVE status, add a map that configures what justification should be used for each status. This allows other justifications to be easily added, and also ensures that status fields added externally (by downstream) can set an appropriate justification if necessary. (From OE-Core rev: c0fa3d92cefa74fa57c6c48c94acc64aa454e781) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joshua Watt <JPEWhacker@gmail.com> 2025-07-02 10:43:28 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-07-03 10:40:17 +0100
commit: 860aedadc9244e5979bb3750e321cab4c4cf3063 (patch)
tree: e15c781899b296593a5e0b56d445263176a2941f /meta/lib/oe
parent: 2fef1b9af036e575b80b7b5135c0362a49647199 (diff)
download: poky-860aedadc9244e5979bb3750e321cab4c4cf3063.tar.gz
1 files changed, 16 insertions, 17 deletions
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 5d9f3168d9..c352dab152 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -724,24 +724,23 @@ def create_spdx(d):
                            impact_statement=description,
                        )
-                        if detail in (
+                        vex_just_type = d.getVarFlag(
-                            "ignored",
+                            "CVE_CHECK_VEX_JUSTIFICATION", detail
-                            "cpe-incorrect",
+                        )
-                            "disputed",
+                        if vex_just_type:
-                            "upstream-wontfix",
+                            if (
-                        ):
+                                vex_just_type
-                            # VEX doesn't have justifications for this
+                                not in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS
-                            pass
+                            ):
-                        elif detail in (
+                                bb.fatal(
-                            "not-applicable-config",
+                                    f"Unknown vex justification '{vex_just_type}', detail '{detail}', for ignored {cve}"
-                            "not-applicable-platform",
-                        ):
-                            for v in spdx_vex:
-                                v.security_justificationType = (
-                                    oe.spdx30.security_VexJustificationType.vulnerableCodeNotPresent
                                )
-                        else:
-                            bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")
+                            for v in spdx_vex:
+                                v.security_justificationType = oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS[
+                                    vex_just_type
+                                ]
                    elif status == "Unknown":
                        bb.note(f"Skipping {cve} with status 'Unknown'")
                    else:
author	Joshua Watt <JPEWhacker@gmail.com>	2025-07-02 10:43:28 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-07-03 10:40:17 +0100
commit	860aedadc9244e5979bb3750e321cab4c4cf3063 (patch)
tree	e15c781899b296593a5e0b56d445263176a2941f /meta/lib/oe
parent	2fef1b9af036e575b80b7b5135c0362a49647199 (diff)
download	poky-860aedadc9244e5979bb3750e321cab4c4cf3063.tar.gz

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 5d9f3168d9..c352dab152 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py
@@ -724,24 +724,23 @@ def create_spdx(d):
724	impact_statement=description,	724	impact_statement=description,
725	)	725	)
726		726
727	if detail in (	727	vex_just_type = d.getVarFlag(
728	"ignored",	728	"CVE_CHECK_VEX_JUSTIFICATION", detail
729	"cpe-incorrect",	729	)
730	"disputed",	730	if vex_just_type:
731	"upstream-wontfix",	731	if (
732	):	732	vex_just_type
733	# VEX doesn't have justifications for this	733	not in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS
734	pass	734	):
735	elif detail in (	735	bb.fatal(
736	"not-applicable-config",	736	f"Unknown vex justification '{vex_just_type}', detail '{detail}', for ignored {cve}"
737	"not-applicable-platform",
738	):
739	for v in spdx_vex:
740	v.security_justificationType = (
741	oe.spdx30.security_VexJustificationType.vulnerableCodeNotPresent
742	)	737	)
743	else:	738
744	bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")	739	for v in spdx_vex:
		740	v.security_justificationType = oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS[
		741	vex_just_type
		742	]
		743
745	elif status == "Unknown":	744	elif status == "Unknown":
746	bb.note(f"Skipping {cve} with status 'Unknown'")	745	bb.note(f"Skipping {cve} with status 'Unknown'")
747	else:	746	else: