diff options
| author | Peter Marko <peter.marko@siemens.com> | 2025-11-18 13:08:39 +0100 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-11-26 07:50:35 -0800 |
| commit | c06e4e6e609892f3c121893a0e02e9765bafcaff (patch) | |
| tree | f83ea861097632dc920eae97800c6a81eaf420ae /meta/lib | |
| parent | 7e8674996b0164b07e56bc066d0fba790e627061 (diff) | |
| download | poky-c06e4e6e609892f3c121893a0e02e9765bafcaff.tar.gz | |
spdx30: fix cve status for patch files in VEX
This commit fixes commit 08595b39b46ef2bf3a928d4528292ee31a990c98
which adapts vex creation between function create_spdx where all changes
were backported and funtion get_patched_cves where changes were not
backported.
CVE patches were previously ignored as they cannot be decoded from
CVE_STATUS variables and each caused a warning like:
WARNING: ncurses-native-6.4-r0 do_create_spdx: Skipping CVE-2023-50495 — missing or unknown CVE status
Master branch uses fix-file-included for CVE patches however since
cve-check-map.conf was not part of spdx-3.0 backport, closest one
available (backported-patch) was implemented.
(From OE-Core rev: 8d14b2bb02861612130f02c445392f34090ba5d9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/lib')
| -rw-r--r-- | meta/lib/oe/spdx30_tasks.py | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 6b0aa137c4..8115088ab8 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py | |||
| @@ -503,7 +503,13 @@ def create_spdx(d): | |||
| 503 | if include_vex != "none": | 503 | if include_vex != "none": |
| 504 | patched_cves = oe.cve_check.get_patched_cves(d) | 504 | patched_cves = oe.cve_check.get_patched_cves(d) |
| 505 | for cve_id in patched_cves: | 505 | for cve_id in patched_cves: |
| 506 | mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id) | 506 | # decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded |
| 507 | if cve_id in (d.getVarFlags("CVE_STATUS") or {}): | ||
| 508 | mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id) | ||
| 509 | else: | ||
| 510 | mapping = "Patched" | ||
| 511 | detail = "backported-patch" # fix-file-included is not available in scarthgap | ||
| 512 | description = None | ||
| 507 | 513 | ||
| 508 | if not mapping or not detail: | 514 | if not mapping or not detail: |
| 509 | bb.warn(f"Skipping {cve_id} — missing or unknown CVE status") | 515 | bb.warn(f"Skipping {cve_id} — missing or unknown CVE status") |
