
[openembedded-core,scarthgap,v1,22/34] spdx30: Allow VEX Justification to be configurable

Message ID 20260220053443.3006180-22-hetpat@cisco.com

Commit Message

From: Joshua Watt <JPEWhacker@gmail.com>

Instead of hard coding the VEX justifications for "Ignored" CVE status,
add a map that configures what justification should be used for each
status.

This allows other justifications to be easily added, and also ensures
that status fields added externally (by downstream) can set an
appropriate justification if necessary.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c0fa3d92cefa74fa57c6c48c94acc64aa454e781)
Signed-off-by: Het Patel <hetpat@cisco.com>
---
 meta/conf/cve-check-map.conf |  4 ++++
 meta/lib/oe/spdx30_tasks.py  | 33 ++++++++++++++++-----------------
 2 files changed, 20 insertions(+), 17 deletions(-)

Patch

diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
index ac956379d1..fc49fe0a50 100644
--- a/meta/conf/cve-check-map.conf
+++ b/meta/conf/cve-check-map.conf
@@ -28,8 +28,12 @@  CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
 CVE_CHECK_STATUSMAP[disputed] = "Ignored"
 # use when vulnerability depends on build or runtime configuration which is not used
 CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent"
+
 # use when vulnerability affects other platform (e.g. Windows or Debian)
 CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+CVE_CHECK_VEX_JUSTIFICATION[not-applicable-platform] = "vulnerableCodeNotPresent"
+
 # use when upstream acknowledged the vulnerability but does not plan to fix it
 CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
 
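Review bot: The new `CVE_CHECK_VEX_JUSTIFICATION` flags carry no comment saying what a valid value is, although every `CVE_CHECK_STATUSMAP` entry in this file is explained; the companion change in spdx30_tasks.py aborts with `bb.fatal` when the value is not a name in `oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS`, so downstream layers adding their own statuses need that constraint spelled out here. A line above the first new flag such as `# CVE_CHECK_VEX_JUSTIFICATION[<status>] selects the SPDX 3.0 VexJustificationType recorded for an Ignored status; the value must be a named individual of that type (e.g. vulnerableCodeNotPresent); statuses without a flag get no justification.` would cover it. The Ignored statuses that deliberately get no flag (`ignored`, `cpe-incorrect`, `disputed`, `upstream-wontfix`) could reference the same comment so the omission reads as intentional rather than as a gap.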
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index a3d848ceb1..c6bb3bd964 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -719,24 +719,23 @@  def create_spdx(d):
                             impact_statement=description,
                         )
 
-                        if detail in (
-                            "ignored",
-                            "cpe-incorrect",
-                            "disputed",
-                            "upstream-wontfix",
-                        ):
-                            # VEX doesn't have justifications for this
-                            pass
-                        elif detail in (
-                            "not-applicable-config",
-                            "not-applicable-platform",
-                        ):
-                            for v in spdx_vex:
-                                v.security_justificationType = (
-                                    oe.spdx30.security_VexJustificationType.vulnerableCodeNotPresent
+                        vex_just_type = d.getVarFlag(
+                            "CVE_CHECK_VEX_JUSTIFICATION", detail
+                        )
+                        if vex_just_type:
+                            if (
+                                vex_just_type
+                                not in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS
+                            ):
+                                bb.fatal(
+                                    f"Unknown vex justification '{vex_just_type}', detail '{detail}', for ignored {cve}"
                                 )
-                        else:
-                            bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")
+
+                            for v in spdx_vex:
+                                v.security_justificationType = oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS[
+                                    vex_just_type
+                                ]
+
                     else:
                         bb.fatal(f"Unknown {cve} status '{status}'")
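Review bot: The catch-all `bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")` from the removed lines is gone, so an Ignored status whose `CVE_CHECK_VEX_JUSTIFICATION` flag is unset, or set under a misspelled status name, now silently emits a VEX statement without a justification instead of failing. Since an absent justification is meant to be legal for downstream statuses the build should not abort, but an `else` branch on `if vex_just_type:` with `bb.debug(1, f"No VEX justification configured for detail '{detail}' of ignored {cve}")` would make a typo in the flag name diagnosable from the log. The membership test followed by the subscript on `NAMED_INDIVIDUALS` could also collapse to one `just = oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS.get(vex_just_type)` with the existing `bb.fatal` on `just is None`, avoiding the doubled lookup and the long line. `create_spdx` starts and ends outside the hunk, so whether `detail` was already validated against `CVE_CHECK_STATUSMAP` earlier in the function cannot be confirmed here.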