spdx30: provide all CVE_STATUS, not only Patched status

In scarthgap, the `oe.cve_check.get_patched_cves()` method only returns CVEs with a "Patched" status. We want to retrieve all annotations, including those with an "Ignored" status. Therefore, to avoid modifying the current API, we integrate the logic for retrieving all CVE_STATUS values directly into `spdx30_task`. (From OE-Core rev: 9a204670b1c0daedf1ed8ff944f8e5443b39c8f7) Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-01 13:58:04 +00:00 · 2025-11-21 10:54:09 +01:00 · 2025-11-21 10:54:09 +01:00 · 976648aa60
commit 976648aa60
parent 91ba7b5d66
1 changed files with 17 additions and 14 deletions
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@ -453,6 +453,22 @@ def set_purposes(d, element, *var_names, force_purposes=[]):
    ]


+def _get_cves_info(d):
+    patched_cves = oe.cve_check.get_patched_cves(d)
+    for cve_id in (d.getVarFlags("CVE_STATUS") or {}):
+        mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id)
+        if not mapping or not detail:
+            bb.warn(f"Skipping {cve_id} — missing or unknown CVE status")
+            continue
+        yield cve_id, mapping, detail, description
+        patched_cves.discard(cve_id)
+
+    # decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded
+    for cve_id in patched_cves:
+        # fix-file-included is not available in scarthgap
+        yield cve_id, "Patched", "backported-patch", None
+
+
 def create_spdx(d):
    def set_var_field(var, obj, name, package=None):
        val = None
@ -502,20 +518,7 @@ def create_spdx(d):
    # Add CVEs
    cve_by_status = {}
    if include_vex != "none":
-        patched_cves = oe.cve_check.get_patched_cves(d)
-        for cve_id in patched_cves:
-            # decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded
-            if cve_id in (d.getVarFlags("CVE_STATUS") or {}):
-                mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id)
-            else:
-                mapping = "Patched"
-                detail = "backported-patch"  # fix-file-included is not available in scarthgap
-                description = None
-
-            if not mapping or not detail:
-                bb.warn(f"Skipping {cve_id} — missing or unknown CVE status")
-                continue
-
+        for cve_id, mapping, detail, description in _get_cves_info(d):
            # If this CVE is fixed upstream, skip it unless all CVEs are
            # specified.
            if (