From: Kamel Bouhara (Schneider Electric)
Date: Fri, 7 Nov 2025 13:14:49 +0000 (+0100)
Subject: spdx30_tasks: adapt CVE handling to new cve-check API
X-Git-Tag: 2024-04.14-scarthgap~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55fdeea44ffbecb705f7900bfa85ab88e1191878;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git
spdx30_tasks: adapt CVE handling to new cve-check API
Changes to cve-check (see poky commit fb3f440b7d8, "cve-check: annotate CVEs during analysis") modified the get_patched_cves() API to return a set of CVE IDs instead of a dictionary of CVE metadata. The SPDX 3 backport still expected a dictionary and attempted to call .items(), leading to:
AttributeError: 'set' object has no attribute 'items'
This patch updates the SPDX3 code to iterate directly over the CVE IDs and use `oe.cve_check.decode_cve_status()` to retrieve the mapping, detail, and description for each CVE. This restores compatibility with the updated CVE API and matches the behavior of SPDX3 handling on Walnascar. A warning is logged if a CVE has missing or unknown status.
Signed-off-by: Kamel Bouhara (Schneider Electric)
---
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index f6e6e545dc..6b0aa137c4 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -502,34 +502,29 @@ def create_spdx(d):
     cve_by_status = {}
     if include_vex != "none":
         patched_cves = oe.cve_check.get_patched_cves(d)
-        for cve, patched_cve in patched_cves.items():
-            decoded_status = {
-                "mapping": patched_cve["abbrev-status"],
-                "detail": patched_cve["status"],
-                "description": patched_cve.get("justification", None)
-            }
+        for cve_id in patched_cves:
+            mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id)
+
+            if not mapping or not detail:
+                bb.warn(f"Skipping {cve_id} — missing or unknown CVE status")
+                continue
 
             # If this CVE is fixed upstream, skip it unless all CVEs are
             # specified.
             if (
                 include_vex != "all"
-                and "detail" in decoded_status
-                and decoded_status["detail"]
-                in (
-                    "fixed-version",
-                    "cpe-stable-backport",
-                )
+                and "detail" in ("fixed-version", "cpe-stable-backport")
             ):
-                bb.debug(1, "Skipping %s since it is already fixed upstream" % cve)
+                bb.debug(1, "Skipping %s since it is already fixed upstream" % cve_id)
                 continue
 
-            spdx_cve = build_objset.new_cve_vuln(cve)
+            spdx_cve = build_objset.new_cve_vuln(cve_id)
             build_objset.set_element_alias(spdx_cve)
 
-            cve_by_status.setdefault(decoded_status["mapping"], {})[cve] = (
+            cve_by_status.setdefault(mapping, {})[cve_id] = (
                 spdx_cve,
-                decoded_status["detail"],
-                decoded_status["description"],
+                detail,
+                description,
             )
 
     cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
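Review bot: The rewritten skip condition tests the string literal `"detail"` for membership in the tuple, which is always false, so the "already fixed upstream" branch under it is now dead and every fixed-version / cpe-stable-backport CVE is emitted even when include_vex is not "all" — the opposite of what the comment above the `if (` says. The old code compared the decoded status value; the new line should read `and detail in ("fixed-version", "cpe-stable-backport")`, since `detail` is the unpacked value from decode_cve_status() two statements earlier. The new `if not mapping or not detail:` guard warns and drops the entry; if decode_cve_status() can legitimately return an empty mapping for an annotated-but-unclassified CVE, that entry silently disappears from the VEX data, so it may be worth stating in the warning which of the two fields was missing. create_spdx() starts before and continues after this hunk.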