> -----Original Message-----
> From: Kamel Bouhara <[email protected]>
> Sent: Thursday, October 23, 2025 13:06
> To: Marko, Peter (FT D EU SK BFS1) <[email protected]>
> Cc: [email protected]; [email protected]
> Subject: Re: [OE-core] [scarthgap v2 00/11] backport: SPDX 3.0 support to Scarthgap
> 
> On Thu, Oct 23, 2025 at 11:00:37AM +0200, Kamel Bouhara wrote:
> > On Wed, Oct 22, 2025 at 12:43:22PM +0000, Peter Marko via lists.openembedded.org wrote:
> > > Hello,
> > >
> >
> > Hello Peter,
> >
> > > I have tried this patch series and I see a ton of "missing or unknown CVE status" warnings.
> > > Example for curl recipe:
> > > WARNING: curl-8.7.1-r0 do_create_spdx: Skipping CVE-2024-11053 - missing or unknown CVE status
> > > WARNING: curl-8.7.1-r0 do_create_spdx: Skipping CVE-2024-7264 - missing or unknown CVE status
> > > WARNING: curl-8.7.1-r0 do_create_spdx: Skipping CVE-2024-8096 - missing or unknown CVE status
> > > WARNING: curl-8.7.1-r0 do_create_spdx: Skipping CVE-2025-0167 - missing or unknown CVE status
> > > WARNING: curl-8.7.1-r0 do_create_spdx: Skipping CVE-2024-6197 - missing or unknown CVE status
> > > WARNING: curl-8.7.1-r0 do_create_spdx: Skipping CVE-2024-9681 - missing or unknown CVE status
> > > Looks like it is generated for every CVE patch in every recipe built.
> > >
> > > What I did is cherry-picking this series and adding the following to my distro config and building my image:
> > > INHERIT_DISTRO:remove = "create-spdx"
> > > INHERIT_DISTRO:append = " create-spdx-3.0"
> > > When trying with pure poky, I added following to local.conf:
> > > INHERIT:remove = "create-spdx"
> > > INHERIT:append = " create-spdx-3.0"
> > >
> >
> > Thanks for testing and for the detailed feedback.
> >
> > I haven’t yet tested this backport series with a pure Poky setup, so
> > I’ll start there to reproduce the warnings you’re seeing.
> > Once I confirm how the CVE decoding behaves in that environment,
> > I’ll follow up with a fix or updated guidance.
> >
> > Thanks again for pointing this out.
> 
> Actually, I didn’t notice these warnings in my own tests on OE-Core
> Scarthgap, but they are there too.
> 
> They’re related to Marta’s cve-check changes (fb3f440b7d8), which added
> richer CVE metadata and product/vendor matching through
> decode_cve_status() and has_cve_product_match().
> 
> Since those updates aren’t fully backported in Scarthgap, some CVEs show
> as unknown during SPDX generation.

I think the problem is elsewhere - in commit "spdx30_tasks: adapt CVE handling 
to new cve-check API".
It does not handle patches in SRC_URI properly as they are not known to 
function decode_cve_status.

Also, it's not "some CVEs", but "all patched CVEs", which makes the VEX 
information in my opinion unusable.

I'll try to send a patch this week.

Peter

> 
> @Joshua: would you suggest we suppress these warnings in Scarthgap, or
> should we handle this case differently to better align with the upstream
> behavior?
> 
> >
> > Kamel
> >
> > > Inheriting cve-check did not help.
> > > When building oe-core master, I don't experience such warnings.
> > > So it looks like something is missing in this backport series.
> > >
> > > Peter
> > >
> > > > -----Original Message-----
> > > > From: [email protected] <openembedded-
> > > > [email protected]> On Behalf Of Kamel Bouhara via
> > > > lists.openembedded.org
> > > > Sent: Monday, October 20, 2025 9:10
> > > > To: [email protected]
> > > > Cc: [email protected]; [email protected]; Miquel Raynal
> > > > <[email protected]>; [email protected];
> > > > [email protected]; Pascal Eberhard <[email protected]>;
> > > > Kamel Bouhara <[email protected]>
> > > > Subject: [OE-core] [scarthgap v2 00/11] backport: SPDX 3.0 support to Scarthgap
> > > >
> > > > Hello,
> > > >
> > > > This v2 series backports SPDX 3.0 support from the upstream Walnascar
> > > > branch to Scarthgap (Yocto Project 5.0 LTS), including the corresponding
> > > > test suite and fixes for integration issues found during testing.
> > > >
> > > > The motivation remains the same as in v1, to bring complete SPDX 3.0
> > > > support to the latest LTS release, ensuring that long-term supported
> > > > builds benefit SBOM generation capabilities. Scarthgap is under
> > > > maintenance until 2028, and SPDX 3.0 is now an essential part of
> > > > compliance workflows.
> > > >
> > > > Kamel
> > > >
> > > > Hongxu Jia (1):
> > > >   oeqa/selftest: Add SPDX 3.0 include source case for work-share
> > > >
> > > > Joshua Watt (7):
> > > >   classes-global/license: Move functions to library code
> > > >   lib/license: Move package license skip to library
> > > >   lib: oe: license: Add missing import
> > > >   classes-recipe/image: Add image file manifest
> > > >   selftest: spdx: Add SPDX 3.0 test cases
> > > >   lib: oeqa: spdx: Add tests for extra options
> > > >   spdx 3.0: Rework how SPDX aliases are linked
> > > >
> > > > Kamel Bouhara (Schneider Electric) (3):
> > > >   backport: SPDX 3.0 fixes and tasks from upstream version Walnascar
> > > >   spdx30_tasks: fix FetchData attribute in add_download_files
> > > >   spdx30_tasks: adapt CVE handling to new cve-check API
> > > >
> > > >  meta/classes-global/base.bbclass              |   41 +-
> > > >  meta/classes-global/license.bbclass           |  165 -
> > > >  .../create-spdx-image-3.0.bbclass             |   85 +
> > > >  .../create-spdx-sdk-3.0.bbclass               |   74 +
> > > >  meta/classes-recipe/image.bbclass             |   58 +
> > > >  meta/classes-recipe/license_image.bbclass     |   14 +-
> > > >  meta/classes-recipe/nospdx.bbclass            |   13 +
> > > >  meta/classes/create-spdx-3.0.bbclass          |  200 +
> > > >  meta/classes/spdx-common.bbclass              |   99 +
> > > >  meta/lib/oe/__init__.py                       |    2 +-
> > > >  meta/lib/oe/license.py                        |  203 +
> > > >  meta/lib/oe/sbom30.py                         | 1096 ++++
> > > >  meta/lib/oe/spdx30.py                         | 5593 +++++++++++++++++
> > > >  meta/lib/oe/spdx30_tasks.py                   | 1343 ++++
> > > >  meta/lib/oe/spdx_common.py                    |  244 +
> > > >  meta/lib/oeqa/selftest/cases/spdx.py          |  248 +-
> > > >  16 files changed, 9262 insertions(+), 216 deletions(-)
> > > >  create mode 100644 meta/classes-recipe/create-spdx-image-3.0.bbclass
> > > >  create mode 100644 meta/classes-recipe/create-spdx-sdk-3.0.bbclass
> > > >  create mode 100644 meta/classes-recipe/nospdx.bbclass
> > > >  create mode 100644 meta/classes/create-spdx-3.0.bbclass
> > > >  create mode 100644 meta/classes/spdx-common.bbclass
> > > >  create mode 100644 meta/lib/oe/sbom30.py
> > > >  create mode 100644 meta/lib/oe/spdx30.py
> > > >  create mode 100644 meta/lib/oe/spdx30_tasks.py
> > > >  create mode 100644 meta/lib/oe/spdx_common.py
> > > >
> > > > --
> > > > 2.43.0
> > >
> >
> > --
> > Kamel Bouhara, Bootlin
> > Embedded Linux and kernel engineering
> > https://bootlin.com
> 
> --
> Kamel Bouhara, Bootlin
> Embedded Linux and kernel engineering
> https://bootlin.com
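An added illustration of the gap Peter describes (this is not OE-Core code): a minimal model of decode_cve_status(), which only knows CVE_STATUS entries, beside a scanner that also recognises CVEs fixed by SRC_URI patches, so that VEX generation skips only CVEs that nothing in the recipe knows about. The sample recipe data, the STATUSMAP table and every function body are constructed assumptions; only the function names decode_cve_status and get_patched_cves are taken from the thread.

```python
import re
# Constructed sample data, laid out like an OE recipe: CVE_STATUS flags
# ("detail: description") plus the patch files listed in SRC_URI.
CVE_STATUS = {
    "CVE-2023-9999": "not-applicable-platform: only affects Windows",
    "CVE-2024-7264": "fixed-version: fixed in this release",
}
SRC_URI_PATCHES = {
    "CVE-2024-11053.patch": "Subject: fix\nCVE: CVE-2024-11053\n---\n",
    "fix-tls-resumption.patch": "Subject: tls\nCVE: CVE-2024-8096 CVE-2025-0167\n",
    "0001-build-fix.patch": "Subject: unrelated build fix\n",
}
REPORTED_CVES = ["CVE-2024-11053", "CVE-2024-7264", "CVE-2024-8096",
                 "CVE-2025-0167", "CVE-2024-6197", "CVE-2023-9999"]
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Hypothetical stand-in for CVE_CHECK_STATUSMAP: detail keyword -> abbreviated status
STATUSMAP = {"fixed-version": "Patched", "fix-file-included": "Patched",
             "not-applicable-platform": "Ignored"}

def decode_cve_status(cve):
    """Model of decode_cve_status(): it only knows CVE_STATUS, so {} for anything else."""
    raw = CVE_STATUS.get(cve)
    if not raw:
        return {}
    detail = raw.partition(":")[0].strip()
    return {"mapping": STATUSMAP.get(detail, "Unknown"), "detail": detail}

def get_patched_cves(patches):
    """Collect CVEs fixed by SRC_URI patches: 'CVE:' header tags and CVE-named files."""
    patched = {}
    for name, body in patches.items():
        found = set(CVE_RE.findall(name))
        for line in body.splitlines():
            if line.startswith("CVE:"):
                found.update(CVE_RE.findall(line))
        for cve in found:
            patched[cve] = {"mapping": "Patched", "detail": "fix-file-included"}
    return patched

def classify_for_vex(cves, patches):
    """Return ({cve: status}, [skipped]); a CVE is skipped only if nothing knows it."""
    patched = get_patched_cves(patches)
    known, skipped = {}, []
    for cve in cves:
        # CVE_STATUS first, then patch-derived status; passing {} as patches
        # reproduces the warning for every patched CVE seen in the thread above.
        status = decode_cve_status(cve) or patched.get(cve, {})
        if "mapping" not in status:
            skipped.append(cve)  # "missing or unknown CVE status"
            continue
        known[cve] = status
    return known, skipped
```

Calling classify_for_vex(REPORTED_CVES, {}) skips every patch-fixed CVE, which is the behaviour the warnings show; with the patches supplied, only CVE-2024-6197 is left without a status.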
View/Reply Online (#226512): 
https://lists.openembedded.org/g/openembedded-core/message/226512