From: Benjamin Robin (Schneider Electric) Date: Mon, 20 Apr 2026 07:44:40 +0000 (+0200) Subject: oe/spdx30_task: Add status notes to VEX relationship X-Git-Tag: yocto-6.0~51 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=df6d882611f2b8650bcdd9feeebf46f29ae6ba34;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git oe/spdx30_task: Add status notes to VEX relationship Without the status note, we are losing the reason why the CVE is considered vulnerable or fixed. The information provided in CVE_STATUS is otherwise lost. Signed-off-by: Benjamin Robin (Schneider Electric) Signed-off-by: Richard Purdie
---
diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 5d020b934c..0f1f9281ad 100644
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -704,7 +704,8 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
             )
             return self.add(v)
 
-    def new_vex_patched_relationship(self, from_, to):
+    def new_vex_patched_relationship(self, from_, to, notes: None):
+        props = {'security_statusNotes': notes} if notes else {}
         return self._new_relationship(
             oe.spdx30.security_VexFixedVulnAssessmentRelationship,
             from_,
@@ -712,9 +713,11 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
             to,
             spdxid_name="vex-fixed",
             security_vexVersion=VEX_VERSION,
+            **props,
         )
 
-    def new_vex_unpatched_relationship(self, from_, to):
+    def new_vex_unpatched_relationship(self, from_, to, notes: None):
+        props = {'security_statusNotes': notes} if notes else {}
         return self._new_relationship(
             oe.spdx30.security_VexAffectedVulnAssessmentRelationship,
             from_,
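Review bot: `notes: None` in the new signature of new_vex_patched_relationship is an annotation, not a default value, so `notes` becomes a required positional argument and any caller that does not pass it now fails with a TypeError; the same slip is in the new_vex_unpatched_relationship signature in the next hunk and in new_vex_ignored_relationship in the hunk at -723. The three call sites in spdx30_tasks.py are updated in this commit, but any other caller of these ObjectSet helpers (out-of-tree layers, presumably) would break, and `None` is misleading as a type annotation. Change each of the three to a real default, `def new_vex_patched_relationship(self, from_, to, notes=None):` (or `notes: str | None = None` if the file's annotation style permits it), which also makes the `if notes else {}` guard meaningful. The enclosing class ObjectSet continues outside the hunk.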
@@ -723,9 +726,11 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
             spdxid_name="vex-affected",
             security_vexVersion=VEX_VERSION,
             security_actionStatement="Mitigation action unknown",
+            **props,
         )
 
-    def new_vex_ignored_relationship(self, from_, to, *, impact_statement):
+    def new_vex_ignored_relationship(self, from_, to, *, impact_statement, notes: None):
+        props = {'security_statusNotes': notes} if notes else {}
         return self._new_relationship(
             oe.spdx30.security_VexNotAffectedVulnAssessmentRelationship,
             from_,
@@ -734,6 +739,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
             spdxid_name="vex-not-affected",
             security_vexVersion=VEX_VERSION,
             security_impactStatement=impact_statement,
+            **props,
         )
 
     def import_bitbake_build_objset(self):
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index a071d85e10..ffedc1e25b 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -724,7 +724,8 @@ def create_recipe_spdx(d):
 
             if status == "Patched":
                 spdx_vex = recipe_objset.new_vex_patched_relationship(
-                    [spdx_cve_id], [recipe]
+                    [spdx_cve_id], [recipe],
+                    notes=": ".join(v for v in (detail, description) if v)
                 )
                 patches = []
                 for idx, filepath in enumerate(resources):
@@ -749,12 +750,16 @@ def create_recipe_spdx(d):
                 )
 
             elif status == "Unpatched":
-                recipe_objset.new_vex_unpatched_relationship([spdx_cve_id], [recipe])
+                recipe_objset.new_vex_unpatched_relationship(
+                    [spdx_cve_id], [recipe],
+                    notes=": ".join(v for v in (detail, description) if v)
+                )
             elif status == "Ignored":
                 spdx_vex = recipe_objset.new_vex_ignored_relationship(
                     [spdx_cve_id],
                     [recipe],
                     impact_statement=description,
+                    notes=detail,
                 )
 
                 vex_just_type = d.getVarFlag("CVE_CHECK_VEX_JUSTIFICATION", detail)
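Review bot: The expression `": ".join(v for v in (detail, description) if v)` is written twice, in the Patched branch of the -724 hunk and again in the Unpatched branch of the -749 hunk, so the two VEX statuses can silently drift apart the next time one of them is edited. Computing it once before the `if status == "Patched":` chain, `status_notes = ": ".join(v for v in (detail, description) if v)`, and passing `notes=status_notes` in both branches removes the duplication. The enclosing create_recipe_spdx body, where detail and description are assigned, starts outside the hunk, so whether they can be None or only empty strings is not visible here; the `if v` filter copes with either.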
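Review bot: In the Ignored branch, `notes=detail` records only the CVE_STATUS reason keyword, the same value the following `d.getVarFlag("CVE_CHECK_VEX_JUSTIFICATION", detail)` lookup uses as a flag name, while the Patched and Unpatched branches record keyword and description joined. The asymmetry is presumably deliberate because description is already passed as `impact_statement`, but nothing in the code says so, and a reader comparing the three branches will wonder whether the description was forgotten. A one-line comment above the call, `# description already goes into security_impactStatement; the note carries only the status keyword`, would make the intent explicit.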