diff mbox series

lib: sbom30: Add action statement for affected VEX statements

Message ID 20250305210030.4034059-1-JPEWhacker@gmail.com
State Accepted, archived
Commit 39545c955474a43d11a45d74a88a5999b02cb8b3
Series lib: sbom30: Add action statement for affected VEX statements

Commit Message

Joshua Watt March 5, 2025, 9 p.m. UTC
VEX Affected relationships have a mandatory action statement that
indicates the mitigation for a vulnerability. Since we don't track this,
add a statement indicating that no mitigation is known.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 meta/lib/oe/sbom30.py | 1 +
 1 file changed, 1 insertion(+)

Patch

diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 0595ebd41ca..227ac518770 100644
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -685,6 +685,7 @@  class ObjectSet(oe.spdx30.SHACLObjectSet):
             to,
             spdxid_name="vex-affected",
             security_vexVersion=VEX_VERSION,
+            security_actionStatement="Mitigation action unknown",
         )
 
     def new_vex_ignored_relationship(self, from_, to, *, impact_statement):
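
Review bot: The added `security_actionStatement="Mitigation action unknown"` line hard-codes the literal at the call site, unlike `security_vexVersion=VEX_VERSION` directly above it and unlike `new_vex_ignored_relationship`, which takes its `impact_statement` from the caller as a keyword-only argument. Consider a module-level constant for the placeholder text, or a keyword-only `action_statement` parameter that defaults to it, so a caller that does know a mitigation can pass one and tools reading the SBOM can match the placeholder exactly. A short code comment saying the string is a placeholder because mitigations are not tracked would also help, since that reason currently lives only in the commit message.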