On Mon Jan 19, 2026 at 9:44 AM CET, Benjamin Robin via lists.openembedded.org wrote:
> Several CVE helper functions (get_patched_cves() and decode_cve_status())
> implicitly depend on the CVE_STATUS and CVE_CHECK_STATUSMAP variables, but
> these were not declared in the vardeps of their callers.
>
> On Scarthgap, the upstream fix (2cc43c72ff28aa39a417dd8d57cd7c8741c0e541)
> cannot be cherry-picked cleanly, as it also requires BitBake changes.
>
> As a workaround, explicitly add CVE_STATUS and CVE_CHECK_STATUSMAP to the
> vardeps of all tasks invoking these helpers, ensuring correct task
> re-execution when CVE status changes.
>
> This keeps CVE-related metadata generation consistent without requiring
> BitBake modifications.
>
> Signed-off-by: Benjamin Robin (Schneider Electric)
> <[email protected]>
> ---
> changes in v2:
> - provide a clearer commit message
>
>  meta/classes/create-spdx-2.2.bbclass | 1 +
>  meta/classes/create-spdx-3.0.bbclass | 2 ++
>  meta/classes/cve-check.bbclass       | 1 +
>  meta/classes/vex.bbclass             | 1 +
>  4 files changed, 5 insertions(+)

Thanks for this v2. I appreciate it.

Regards,
--
Yoann Congal
Smile ECS
