From: "Kamel Bouhara (Schneider Electric)" <[email protected]>
Changes to cve-check (see poky commit fb3f440b7d8,
"cve-check: annotate CVEs during analysis") modified the
get_patched_cves() API to return a set of CVE IDs instead of a
dictionary of CVE metadata.
The SPDX 3 backport still expected a dictionary and attempted to call
.items(), leading to:
AttributeError: 'set' object has no attribute 'items'
This patch updates the SPDX3 code to iterate directly over the CVE IDs
and use `oe.cve_check.decode_cve_status()` to retrieve the mapping,
detail, and description for each CVE. This restores compatibility with
the updated CVE API and matches the behavior of SPDX3 handling on
Walnascar.
A warning is logged if a CVE has missing or unknown status.
Signed-off-by: Kamel Bouhara (Schneider Electric) <[email protected]>
---
meta/lib/oe/spdx30_tasks.py | 29 ++++++++++++-----------------
1 file changed, 12 insertions(+), 17 deletions(-)
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index f6e6e545dc..6b0aa137c4 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -502,34 +502,29 @@ def create_spdx(d):
cve_by_status = {}
if include_vex != "none":
patched_cves = oe.cve_check.get_patched_cves(d)
- for cve, patched_cve in patched_cves.items():
- decoded_status = {
- "mapping": patched_cve["abbrev-status"],
- "detail": patched_cve["status"],
- "description": patched_cve.get("justification", None)
- }
+ for cve_id in patched_cves:
+ mapping, detail, description = oe.cve_check.decode_cve_status(d,
cve_id)
+
+ if not mapping or not detail:
+ bb.warn(f"Skipping {cve_id} — missing or unknown CVE status")
+ continue
# If this CVE is fixed upstream, skip it unless all CVEs are
# specified.
if (
include_vex != "all"
- and "detail" in decoded_status
- and decoded_status["detail"]
- in (
- "fixed-version",
- "cpe-stable-backport",
- )
+ and "detail" in ("fixed-version", "cpe-stable-backport")
):
- bb.debug(1, "Skipping %s since it is already fixed upstream" %
cve)
+ bb.debug(1, "Skipping %s since it is already fixed upstream" %
cve_id)
continue
- spdx_cve = build_objset.new_cve_vuln(cve)
+ spdx_cve = build_objset.new_cve_vuln(cve_id)
build_objset.set_element_alias(spdx_cve)
- cve_by_status.setdefault(decoded_status["mapping"], {})[cve] = (
+ cve_by_status.setdefault(mapping, {})[cve_id] = (
spdx_cve,
- decoded_status["detail"],
- decoded_status["description"],
+ detail,
+ description,
)
cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"),
d.getVar("CVE_VERSION"))
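Review bot: The rewritten skip condition tests the string literal `"detail"` against the tuple, so it is always false and CVEs whose status is `fixed-version` or `cpe-stable-backport` are no longer skipped when `include_vex != "all"`; they fall through into `cve_by_status` and the emitted VEX. The removed code compared the decoded value (`decoded_status["detail"] in (...)`), so the new line should read `and detail in ("fixed-version", "cpe-stable-backport")`. The three-name unpacking of `decode_cve_status(d, cve_id)` also assumes the helper returns a tuple on this branch; if it returns a dict here as in newer releases, the unpacking would bind the key names rather than the values without raising, so that is worth confirming. Separately, the new guard warns and drops every ID for which no mapping or detail is decoded; if `get_patched_cves()` also yields IDs found only through `CVE:` patch tags with no `CVE_STATUS` flag, those would now be excluded from the VEX with a warning on every build instead of being recorded as patched. The enclosing `create_spdx` body starts and ends outside this hunk.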
--
2.43.0