1 files changed, 17 insertions, 18 deletions
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index beeafc2bb7..c352dab152 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -552,7 +552,7 @@ def create_spdx(d):
    )
    build_objset.new_relationship(
        source_files,
-        oe.spdx30.RelationshipType.hasConcludedLicense,
+        oe.spdx30.RelationshipType.hasDeclaredLicense,
        [oe.sbom30.get_element_link_id(recipe_spdx_license)],
    )
@@ -724,24 +724,23 @@ def create_spdx(d):
                            impact_statement=description,
                        )
-                        if detail in (
+                        vex_just_type = d.getVarFlag(
-                            "ignored",
+                            "CVE_CHECK_VEX_JUSTIFICATION", detail
-                            "cpe-incorrect",
+                        )
-                            "disputed",
+                        if vex_just_type:
-                            "upstream-wontfix",
+                            if (
-                        ):
+                                vex_just_type
-                            # VEX doesn't have justifications for this
+                                not in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS
-                            pass
+                            ):
-                        elif detail in (
+                                bb.fatal(
-                            "not-applicable-config",
+                                    f"Unknown vex justification '{vex_just_type}', detail '{detail}', for ignored {cve}"
-                            "not-applicable-platform",
-                        ):
-                            for v in spdx_vex:
-                                v.security_justificationType = (
-                                    oe.spdx30.security_VexJustificationType.vulnerableCodeNotPresent
                                )
-                        else:
-                            bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")
+                            for v in spdx_vex:
+                                v.security_justificationType = oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS[
+                                    vex_just_type
+                                ]
                    elif status == "Unknown":
                        bb.note(f"Skipping {cve} with status 'Unknown'")
                    else:

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index beeafc2bb7..c352dab152 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py
@@ -552,7 +552,7 @@ def create_spdx(d):
552	)	552	)
553	build_objset.new_relationship(	553	build_objset.new_relationship(
554	source_files,	554	source_files,
555	oe.spdx30.RelationshipType.hasConcludedLicense,	555	oe.spdx30.RelationshipType.hasDeclaredLicense,
556	[oe.sbom30.get_element_link_id(recipe_spdx_license)],	556	[oe.sbom30.get_element_link_id(recipe_spdx_license)],
557	)	557	)
558		558
@@ -724,24 +724,23 @@ def create_spdx(d):
724	impact_statement=description,	724	impact_statement=description,
725	)	725	)
726		726
727	if detail in (	727	vex_just_type = d.getVarFlag(
728	"ignored",	728	"CVE_CHECK_VEX_JUSTIFICATION", detail
729	"cpe-incorrect",	729	)
730	"disputed",	730	if vex_just_type:
731	"upstream-wontfix",	731	if (
732	):	732	vex_just_type
733	# VEX doesn't have justifications for this	733	not in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS
734	pass	734	):
735	elif detail in (	735	bb.fatal(
736	"not-applicable-config",	736	f"Unknown vex justification '{vex_just_type}', detail '{detail}', for ignored {cve}"
737	"not-applicable-platform",
738	):
739	for v in spdx_vex:
740	v.security_justificationType = (
741	oe.spdx30.security_VexJustificationType.vulnerableCodeNotPresent
742	)	737	)
743	else:	738
744	bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")	739	for v in spdx_vex:
		740	v.security_justificationType = oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS[
		741	vex_just_type
		742	]
		743
745	elif status == "Unknown":	744	elif status == "Unknown":
746	bb.note(f"Skipping {cve} with status 'Unknown'")	745	bb.note(f"Skipping {cve} with status 'Unknown'")
747	else:	746	else: