On Tue, Nov 18, 2025 at 09:06:23AM +0000, Marko, Peter wrote:
>
>
> > -----Original Message-----
> > From: Kamel Bouhara <[email protected]>
> > Sent: Thursday, October 23, 2025 13:06
> > To: Marko, Peter (FT D EU SK BFS1) <[email protected]>
> > Cc: [email protected]; [email protected]
> > Subject: Re: [OE-core] [scarthgap v2 00/11] backport: SPDX 3.0 support to Scarthgap
> >
> > On Thu, Oct 23, 2025 at 11:00:37AM +0200, Kamel Bouhara wrote:
> > > On Wed, Oct 22, 2025 at 12:43:22PM +0000, Peter Marko via lists.openembedded.org wrote:
> > > > Hello,
> > > >
> > >
> > > Hello Peter,
> > >
> > > > I have tried this patch series and I see a ton of "missing or unknown CVE status" warnings.
> > > > Example for curl recipe:
> > > > WARNING: curl-8.7.1-r0 do_create_spdx: Skipping CVE-2024-11053 - missing or unknown CVE status
> > > > WARNING: curl-8.7.1-r0 do_create_spdx: Skipping CVE-2024-7264 - missing or unknown CVE status
> > > > WARNING: curl-8.7.1-r0 do_create_spdx: Skipping CVE-2024-8096 - missing or unknown CVE status
> > > > WARNING: curl-8.7.1-r0 do_create_spdx: Skipping CVE-2025-0167 - missing or unknown CVE status
> > > > WARNING: curl-8.7.1-r0 do_create_spdx: Skipping CVE-2024-6197 - missing or unknown CVE status
> > > > WARNING: curl-8.7.1-r0 do_create_spdx: Skipping CVE-2024-9681 - missing or unknown CVE status
> > > > Looks like it is generated for every CVE patch in every recipe built.
> > > >
> > > > What I did is cherry-picking this series and adding the following to my distro config and building my image:
> > > > INHERIT_DISTRO:remove = "create-spdx"
> > > > INHERIT_DISTRO:append = " create-spdx-3.0"
> > > > When trying with pure poky, I added the following to local.conf:
> > > > INHERIT:remove = "create-spdx"
> > > > INHERIT:append = " create-spdx-3.0"
> > > >
> > >
> > > Thanks for testing and for the detailed feedback.
> > >
> > > I haven’t yet tested this backport series with a pure Poky setup, so
> > > I’ll start there to reproduce the warnings you’re seeing.
> > > Once I confirm how the CVE decoding behaves in that environment,
> > > I’ll follow up with a fix or updated guidance.
> > >
> > > Thanks again for pointing this out.
> >
> > Actually, I didn’t notice these warnings in my own tests on OE-Core
> > Scarthgap, but they are there too.
> >
> > They’re related to Marta’s cve-check changes (fb3f440b7d8), which added
> > richer CVE metadata and product/vendor matching through
> > decode_cve_status() and has_cve_product_match().
> >
> > Since those updates aren’t fully backported in Scarthgap, some CVEs show
> > as unknown during SPDX generation.
>
> I think the problem is elsewhere - in commit "spdx30_tasks: adapt CVE handling to new cve-check API".
> It does not handle patches in SRC_URI properly as they are not known to function decode_cve_status.
>
> Also, it's not "some CVEs", but "all patched CVEs", which makes the VEX information in my opinion unusable.

I see your point. My current SPDX3 patch treats all CVEs from get_patched_cves() the same,
which includes those from SRC_URI and leads to losing VEX information.

>
> I'll try to send a patch this week.

Ok thanks.

>
> Peter
>
> >
> > @Joshua: would you suggest we suppress these warnings in Scarthgap, or
> > should we handle this case differently to better align with the upstream
> > behavior?
> >
> > >
> > > Kamel
> > >
> > > > Inheriting cve-check did not help.
> > > > When building oe-core master, I don't experience such warnings.
> > > > So it looks like something is missing in this backport series.
> > > >
> > > > Peter
> > > >
> > > > > -----Original Message-----
> > > > > From: [email protected] <openembedded-
> > > > > [email protected]> On Behalf Of Kamel Bouhara via
> > > > > lists.openembedded.org
> > > > > Sent: Monday, October 20, 2025 9:10
> > > > > To: [email protected]
> > > > > Cc: [email protected]; [email protected]; Miquel Raynal
> > > > > <[email protected]>; [email protected];
> > > > > [email protected]; Pascal Eberhard <[email protected]>;
> > > > > Kamel Bouhara <[email protected]>
> > > > > Subject: [OE-core] [scarthgap v2 00/11] backport: SPDX 3.0 support to Scarthgap
> > > > >
> > > > > Hello,
> > > > >
> > > > > This v2 series backports SPDX 3.0 support from the upstream Walnascar
> > > > > branch to Scarthgap (Yocto Project 5.0 LTS), including the corresponding
> > > > > test suite and fixes for integration issues found during testing.
> > > > >
> > > > > The motivation remains the same as in v1, to bring complete SPDX 3.0
> > > > > support to the latest LTS release, ensuring that long-term supported
> > > > > builds benefit SBOM generation capabilities. Scarthgap is under
> > > > > maintenance until 2028, and SPDX 3.0 is now an essential part of
> > > > > compliance workflows.
> > > > >
> > > > > Kamel
> > > > >
> > > > > Hongxu Jia (1):
> > > > >   oeqa/selftest: Add SPDX 3.0 include source case for work-share
> > > > >
> > > > > Joshua Watt (7):
> > > > >   classes-global/license: Move functions to library code
> > > > >   lib/license: Move package license skip to library
> > > > >   lib: oe: license: Add missing import
> > > > >   classes-recipe/image: Add image file manifest
> > > > >   selftest: spdx: Add SPDX 3.0 test cases
> > > > >   lib: oeqa: spdx: Add tests for extra options
> > > > >   spdx 3.0: Rework how SPDX aliases are linked
> > > > >
> > > > > Kamel Bouhara (Schneider Electric) (3):
> > > > >   backport: SPDX 3.0 fixes and tasks from upstream version Walnascar
> > > > >   spdx30_tasks: fix FetchData attribute in add_download_files
> > > > >   spdx30_tasks: adapt CVE handling to new cve-check API
> > > > >
> > > > >  meta/classes-global/base.bbclass              |   41 +-
> > > > >  meta/classes-global/license.bbclass           |  165 -
> > > > >  .../create-spdx-image-3.0.bbclass             |   85 +
> > > > >  .../create-spdx-sdk-3.0.bbclass               |   74 +
> > > > >  meta/classes-recipe/image.bbclass             |   58 +
> > > > >  meta/classes-recipe/license_image.bbclass     |   14 +-
> > > > >  meta/classes-recipe/nospdx.bbclass            |   13 +
> > > > >  meta/classes/create-spdx-3.0.bbclass          |  200 +
> > > > >  meta/classes/spdx-common.bbclass              |   99 +
> > > > >  meta/lib/oe/__init__.py                       |    2 +-
> > > > >  meta/lib/oe/license.py                        |  203 +
> > > > >  meta/lib/oe/sbom30.py                         | 1096 ++++
> > > > >  meta/lib/oe/spdx30.py                         | 5593 +++++++++++++++++
> > > > >  meta/lib/oe/spdx30_tasks.py                   | 1343 ++++
> > > > >  meta/lib/oe/spdx_common.py                    |  244 +
> > > > >  meta/lib/oeqa/selftest/cases/spdx.py          |  248 +-
> > > > >  16 files changed, 9262 insertions(+), 216 deletions(-)
> > > > >  create mode 100644 meta/classes-recipe/create-spdx-image-3.0.bbclass
> > > > >  create mode 100644 meta/classes-recipe/create-spdx-sdk-3.0.bbclass
> > > > >  create mode 100644 meta/classes-recipe/nospdx.bbclass
> > > > >  create mode 100644 meta/classes/create-spdx-3.0.bbclass
> > > > >  create mode 100644 meta/classes/spdx-common.bbclass
> > > > >  create mode 100644 meta/lib/oe/sbom30.py
> > > > >  create mode 100644 meta/lib/oe/spdx30.py
> > > > >  create mode 100644 meta/lib/oe/spdx30_tasks.py
> > > > >  create mode 100644 meta/lib/oe/spdx_common.py
> > > > >
> > > > > --
> > > > > 2.43.0
> > > --
> > > Kamel Bouhara, Bootlin
> > > Embedded Linux and kernel engineering
> > > https://bootlin.com
> >
> > --
> > Kamel Bouhara, Bootlin
> > Embedded Linux and kernel engineering
> > https://bootlin.com

--
Kamel Bouhara, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com
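As an added, constructed example (not oe-core's code and not part of this series): simplified stand-ins for decode_cve_status() and get_patched_cves() that model the VEX loss Peter describes, with the merged lookup beside a version that keeps patch-derived ids distinct. cves_from_patches(), vex_naive(), vex_fixed() and the sample inputs are assumptions made for illustration.

```python
import re
# Added, constructed example: simplified stand-ins for oe-core's
# decode_cve_status() and get_patched_cves(), not the real implementations.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def decode_cve_status(cve_status):
    """Decode a simplified CVE_STATUS mapping {cve: 'status: reason'}."""
    decoded = {}
    for cve, value in cve_status.items():
        status, _, reason = value.partition(":")
        decoded[cve] = (status.strip(), reason.strip())
    return decoded

def cves_from_patches(patch_headers):
    """Collect ids from 'CVE:' lines in SRC_URI patch headers."""
    found = set()
    for header in patch_headers:
        for line in header.splitlines():
            if line.startswith("CVE:"):
                found.update(CVE_RE.findall(line))
    return found

def get_patched_cves(decoded, from_patches):
    """Both sources merged into one set, which hides where each id came from."""
    return set(decoded) | from_patches

def vex_naive(patched, decoded):
    # Behaviour from the thread: every id in get_patched_cves() is looked up
    # in the decoded CVE_STATUS map; patch-derived ids have no entry, come
    # back "unknown" and are skipped ("missing or unknown CVE status").
    return {cve: decoded[cve][0] if cve in decoded else "unknown"
            for cve in patched}

def vex_fixed(patched, from_patches, decoded):
    # Corrected: an id fixed by a SRC_URI patch is "fixed" by construction;
    # only CVE_STATUS-sourced ids need decoding.
    result = {}
    for cve in patched:
        if cve in from_patches:
            result[cve] = "fixed"
        elif cve in decoded:
            result[cve] = decoded[cve][0]
        else:
            result[cve] = "unknown"
    return result

# Constructed inputs: the curl id from the thread's warning plus a placeholder
# id (CVE-2000-0000) standing in for a recipe's CVE_STATUS entry.
SAMPLE_STATUS = {"CVE-2000-0000": "not-applicable-platform: only affects Windows"}
SAMPLE_PATCHES = ["Subject: curl: backport fix\nCVE: CVE-2024-11053\n---\n"]
```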