git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commitdiff
create-spdx-2.2.bbclass: Add CVE_CHECK_IGNORE to fixed CVEs
author Jörg Sommer <joerg.sommer@navimatix.de>
Tue, 3 Feb 2026 18:59:54 +0000 (19:59 +0100)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Mon, 9 Feb 2026 17:46:58 +0000 (17:46 +0000)
The list of CVEs fixed by patches goes to the field *sourceInfo* in the
SBOM. But this list does not contain the CVEs marked for ignoring with the
Bitbake variable *CVE_CHECK_IGNORE*. Many recipes (e.g. openssh, glibc,
python) contain such entries and these are missing in the SBOM. Therefore,
add them to the list.

Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/classes/create-spdx-2.2.bbclass

index 0ffaeba0e9b141ee364b5f9962cfe3a1a1d1e860..65d10d86dbf2e1dcdea448c2f2ead3758a3da6a3 100644 (file)
@@ -480,6 +480,11 @@ python do_create_spdx() {
     # save the CVEs fixed by patches to source information field in the SPDX.
     patched_cves = oe.cve_check.get_patched_cves(d)
     patched_cves = list(patched_cves)
+
+    ignored_cves = d.getVar("CVE_CHECK_IGNORE")
+    if ignored_cves:
+        patched_cves.extend(ignored_cves.split())
+
     patched_cves = ' '.join(patched_cves)
     if patched_cves:
         recipe.sourceInfo = "CVEs fixed: " + patched_cves
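Review bot: the entries appended at `patched_cves.extend(ignored_cves.split())` end up under the same `"CVEs fixed: "` label as the CVEs that patches actually fix, yet an entry in CVE_CHECK_IGNORE only means the recipe is not checked against that CVE, not that it is fixed; an SBOM consumer reading sourceInfo cannot tell the two apart. Consider a separate wording for the ignored set, or state the new mixed meaning of the field in the commit message. Also, a CVE present both in the result of `get_patched_cves(d)` and in CVE_CHECK_IGNORE will now be listed twice; deduplicate before the `' '.join(patched_cves)`, for example with `patched_cves = sorted(set(patched_cves))`.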