diff mbox series

[2/2] spdx30: handle Unknown CVE_STATUS

Message ID 20250331111128.317469-2-peter.marko@siemens.com
State New
Series [1/2] create-spdx-3.0: make create_spdx depend on CVE_STATUS

Commit Message

Peter Marko March 31, 2025, 11:11 a.m. UTC
From: Peter Marko <peter.marko@siemens.com>

CVE_STATUS can also be "Unknown" since oe-core commit
d25f1817752bc8a84c40dcbef75f7559801ce15e

When this status type is used, build fails with e.g.
ERROR: openssl-3.4.1-r0 do_create_spdx: Unknown CVE-2025-0001 status 'Unknown'

Since this is now a valid status, it needs to be handled.
It cannot be mapped to any VEX status (see below), so just skip it.
Possible VEX statuses are: NOT AFFECTED, AFFECTED, FIXED, and UNDER INVESTIGATION.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
cc: Marta Rybczynska <rybczynska@gmail.com>
---
 meta/lib/oe/spdx30_tasks.py | 2 ++
 1 file changed, 2 insertions(+)

Patch

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 52329760b6..ba965821f8 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -724,6 +724,8 @@  def create_spdx(d):
                                 )
                         else:
                             bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")
+                    elif status == "Unknown":
+                        bb.note(f"Skipping {cve} with status 'Unknown'")
                     else:
                         bb.fatal(f"Unknown {cve} status '{status}'")
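Review bot: the new `elif status == "Unknown":` branch skips the CVE with only a `bb.note`, and nothing in the code says why no VEX relationship is created for it; the reason (no VEX status corresponds to "Unknown") is given only in the commit message. Add a one-line comment above the `bb.note` stating that, and consider whether note level is enough here, since a reader of the generated document cannot tell a skipped "Unknown" entry from a CVE that was never listed. The `bb.fatal(f"Unknown {cve} status '{status}'")` message in the final `else` also now reads ambiguously beside a valid status that is itself named "Unknown"; rewording it (for example to "Unsupported") would keep the two cases apart in build logs.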