| author | Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com> | 2025-11-07 14:14:49 +0100 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-11-14 06:45:30 -0800 |
| commit | 5b74a8f1a54d62d2cf2330bef6ffad3508540a91 (patch) | |
| tree | cd1371673347b2ccfb2ed24ef9ba6c809f6e713e /meta | |
| parent | 71aca87ca73e4a6e47b121702e99e59e426e713b (diff) | |
spdx30_tasks: adapt CVE handling to new cve-check API
Changes to cve-check (see poky commit fb3f440b7d8,
"cve-check: annotate CVEs during analysis") modified the
get_patched_cves() API to return a set of CVE IDs instead of a
dictionary of CVE metadata.
The SPDX 3 backport still expected a dictionary and attempted to call
.items(), leading to:
AttributeError: 'set' object has no attribute 'items'
This patch updates the SPDX3 code to iterate directly over the CVE IDs
and use `oe.cve_check.decode_cve_status()` to retrieve the mapping,
detail, and description for each CVE. This restores compatibility with
the updated CVE API and matches the behavior of SPDX3 handling on
Walnascar.
A warning is logged if a CVE has missing or unknown status.
(From OE-Core rev: 55fdeea44ffbecb705f7900bfa85ab88e1191878)
Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/lib/oe/spdx30_tasks.py | 29 |
1 files changed, 12 insertions, 17 deletions
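--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -502,34 +502,29 @@ def create_spdx(d):
 cve_by_status = {}
 if include_vex != "none":
 patched_cves = oe.cve_check.get_patched_cves(d)
-for cve, patched_cve in patched_cves.items():
-decoded_status = {
-"mapping": patched_cve["abbrev-status"],
-"detail": patched_cve["status"],
-"description": patched_cve.get("justification", None)
-}
+for cve_id in patched_cves:
+mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id)
+
+if not mapping or not detail:
+bb.warn(f"Skipping {cve_id} — missing or unknown CVE status")
+continue
 
 # If this CVE is fixed upstream, skip it unless all CVEs are
 # specified.
 if (
 include_vex != "all"
-and "detail" in decoded_status
-and decoded_status["detail"]
-in (
-"fixed-version",
-"cpe-stable-backport",
-)
+and "detail" in ("fixed-version", "cpe-stable-backport")
 ):
-bb.debug(1, "Skipping %s since it is already fixed upstream" % cve)
+bb.debug(1, "Skipping %s since it is already fixed upstream" % cve_id)
 continue
 
-spdx_cve = build_objset.new_cve_vuln(cve)
+spdx_cve = build_objset.new_cve_vuln(cve_id)
 build_objset.set_element_alias(spdx_cve)
 
-cve_by_status.setdefault(decoded_status["mapping"], {})[cve] = (
+cve_by_status.setdefault(mapping, {})[cve_id] = (
 spdx_cve,
-decoded_status["detail"],
-decoded_status["description"],
+detail,
+description,
 )
 
 cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))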
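Review bot: The upstream-fix filter on new line 516 tests the literal string `"detail"` against the tuple, which is always false, so the `bb.debug(...)`/`continue` branch below it is dead and no CVE is ever skipped as fixed upstream. The removed code compared `decoded_status["detail"]`; the new code should compare the unpacked variable instead: `and detail in ("fixed-version", "cpe-stable-backport")`. As written, every CVE whose status decodes as fixed-version or cpe-stable-backport still lands in `cve_by_status` and is emitted as VEX data even when include_vex is not "all", which silently widens the generated SPDX output. The body of create_spdx continues outside the hunk.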
