
[v2] create-spdx-3.0: rerun do_create_recipe_spdx on patch changes

Message ID 20260417172857.8469-1-peter.marko@siemens.com
State Accepted, archived
Commit 70de7e952ba6cebf7d0b4a36b66978f5a9a99b0b

Commit Message

Peter Marko April 17, 2026, 5:28 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Valkyrie patchmetrics from 2026-04-17 is showing two CVEs where patches
were merged the day before (2026-04-16) - inetutils/CVE-2026-32746 and
re2c/CVE-2026-2903.
Root-cause is that the CVE patches are evaluated in task
do_create_recipe_spdx which does not have any dependency on SRC_URI nor
content of the patches, so it is taken from sstate-cache which contains
old (stale) data.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
v2: reworked from scheduling after do_patch to using file-checksums flag

 meta/classes/create-spdx-3.0.bbclass | 1 +
 1 file changed, 1 insertion(+)

Patch

diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index 432adb14cd..56fd01fd53 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -201,6 +201,7 @@  do_create_recipe_spdx[file-checksums] += "${SPDX3_DEP_FILES}"
 do_create_recipe_spdx[cleandirs] = "${SPDXRECIPEDEPLOY}"
 do_create_recipe_spdx[deptask] += "do_create_recipe_spdx"
 do_create_recipe_spdx[vardeps] += "${SPDX3_VAR_DEPS}"
+do_create_recipe_spdx[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}"
 
 python do_create_recipe_spdx_setscene () {
     sstate_setscene(d)
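
Review bot: the added line sets `do_create_recipe_spdx[file-checksums]` with a plain `=`, while the line shown in the hunk header appends `${SPDX3_DEP_FILES}` to the same flag with `+=`. If that earlier append is parsed first, the plain assignment replaces it and changes to the SPDX3_DEP_FILES files would no longer feed the task signature. Using `+=` here, as the neighbouring `deptask` and `vardeps` lines do, would keep both inputs. The commit message describes the stale sstate root cause but the chosen fix is only mentioned in the v2 note below the `---`, which is dropped when the patch is applied. A sentence in the message body stating that the fetcher's checksum file list is added to file-checksums so that patch content changes rerun the task would make the history self-explanatory.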