From: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Date: Fri, 21 Nov 2025 09:54:12 +0000 (+0100)
Subject: spdx: extend CVE_STATUS variables
X-Git-Tag: 2024-04.15-scarthgap~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23a4e02542252657fa45fd4a605aec0af9178e0b;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git

spdx: extend CVE_STATUS variables

If spdx is generated without inheriting cve/vex classes (which is poky
default), only explicitly set CVE_STATUS fields are handled.
Calculated ones (e.g. from CVE_STATUS_GROUPS) are ignored.

Fix this by expanding the CVE_STATUS in spdx classes.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ead9c6a8770463c21210a57cc5320f44f7754dd3)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---

diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
index 36feb56807..713a7fc651 100644
--- a/meta/classes/spdx-common.bbclass
+++ b/meta/classes/spdx-common.bbclass
@@ -37,6 +37,11 @@ SPDX_CUSTOM_ANNOTATION_VARS ??= ""
 
 SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
 
+python () {
+    from oe.cve_check import extend_cve_status
+    extend_cve_status(d)
+}
+
 def create_spdx_source_deps(d):
     import oe.spdx_common