2 files changed, 20 insertions, 17 deletions
diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
index ac956379d1..fc49fe0a50 100644
--- a/meta/conf/cve-check-map.conf
+++ b/meta/conf/cve-check-map.conf
@@ -28,8 +28,12 @@ CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
 CVE_CHECK_STATUSMAP[disputed] = "Ignored"
 # use when vulnerability depends on build or runtime configuration which is not used
 CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent"
 # use when vulnerability affects other platform (e.g. Windows or Debian)
 CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+CVE_CHECK_VEX_JUSTIFICATION[not-applicable-platform] = "vulnerableCodeNotPresent"
 # use when upstream acknowledged the vulnerability but does not plan to fix it
 CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 5d9f3168d9..c352dab152 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -724,24 +724,23 @@ def create_spdx(d):
                            impact_statement=description,
                        )
-                        if detail in (
+                        vex_just_type = d.getVarFlag(
-                            "ignored",
+                            "CVE_CHECK_VEX_JUSTIFICATION", detail
-                            "cpe-incorrect",
+                        )
-                            "disputed",
+                        if vex_just_type:
-                            "upstream-wontfix",
+                            if (
-                        ):
+                                vex_just_type
-                            # VEX doesn't have justifications for this
+                                not in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS
-                            pass
+                            ):
-                        elif detail in (
+                                bb.fatal(
-                            "not-applicable-config",
+                                    f"Unknown vex justification '{vex_just_type}', detail '{detail}', for ignored {cve}"
-                            "not-applicable-platform",
-                        ):
-                            for v in spdx_vex:
-                                v.security_justificationType = (
-                                    oe.spdx30.security_VexJustificationType.vulnerableCodeNotPresent
                                )
-                        else:
-                            bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")
+                            for v in spdx_vex:
+                                v.security_justificationType = oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS[
+                                    vex_just_type
+                                ]
                    elif status == "Unknown":
                        bb.note(f"Skipping {cve} with status 'Unknown'")
                    else:

diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf index ac956379d1..fc49fe0a50 100644 --- a/meta/conf/cve-check-map.conf +++ b/meta/conf/cve-check-map.conf
@@ -28,8 +28,12 @@ CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
28	CVE_CHECK_STATUSMAP[disputed] = "Ignored"	28	CVE_CHECK_STATUSMAP[disputed] = "Ignored"
29	# use when vulnerability depends on build or runtime configuration which is not used	29	# use when vulnerability depends on build or runtime configuration which is not used
30	CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"	30	CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
		31	CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent"
		32
31	# use when vulnerability affects other platform (e.g. Windows or Debian)	33	# use when vulnerability affects other platform (e.g. Windows or Debian)
32	CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"	34	CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
		35	CVE_CHECK_VEX_JUSTIFICATION[not-applicable-platform] = "vulnerableCodeNotPresent"
		36
33	# use when upstream acknowledged the vulnerability but does not plan to fix it	37	# use when upstream acknowledged the vulnerability but does not plan to fix it
34	CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"	38	CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
35		39


diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 5d9f3168d9..c352dab152 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py
@@ -724,24 +724,23 @@ def create_spdx(d):
724	impact_statement=description,	724	impact_statement=description,
725	)	725	)
726		726
727	if detail in (	727	vex_just_type = d.getVarFlag(
728	"ignored",	728	"CVE_CHECK_VEX_JUSTIFICATION", detail
729	"cpe-incorrect",	729	)
730	"disputed",	730	if vex_just_type:
731	"upstream-wontfix",	731	if (
732	):	732	vex_just_type
733	# VEX doesn't have justifications for this	733	not in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS
734	pass	734	):
735	elif detail in (	735	bb.fatal(
736	"not-applicable-config",	736	f"Unknown vex justification '{vex_just_type}', detail '{detail}', for ignored {cve}"
737	"not-applicable-platform",
738	):
739	for v in spdx_vex:
740	v.security_justificationType = (
741	oe.spdx30.security_VexJustificationType.vulnerableCodeNotPresent
742	)	737	)
743	else:	738
744	bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")	739	for v in spdx_vex:
		740	v.security_justificationType = oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS[
		741	vex_just_type
		742	]
		743
745	elif status == "Unknown":	744	elif status == "Unknown":
746	bb.note(f"Skipping {cve} with status 'Unknown'")	745	bb.note(f"Skipping {cve} with status 'Unknown'")
747	else:	746	else: