| author | Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> | 2025-11-21 10:54:09 +0100 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-12-01 07:34:55 -0800 |
| commit | 976648aa6087a8bd815bf9b1e2bae3d1e8f3600b (patch) | |
| tree | 32443697d9d49f0e9c12dbb68e9c01b80844e73d /meta | |
| parent | 91ba7b5d6613c8ea493c9eb7e592c30d5a0bf335 (diff) | |
| download | poky-976648aa6087a8bd815bf9b1e2bae3d1e8f3600b.tar.gz | |
spdx30: provide all CVE_STATUS, not only Patched status
In scarthgap, the `oe.cve_check.get_patched_cves()` method only returns
CVEs with a "Patched" status. We want to retrieve all annotations,
including those with an "Ignored" status. Therefore, to avoid modifying
the current API, we integrate the logic for retrieving all CVE_STATUS
values directly into `spdx30_task`.
(From OE-Core rev: 9a204670b1c0daedf1ed8ff944f8e5443b39c8f7)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/lib/oe/spdx30_tasks.py | 31 |
1 files changed, 17 insertions, 14 deletions
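--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -453,6 +453,22 @@ def set_purposes(d, element, *var_names, force_purposes=[]):
     ]
 
 
+def _get_cves_info(d):
+    patched_cves = oe.cve_check.get_patched_cves(d)
+    for cve_id in (d.getVarFlags("CVE_STATUS") or {}):
+        mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id)
+        if not mapping or not detail:
+            bb.warn(f"Skipping {cve_id} — missing or unknown CVE status")
+            continue
+        yield cve_id, mapping, detail, description
+        patched_cves.discard(cve_id)
+
+    # decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded
+    for cve_id in patched_cves:
+        # fix-file-included is not available in scarthgap
+        yield cve_id, "Patched", "backported-patch", None
+
+
 def create_spdx(d):
     def set_var_field(var, obj, name, package=None):
         val = None
@@ -502,20 +518,7 @@ def create_spdx(d):
     # Add CVEs
     cve_by_status = {}
     if include_vex != "none":
-        patched_cves = oe.cve_check.get_patched_cves(d)
-        for cve_id in patched_cves:
-            # decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded
-            if cve_id in (d.getVarFlags("CVE_STATUS") or {}):
-                mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id)
-            else:
-                mapping = "Patched"
-                detail = "backported-patch"  # fix-file-included is not available in scarthgap
-                description = None
-
-            if not mapping or not detail:
-                bb.warn(f"Skipping {cve_id} — missing or unknown CVE status")
-                continue
-
+        for cve_id, mapping, detail, description in _get_cves_info(d):
             # If this CVE is fixed upstream, skip it unless all CVEs are
             # specified.
             if (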
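Review bot: In the first loop of `_get_cves_info` (new lines 458-464) the warn-and-`continue` path never removes `cve_id` from `patched_cves`, so a CVE whose CVE_STATUS entry decodes to no mapping or detail is reported as skipped and then, if `get_patched_cves()` also returned it (presumably possible via a patch-file CVE tag), re-emitted by the second loop as `"Patched", "backported-patch"` — the old code skipped such entries outright. Moving the discard up, `patched_cves.discard(cve_id)` directly after the `decode_cve_status` call and before the `if not mapping or not detail:` check, keeps the skip consistent and also stops relying on the consumer resuming the generator for the discard to run. The `.discard` call also assumes `get_patched_cves()` returns a set, which the old code did not depend on; worth a one-line assertion or comment if that is the scarthgap contract. The new helper has no docstring; I would add one stating that it yields `(cve_id, mapping, detail, description)` tuples for every CVE_STATUS flag first, then a synthetic "Patched"/"backported-patch" tuple for each remaining CVE reported by `get_patched_cves()`, with `description` set to `None` for the latter.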
