CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

spdx30: provide all CVE_STATUS, not only Patched status

Browse Source 
In scarthgap, the `oe.cve_check.get_patched_cves()` method only returns
CVEs with a "Patched" status. We want to retrieve all annotations,
including those with an "Ignored" status. Therefore, to avoid modifying
the current API, we integrate the logic for retrieving all CVE_STATUS
values ​​directly into `spdx30_task`.

(From OE-Core rev: 9a204670b1c0daedf1ed8ff944f8e5443b39c8f7)

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Benjamin Robin (Schneider Electric) 2025-11-21 10:54:09 +01:00 committed by Steve Sakoman
parent 91ba7b5d66
commit 976648aa60
1 changed files with 17 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
meta/lib/oe/spdx30_tasks.py
View File

@ -453,6 +453,22 @@ def set_purposes(d, element, *var_names, force_purposes=[]):
] ]
def _get_cves_info(d):
patched_cves = oe.cve_check.get_patched_cves(d)
for cve_id in (d.getVarFlags("CVE_STATUS") or {}):
mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id)
if not mapping or not detail:
bb.warn(f"Skipping {cve_id} — missing or unknown CVE status")
continue
yield cve_id, mapping, detail, description
patched_cves.discard(cve_id)
# decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded
for cve_id in patched_cves:
# fix-file-included is not available in scarthgap
yield cve_id, "Patched", "backported-patch", None
def create_spdx(d): def create_spdx(d):
def set_var_field(var, obj, name, package=None): def set_var_field(var, obj, name, package=None):
val = None val = None
@ -502,20 +518,7 @@ def create_spdx(d):
# Add CVEs # Add CVEs
cve_by_status = {} cve_by_status = {}
if include_vex != "none": if include_vex != "none":
patched_cves = oe.cve_check.get_patched_cves(d) for cve_id, mapping, detail, description in _get_cves_info(d):
for cve_id in patched_cves:
# decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded
if cve_id in (d.getVarFlags("CVE_STATUS") or {}):
mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id)
else:
mapping = "Patched"
detail = "backported-patch" # fix-file-included is not available in scarthgap
description = None
if not mapping or not detail:
bb.warn(f"Skipping {cve_id} — missing or unknown CVE status")
continue
# If this CVE is fixed upstream, skip it unless all CVEs are # If this CVE is fixed upstream, skip it unless all CVEs are
# specified. # specified.
if ( if (