In scarthgap, the `oe.cve_check.get_patched_cves()` method only returns CVEs with a "Patched" status. We want to retrieve all annotations, including those with an "Ignored" status. Therefore, to avoid modifying the current API, we integrate the logic for retrieving all CVE_STATUS values directly into `spdx30_task`.
Signed-off-by: Benjamin Robin (Schneider Electric) <[email protected]> --- meta/lib/oe/spdx30_tasks.py | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 8115088ab8ef..e6f2beb06f4e 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -452,6 +452,22 @@ def set_purposes(d, element, *var_names, force_purposes=[]): ] +def _get_cves_info(d): + patched_cves = oe.cve_check.get_patched_cves(d) + for cve_id in (d.getVarFlags("CVE_STATUS") or {}): + mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id) + if not mapping or not detail: + bb.warn(f"Skipping {cve_id} — missing or unknown CVE status") + continue + yield cve_id, mapping, detail, description + patched_cves.discard(cve_id) + + # decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded + for cve_id in patched_cves: + # fix-file-included is not available in scarthgap + yield cve_id, "Patched", "backported-patch", None + + def create_spdx(d): def set_var_field(var, obj, name, package=None): val = None @@ -501,20 +517,7 @@ def create_spdx(d): # Add CVEs cve_by_status = {} if include_vex != "none": - patched_cves = oe.cve_check.get_patched_cves(d) - for cve_id in patched_cves: - # decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded - if cve_id in (d.getVarFlags("CVE_STATUS") or {}): - mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id) - else: - mapping = "Patched" - detail = "backported-patch" # fix-file-included is not available in scarthgap - description = None - - if not mapping or not detail: - bb.warn(f"Skipping {cve_id} — missing or unknown CVE status") - continue - + for cve_id, mapping, detail, description in _get_cves_info(d): # If this CVE is fixed upstream, skip it unless all CVEs are # specified. if ( -- 2.51.2
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#226658): https://lists.openembedded.org/g/openembedded-core/message/226658 Mute This Topic: https://lists.openembedded.org/mt/116405459/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
