From: Jörg Sommer <[email protected]> The list of CVEs fixed by patches goes to the field *sourceInfo* in the SBOM. But this list does not contain the CVEs marked for ignoring with the Bitbake variable *CVE_CHECK_IGNORE*. Many recipes (e.g. openssh, glibc, python) contain such entries and these are missing in the SBOM. Therefore, add them to the list.
Signed-off-by: Jörg Sommer <[email protected]> --- meta/classes/create-spdx-2.2.bbclass | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index 0ffaeba0e9..65d10d86db 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass @@ -480,6 +480,11 @@ python do_create_spdx() { # save the CVEs fixed by patches to source information field in the SPDX. patched_cves = oe.cve_check.get_patched_cves(d) patched_cves = list(patched_cves) + + ignored_cves = d.getVar("CVE_CHECK_IGNORE") + if ignored_cves: + patched_cves.extend(ignored_cves.split()) + patched_cves = ' '.join(patched_cves) if patched_cves: recipe.sourceInfo = "CVEs fixed: " + patched_cves -- 2.51.0
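Review bot: The added block in do_create_spdx() appends the CVE_CHECK_IGNORE entries to patched_cves, but the field is still written as `recipe.sourceInfo = "CVEs fixed: " + patched_cves`, so an SBOM consumer cannot tell a CVE that was actually patched from one the recipe merely chose to ignore (which may be a not-applicable judgement rather than a fix); label the two sets separately in sourceInfo, e.g. "CVEs fixed: ..." followed by "CVEs ignored: ...", or at least say so in the comment above the block. Also, `patched_cves.extend(ignored_cves.split())` can produce duplicates if a CVE appears both in the patched set and in CVE_CHECK_IGNORE, so deduplicate (e.g. build a set, or skip entries already present) before the `' '.join(...)`.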
