| Message ID | 20251118120839.603554-1-peter.marko@siemens.com |
|---|---|
| State | Accepted |
| Delegated to: | Steve Sakoman |
| Series | [scarthgap] spdx30: fix cve status for patch files in VEX |
On Tue, Nov 18, 2025 at 01:08:39PM +0100, Peter Marko wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> This commit fixes commit 08595b39b46ef2bf3a928d4528292ee31a990c98
> which adapts vex creation between function create_spdx where all changes
> were backported and function get_patched_cves where changes were not
> backported.
>
> CVE patches were previously ignored as they cannot be decoded from
> CVE_STATUS variables and each caused a warning like:
> WARNING: ncurses-native-6.4-r0 do_create_spdx: Skipping CVE-2023-50495 — missing or unknown CVE status
>
> Master branch uses fix-file-included for CVE patches however since
> cve-check-map.conf was not part of spdx-3.0 backport, closest one
> available (backported-patch) was implemented.
>

Hi Peter,

I tested it and this looks good to me, it fixes the missing/unknown CVE status warnings.

Thanks for preparing the patch.

Greetings,
Kamel

> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> meta/lib/oe/spdx30_tasks.py | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
> index 6b0aa137c4..8115088ab8 100644
> --- a/meta/lib/oe/spdx30_tasks.py
> +++ b/meta/lib/oe/spdx30_tasks.py
> @@ -503,7 +503,13 @@ def create_spdx(d): > if include_vex != "none": > patched_cves = oe.cve_check.get_patched_cves(d) > for cve_id in patched_cves: > - mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id) > + # decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded > + if cve_id in (d.getVarFlags("CVE_STATUS") or {}): > + mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id) > + else: > + mapping = "Patched" > + detail = "backported-patch" # fix-file-included is not available in scarthgap > + description = None > > if not mapping or not detail: > bb.warn(f"Skipping {cve_id} — missing or unknown CVE status") -- Kamel Bouhara, Bootlin Embedded Linux and kernel engineering https://bootlin.com
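Review bot: the `else:` branch in this hunk labels every cve_id that get_patched_cves returned but that has no CVE_STATUS flag as "Patched" / "backported-patch", so it relies on get_patched_cves in scarthgap adding entries only from patch files and from CVE_STATUS; that invariant lives in the other function, not here, and the added comment ("patch files need to be hardcoded") does not name it. Suggest stating the assumption where the fallback is taken, e.g. `# Any patched CVE without a CVE_STATUS flag came from a patch file (see get_patched_cves)`, and keeping the existing "fix-file-included is not available in scarthgap" remark, so a later change that makes get_patched_cves return CVEs from another source does not silently emit a backported-patch VEX justification for them. The `if not mapping or not detail:` warning that follows now only covers CVE_STATUS entries with an unknown detail, which matches the commit message.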
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 6b0aa137c4..8115088ab8 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -503,7 +503,13 @@ def create_spdx(d): if include_vex != "none": patched_cves = oe.cve_check.get_patched_cves(d) for cve_id in patched_cves: - mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id) + # decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded + if cve_id in (d.getVarFlags("CVE_STATUS") or {}): + mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id) + else: + mapping = "Patched" + detail = "backported-patch" # fix-file-included is not available in scarthgap + description = None if not mapping or not detail: bb.warn(f"Skipping {cve_id} — missing or unknown CVE status")