lib: sbom30: Add action statement for affected VEX statements

VEX Affected relationships have a mandatory action statement that
indicates the mitigation for a vulnerability. Since we don't track this
add a statement indicating that no mitigation is known.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 0595ebd41ca1885e7d99a3c26c54b44b29e4e9b9..227ac5187708c8af57a684d34c12a73c0d4d5524 100644 (file)
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -685,6 +685,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
             to,
             spdxid_name="vex-affected",
             security_vexVersion=VEX_VERSION,
+            security_actionStatement="Mitigation action unknown",
         )
 
     def new_vex_ignored_relationship(self, from_, to, *, impact_statement):