From: Joshua Watt <JPEWhacker@gmail.com>
Date: Wed, 5 Mar 2025 21:00:30 +0000 (-0700)
Subject: lib: sbom30: Add action statement for affected VEX statements
X-Git-Tag: yocto-5.2~305
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=39545c955474a43d11a45d74a88a5999b02cb8b3;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git

lib: sbom30: Add action statement for affected VEX statements

VEX Affected relationships have a mandatory action statement that
indicates the mitigation for a vulnerability. Since we don't track this
add a statement indicating that no mitigation is known.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---

diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 0595ebd41ca..227ac518770 100644
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -685,6 +685,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
             to,
             spdxid_name="vex-affected",
             security_vexVersion=VEX_VERSION,
+            security_actionStatement="Mitigation action unknown",
         )
 
     def new_vex_ignored_relationship(self, from_, to, *, impact_statement):