From 1ff496546279d8a97df5ec475007cfb095c2a0bc Mon Sep 17 00:00:00 2001
From: Joshua Watt
Date: Thu, 6 Mar 2025 14:20:07 -0700
Subject: [PATCH] lib: spdx30_tasks: Handle patched CVEs
The code to iterate over patched CVEs (e.g. those patched by a .patch file in SRC_URI) was accidentally omitted when writing the SPDX 3 handling. Add it in now [YOCTO #15789]
Signed-off-by: Joshua Watt
Signed-off-by: Richard Purdie
---
 meta/lib/oe/spdx30_tasks.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index e3e5dbc7427..e20bb0c86f3 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -498,6 +498,16 @@ def create_spdx(d):
 # Add CVEs
 cve_by_status = {}
 if include_vex != "none":
+ for cve in oe.cve_check.get_patched_cves(d):
+ spdx_cve = build_objset.new_cve_vuln(cve)
+ build_objset.set_element_alias(spdx_cve)
+
+ cve_by_status.setdefault("Patched", {})[cve] = (
+ spdx_cve,
+ "patched",
+ "",
+ )
+
 for cve in d.getVarFlags("CVE_STATUS") or {}:
 decoded_status = oe.cve_check.decode_cve_status(d, cve)
--
2.47.3
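Review bot: A CVE id returned by `oe.cve_check.get_patched_cves(d)` that also carries a `CVE_STATUS` flag would be visited by both loops, so `new_cve_vuln(cve)` runs twice for it and, depending on how the second loop files its result, the same id could end up under "Patched" and under another status in `cve_by_status`. For a VEX consumer that would be two contradictory statements about one vulnerability, so the precedence is worth making explicit, for example at the top of the `CVE_STATUS` loop: `if cve in cve_by_status.get("Patched", {}): continue` (or the reverse, dropping the patch-derived entry when an explicit status exists). Whether the two sources can overlap depends on `get_patched_cves`, which is not shown here, and both the second loop's body and the rest of `create_spdx` continue outside the hunk. The empty string in the third tuple slot also leaves patch-derived entries without any detail text; if that is intended, a short comment such as `# no detail text: status comes from a CVE patch in SRC_URI` would say so.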