lib: spdx30_tasks: Handle patched CVEs
authorJoshua Watt <JPEWhacker@gmail.com>
Thu, 6 Mar 2025 21:20:07 +0000 (14:20 -0700)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Sat, 8 Mar 2025 18:08:01 +0000 (18:08 +0000)
The code to iterate over patched CVEs (e.g. those patched by a .patch
file in SRC_URI) was accidentally omitted when writing the SPDX 3
handling. Add it in now.

[YOCTO #15789]

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/lib/oe/spdx30_tasks.py

index e3e5dbc742764585df855441f3cbc790971fde74..e20bb0c86f3b0ed537499b1dc1149873f1c9fa9b 100644 (file)
@@ -498,6 +498,16 @@ def create_spdx(d):
     # Add CVEs
     cve_by_status = {}
     if include_vex != "none":
+        for cve in oe.cve_check.get_patched_cves(d):
+            spdx_cve = build_objset.new_cve_vuln(cve)
+            build_objset.set_element_alias(spdx_cve)
+
+            cve_by_status.setdefault("Patched", {})[cve] = (
+                spdx_cve,
+                "patched",
+                "",
+            )
+
         for cve in d.getVarFlags("CVE_STATUS") or {}:
             decoded_status = oe.cve_check.decode_cve_status(d, cve)