From patchwork Mon Nov 3 16:26:41 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kamel Bouhara X-Patchwork-Id: 73538 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F409CCFA0C for ; Mon, 3 Nov 2025 16:27:34 +0000 (UTC) Received: from smtpout-02.galae.net (smtpout-02.galae.net [185.246.84.56]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.1646.1762187252912400101 for ; Mon, 03 Nov 2025 08:27:33 -0800 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@bootlin.com header.s=dkim header.b=DhtIw9iE; spf=pass (domain: bootlin.com, ip: 185.246.84.56, mailfrom: kamel.bouhara@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-02.galae.net (Postfix) with ESMTPS id 9976F1A185D for ; Mon, 3 Nov 2025 16:27:31 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 6F90E60628; Mon, 3 Nov 2025 16:27:31 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 8637610B5017B; Mon, 3 Nov 2025 17:27:30 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1762187251; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=yjQMTFDRqvt249qh/UJA356++r9VLDac8ztWKC7lOwY=; b=DhtIw9iE0ABEu3ZGYw6lrksgoJY409CrIal/6HyAC0hmSoyJZEDX7exQUNBJXuwsgI2MUx +zooE2PGyNZO9tj0yBjdK9145u+EL+ctRIz52ced3ikRoqWYE6E5uJLEB06wqRj2e95w67 5W2aZ/gTcniNmx/dsOjbj5Q/gAWUWkNdfeAv1ALFrnaF1lnLKZWG4wDGZc55mOoYkH+PN+ nmAXGmUvvOhCERzDrFZs7oWUvOPeC/guoXXp/ewUAh2drLbi66gq6AFAI0LDe+IXVXST/T 4e/COVc056B9+GzSiqqU86C1lUdMqWufWRuJF+mHVl9S7NN4BKovGbiHzzwr9g== From: Kamel Bouhara To: openembedded-core@lists.openembedded.org Cc: JPEWhacker@gmail.com, thomas.petazzoni@bootlin.com, Miquel Raynal , mathieu.dubois-briand@bootlin.com, antonin.godard@bootlin.com, Pascal Eberhard , "Kamel Bouhara (Schneider Electric)" Subject: [scarthgap v3 15/16] spdx30_tasks: adapt CVE handling to new cve-check API Date: Mon, 3 Nov 2025 17:26:41 +0100 Message-ID: <20251103162654.1714239-16-kamel.bouhara@bootlin.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20251103162654.1714239-1-kamel.bouhara@bootlin.com> References: <20251103162654.1714239-1-kamel.bouhara@bootlin.com> MIME-Version: 1.0 X-Last-TLS-Session-Version: TLSv1.3 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 03 Nov 2025 16:27:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/225682 From: "Kamel Bouhara (Schneider Electric)" Changes to cve-check (see poky commit fb3f440b7d8, "cve-check: annotate CVEs during analysis") modified the get_patched_cves() API to return a set of CVE IDs instead of a dictionary of CVE metadata. The SPDX 3 backport still expected a dictionary and attempted to call .items(), leading to: AttributeError: 'set' object has no attribute 'items' This patch updates the SPDX3 code to iterate directly over the CVE IDs and use `oe.cve_check.decode_cve_status()` to retrieve the mapping, detail, and description for each CVE. This restores compatibility with the updated CVE API and matches the behavior of SPDX3 handling on Walnascar. A warning is logged if a CVE has missing or unknown status. Signed-off-by: Kamel Bouhara (Schneider Electric) --- meta/lib/oe/spdx30_tasks.py | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index f6e6e545dc..6b0aa137c4 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -502,34 +502,29 @@ def create_spdx(d): cve_by_status = {} if include_vex != "none": patched_cves = oe.cve_check.get_patched_cves(d) - for cve, patched_cve in patched_cves.items(): - decoded_status = { - "mapping": patched_cve["abbrev-status"], - "detail": patched_cve["status"], - "description": patched_cve.get("justification", None) - } + for cve_id in patched_cves: + mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id) + + if not mapping or not detail: + bb.warn(f"Skipping {cve_id} — missing or unknown CVE status") + continue # If this CVE is fixed upstream, skip it unless all CVEs are # specified. if ( include_vex != "all" - and "detail" in decoded_status - and decoded_status["detail"] - in ( - "fixed-version", - "cpe-stable-backport", - ) + and "detail" in ("fixed-version", "cpe-stable-backport") ): - bb.debug(1, "Skipping %s since it is already fixed upstream" % cve) + bb.debug(1, "Skipping %s since it is already fixed upstream" % cve_id) continue - spdx_cve = build_objset.new_cve_vuln(cve) + spdx_cve = build_objset.new_cve_vuln(cve_id) build_objset.set_element_alias(spdx_cve) - cve_by_status.setdefault(decoded_status["mapping"], {})[cve] = ( + cve_by_status.setdefault(mapping, {})[cve_id] = ( spdx_cve, - decoded_status["detail"], - decoded_status["description"], + detail, + description, ) cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))