summaryrefslogtreecommitdiffstats
path: root/meta/lib
diff options
context:
space:
mode:
authorPeter Marko <peter.marko@siemens.com>2025-11-18 13:08:39 +0100
committerSteve Sakoman <steve@sakoman.com>2025-11-26 07:50:35 -0800
commitc06e4e6e609892f3c121893a0e02e9765bafcaff (patch)
treef83ea861097632dc920eae97800c6a81eaf420ae /meta/lib
parent7e8674996b0164b07e56bc066d0fba790e627061 (diff)
downloadpoky-c06e4e6e609892f3c121893a0e02e9765bafcaff.tar.gz
spdx30: fix cve status for patch files in VEX
This commit fixes commit 08595b39b46ef2bf3a928d4528292ee31a990c98 which adapts vex creation between function create_spdx where all changes were backported and funtion get_patched_cves where changes were not backported. CVE patches were previously ignored as they cannot be decoded from CVE_STATUS variables and each caused a warning like: WARNING: ncurses-native-6.4-r0 do_create_spdx: Skipping CVE-2023-50495 — missing or unknown CVE status Master branch uses fix-file-included for CVE patches however since cve-check-map.conf was not part of spdx-3.0 backport, closest one available (backported-patch) was implemented. (From OE-Core rev: 8d14b2bb02861612130f02c445392f34090ba5d9) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/lib')
-rw-r--r--meta/lib/oe/spdx30_tasks.py8
1 files changed, 7 insertions, 1 deletions
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 6b0aa137c4..8115088ab8 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -503,7 +503,13 @@ def create_spdx(d):
503 if include_vex != "none": 503 if include_vex != "none":
504 patched_cves = oe.cve_check.get_patched_cves(d) 504 patched_cves = oe.cve_check.get_patched_cves(d)
505 for cve_id in patched_cves: 505 for cve_id in patched_cves:
506 mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id) 506 # decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded
507 if cve_id in (d.getVarFlags("CVE_STATUS") or {}):
508 mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id)
509 else:
510 mapping = "Patched"
511 detail = "backported-patch" # fix-file-included is not available in scarthgap
512 description = None
507 513
508 if not mapping or not detail: 514 if not mapping or not detail:
509 bb.warn(f"Skipping {cve_id} — missing or unknown CVE status") 515 bb.warn(f"Skipping {cve_id} — missing or unknown CVE status")