From f8525224cb825b1aad2be240731eabafdde7612d Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=B6rg=20Sommer?=
Date: Tue, 3 Feb 2026 19:59:54 +0100
Subject: [PATCH] create-spdx-2.2.bbclass: Add CVE_CHECK_IGNORE to fixed CVEs
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The list of CVEs fixed by patches goes to the field *sourceInfo* in the SBOM. But this list does not contain the CVEs marked for ignoring with the Bitbake variable *CVE_CHECK_IGNORE*. Many recipes (e.g. openssh, glibc, python) contain such entries and these are missing in the SBOM. Therefore, add them to the list.

Signed-off-by: Jörg Sommer
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
 meta/classes/create-spdx-2.2.bbclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index 0ffaeba0e9..65d10d86db 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -480,6 +480,11 @@ python do_create_spdx() {
 # save the CVEs fixed by patches to source information field in the SPDX.
 patched_cves = oe.cve_check.get_patched_cves(d)
 patched_cves = list(patched_cves)
+
+ ignored_cves = d.getVar("CVE_CHECK_IGNORE")
+ if ignored_cves:
+ patched_cves.extend(ignored_cves.split())
+
 patched_cves = ' '.join(patched_cves)
 if patched_cves:
 recipe.sourceInfo = "CVEs fixed: " + patched_cves
-- 
2.47.3
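Review bot: The entries appended from CVE_CHECK_IGNORE are not fixed CVEs, yet the unchanged line `recipe.sourceInfo = "CVEs fixed: " + patched_cves` now labels them as such; an ignore entry usually records that a CVE was judged not applicable to this build rather than that it was patched, so an SBOM consumer reading "fixed" receives a stronger claim than the recipe actually made. Keeping the two lists apart, e.g. `recipe.sourceInfo = "CVEs fixed: " + " ".join(patched_cves)` followed by `recipe.sourceInfo += " CVEs ignored: " + " ".join(ignored)` only when the ignore list is non-empty, records the same information without overstating it. The extend() also lets a CVE present in both sources appear twice in the field; `sorted(set(...))` before the join would deduplicate it and make the output stable across builds. Recent OE-core appears to route CVE_CHECK_IGNORE through CVE_STATUS with a per-CVE status, which may be the better source for this field — worth confirming against cve-check.bbclass before relying on the raw variable. do_create_spdx() begins and ends outside the hunk.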