(I'm resending this series because it was blocked for spam, sorry for the noise)
Currently only CVEs with "Patched" status are exported in SPDX 3.0 files. Moreover, CVE annotations provided by the CVE_STATUS_GROUPS variable are not exported, since previously this was only handled by cve-check.bbclass. Also the vex.bbclass is missing, which will help users to extract all the information needed to do a CVE analysis outside of Yocto.

These changes are realized since scarthgap Long Term Support ends in April 2028. Without these improvements, it is not possible to do a proper CVE analysis outside of Yocto, solely based on the SBOM, since there are missing CVE annotations in the artifact files. We want to be able to extract all CVE annotations provided by the CVE_STATUS and the CVE_STATUS_GROUPS variables.

With this backport, great care has been taken to avoid breaking compatibility. This is why the get_patched_cves() API was not changed. Everything that was needed is implemented in the associated .bbclass:

- Patch 1/5 modifies spdx30_tasks to extract all CVE status. This commit was not cherry-picked from master.
- Patch 2/5 backports the vex.bbclass, but modifies it a bit to use the old get_patched_cves() API.
- Patch 3/5 and 4/5 are cherry-picked; these commits move the extraction of CVE_STATUS_GROUPS information to lib/oe/cve_check.py.
- Patch 5/5 is cherry-picked to backport a vex.bbclass improvement.

This series should be applied on top of [1]: [scarthgap] spdx30: fix cve status for patch files in VEX

[1]: https://patchwork.yoctoproject.org/project/oe-core/list/?series=40606

Benjamin Robin (Schneider Electric) (5):
  spdx30: provide all CVE_STATUS, not only Patched status
  vex.bbclass: add a new class
  cve-check: extract extending CVE_STATUS to library function
  spdx: extend CVE_STATUS variables
  vex: fix rootfs manifest

 meta/classes/cve-check.bbclass   |  17 +-
 meta/classes/spdx-common.bbclass |   5 +
 meta/classes/vex.bbclass         | 319 +++++++++++++++++++++++++++++++
 meta/lib/oe/cve_check.py         |  22 +++
 meta/lib/oe/spdx30_tasks.py      |  31 +--
 5 files changed, 365 insertions(+), 29 deletions(-)
 create mode 100644 meta/classes/vex.bbclass

-- 
2.51.2
