From: Jörg Sommer Date: Tue, 3 Feb 2026 18:59:54 +0000 (+0100) Subject: create-spdx-2.2.bbclass: Add CVE_CHECK_IGNORE to fixed CVEs X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f8525224cb825b1aad2be240731eabafdde7612d;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git create-spdx-2.2.bbclass: Add CVE_CHECK_IGNORE to fixed CVEs The list of CVEs fixed by patches goes to the field *sourceInfo* in the SBOM. But this list does not contain the CVEs marked for ignoring with the Bitbake variable *CVE_CHECK_IGNORE*. Many recipes (e.g. openssh, glibc, python) contain such entries and these are missing in the SBOM. Therefore, add them to the list. Signed-off-by: Jörg Sommer Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index 0ffaeba0e9..65d10d86db 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass @@ -480,6 +480,11 @@ python do_create_spdx() { # save the CVEs fixed by patches to source information field in the SPDX. patched_cves = oe.cve_check.get_patched_cves(d) patched_cves = list(patched_cves) + + ignored_cves = d.getVar("CVE_CHECK_IGNORE") + if ignored_cves: + patched_cves.extend(ignored_cves.split()) + patched_cves = ' '.join(patched_cves) if patched_cves: recipe.sourceInfo = "CVEs fixed: " + patched_cves
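Review bot: after the `patched_cves.extend(ignored_cves.split())` line, the CVEs from `CVE_CHECK_IGNORE` are emitted under the unchanged label `recipe.sourceInfo = "CVEs fixed: " + patched_cves`, so an SBOM consumer will read an ignored (not-applicable) CVE as one that has actually been patched; consider keeping the two statuses distinct in the text, e.g. `"CVEs fixed: " + patched + " CVEs ignored: " + ignored`, so the SPDX sourceInfo does not overstate what the recipe addresses. Two smaller points in the same hunk: a CVE listed both by `get_patched_cves` and in `CVE_CHECK_IGNORE` is now appended twice, and the list order depends on the order of the underlying collection, so building the string with `' '.join(sorted(set(patched_cves)))` would give a deduplicated, reproducible field. The commit message mentions only the ignore list; it would help to note that ignored CVEs land in the same "fixed" sentence if that is the intended behaviour.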