Hello Benjamin,

Do you confirm that this time it is ready for review?

Kind regards,
Marta
On Fri, Nov 21, 2025 at 10:54 AM Benjamin Robin via lists.openembedded.org <[email protected]> wrote:
> (I'm resending this series because it was blocked for spam, sorry for the
> noise)
>
> Currently only CVEs with "Patched" status are exported in SPDX 3.0 files.
> Moreover, CVE annotations provided by the CVE_STATUS_GROUPS variable are not
> exported, since previously this was only handled by cve-check.bbclass.
>
> Also the vex.bbclass is missing, which will help users to extract all the
> information needed to do a CVE analysis outside of Yocto.
>
> These changes are realized since scarthgap Long Term Support ends in April
> 2028. Without these improvements, it is not possible to do a proper CVE
> analysis outside of Yocto, solely based on the SBOM, since there are missing
> CVE annotations in the artifact files. We want to be able to extract all CVE
> annotations provided by the CVE_STATUS and the CVE_STATUS_GROUPS variables.
>
> With this backport, great care has been taken to avoid breaking compatibility.
> This is why the get_patched_cves() API was not changed. Everything that was
> needed is implemented in the associated .bbclass:
> - Patch 1/5 modifies spdx30_tasks to extract all CVE status. This commit was
>   not cherry-picked from master.
> - Patch 2/5 backports the vex.bbclass, but modifies it a bit to use the old
>   get_patched_cves() API.
> - Patch 3/5 and 4/5 are cherry-picked; these commits move the extraction of
>   CVE_STATUS_GROUPS information to lib/oe/cve_check.py
> - Patch 5/5 is cherry-picked to backport a vex.bbclass improvement
>
> This series should be applied on top of [1]:
> [scarthgap] spdx30: fix cve status for patch files in VEX
>
> [1]: https://patchwork.yoctoproject.org/project/oe-core/list/?series=40606
>
> Benjamin Robin (Schneider Electric) (5):
>   spdx30: provide all CVE_STATUS, not only Patched status
>   vex.bbclass: add a new class
>   cve-check: extract extending CVE_STATUS to library function
>   spdx: extend CVE_STATUS variables
>   vex: fix rootfs manifest
>
>  meta/classes/cve-check.bbclass   |  17 +-
>  meta/classes/spdx-common.bbclass |   5 +
>  meta/classes/vex.bbclass         | 319 +++++++++++++++++++++++++++++++
>  meta/lib/oe/cve_check.py         |  22 +++
>  meta/lib/oe/spdx30_tasks.py      |  31 +--
>  5 files changed, 365 insertions(+), 29 deletions(-)
>  create mode 100644 meta/classes/vex.bbclass
>
> --
> 2.51.2
