
[v7,07/12] spdx30: Remove package VEX

Message ID 20260318134655.953233-8-JPEWhacker@gmail.com
State Under Review

Commit Message

Joshua Watt March 18, 2026, 1:44 p.m. UTC
Removes VEX statements from packages. These are no longer necessary
since the VEX data is now attached to the recipes, which significantly
reduces the duplication of the data, and thus the size of the SPDX
output files.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 meta/lib/oe/spdx30_tasks.py | 72 -------------------------------------
 1 file changed, 72 deletions(-)

Patch

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index aec47d4f81..5b651900c4 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -768,31 +768,6 @@  def create_spdx(d):
     debug_source_ids = set()
     source_hash_cache = {}
 
-    # Collect all VEX statements from the recipe
-    vex_statements = {}
-    vex_patches = {}
-    for rel in recipe_objset.foreach_filter(
-        oe.spdx30.Relationship,
-        relationshipType=oe.spdx30.RelationshipType.hasAssociatedVulnerability,
-    ):
-        for cve in rel.to:
-            vex_statements[cve] = []
-            vex_patches[cve] = []
-
-    for cve in vex_statements.keys():
-        for rel in recipe_objset.foreach_filter(
-            oe.spdx30.security_VexVulnAssessmentRelationship,
-            from_=cve,
-        ):
-            vex_statements[cve].append(rel)
-            if rel.relationshipType == oe.spdx30.RelationshipType.fixedIn:
-                for patch_rel in recipe_objset.foreach_filter(
-                    oe.spdx30.Relationship,
-                    relationshipType=oe.spdx30.RelationshipType.patchedBy,
-                    from_=rel,
-                ):
-                    vex_patches[cve].extend(patch_rel.to)
-
     # Write out the package SPDX data now. It is not complete as we cannot
     # write the runtime data, so write it to a staging area and a later task
     # will write out the final collection
@@ -931,53 +906,6 @@  def create_spdx(d):
                     [oe.sbom30.get_element_link_id(concluded_spdx_license)],
                 )
 
-            # Copy CVEs from recipe
-            if vex_statements:
-                pkg_objset.new_relationship(
-                    [spdx_package],
-                    oe.spdx30.RelationshipType.hasAssociatedVulnerability,
-                    sorted(
-                        oe.sbom30.get_element_link_id(cve)
-                        for cve in vex_statements.keys()
-                    ),
-                )
-
-            for cve, vexes in vex_statements.items():
-                for vex in vexes:
-                    if vex.relationshipType == oe.spdx30.RelationshipType.fixedIn:
-                        spdx_vex = pkg_objset.new_vex_patched_relationship(
-                            [oe.sbom30.get_element_link_id(cve)], [spdx_package]
-                        )
-                        if vex_patches[cve]:
-                            pkg_objset.new_scoped_relationship(
-                                spdx_vex,
-                                oe.spdx30.RelationshipType.patchedBy,
-                                oe.spdx30.LifecycleScopeType.build,
-                                [
-                                    oe.sbom30.get_element_link_id(p)
-                                    for p in vex_patches[cve]
-                                ],
-                            )
-
-                    elif vex.relationshipType == oe.spdx30.RelationshipType.affects:
-                        pkg_objset.new_vex_unpatched_relationship(
-                            [oe.sbom30.get_element_link_id(cve)], [spdx_package]
-                        )
-                    elif (
-                        vex.relationshipType == oe.spdx30.RelationshipType.doesNotAffect
-                    ):
-                        spdx_vex = pkg_objset.new_vex_ignored_relationship(
-                            [oe.sbom30.get_element_link_id(cve)],
-                            [spdx_package],
-                            impact_statement=vex.security_impactStatement,
-                        )
-
-                        if vex.security_justificationType:
-                            for v in spdx_vex:
-                                v.security_justificationType = (
-                                    vex.security_justificationType
-                                )
-
             bb.debug(1, "Adding package files to SPDX for package %s" % pkg_name)
             package_files = add_package_files(
                 d,