oe/spdx30_task: Add status notes to VEX relationship
authorBenjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Mon, 20 Apr 2026 07:44:40 +0000 (09:44 +0200)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Mon, 20 Apr 2026 16:58:37 +0000 (17:58 +0100)
Without the status note, we lose the reason why the CVE is
considered vulnerable or fixed.
The information provided in CVE_STATUS is otherwise lost.

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/lib/oe/sbom30.py
meta/lib/oe/spdx30_tasks.py

index 5d020b934cc036cb78eccd9e54a50c64c6b89029..0f1f9281ad3237a3dacb0b27e5cff40d3025af06 100644 (file)
@@ -704,7 +704,8 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
         )
         return self.add(v)
 
-    def new_vex_patched_relationship(self, from_, to):
+    def new_vex_patched_relationship(self, from_, to, notes: None):
+        props = {'security_statusNotes': notes} if notes else {}
         return self._new_relationship(
             oe.spdx30.security_VexFixedVulnAssessmentRelationship,
             from_,
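Review bot: `notes: None` on the new signature is a type annotation, not a default, so `notes` becomes a required positional parameter annotated as type None; the intent is clearly an optional argument, i.e. `def new_vex_patched_relationship(self, from_, to, notes=None):`, and the same slip is in the new_vex_unpatched_relationship and new_vex_ignored_relationship signatures below (where it makes `notes` a required keyword-only argument). As written, any caller outside this commit that still passes only `from_, to` fails with TypeError, and the annotation misleads readers into thinking the parameter only accepts None. The `props` guard on the next line already handles the None/empty case, so restoring the default is the only change needed. The body of new_vex_patched_relationship continues into the next hunk.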
@@ -712,9 +713,11 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
             to,
             spdxid_name="vex-fixed",
             security_vexVersion=VEX_VERSION,
+            **props,
         )
 
-    def new_vex_unpatched_relationship(self, from_, to):
+    def new_vex_unpatched_relationship(self, from_, to, notes: None):
+        props = {'security_statusNotes': notes} if notes else {}
         return self._new_relationship(
             oe.spdx30.security_VexAffectedVulnAssessmentRelationship,
             from_,
@@ -723,9 +726,11 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
             spdxid_name="vex-affected",
             security_vexVersion=VEX_VERSION,
             security_actionStatement="Mitigation action unknown",
+            **props,
         )
 
-    def new_vex_ignored_relationship(self, from_, to, *, impact_statement):
+    def new_vex_ignored_relationship(self, from_, to, *, impact_statement, notes: None):
+        props = {'security_statusNotes': notes} if notes else {}
         return self._new_relationship(
             oe.spdx30.security_VexNotAffectedVulnAssessmentRelationship,
             from_,
@@ -734,6 +739,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
             spdxid_name="vex-not-affected",
             security_vexVersion=VEX_VERSION,
             security_impactStatement=impact_statement,
+            **props,
         )
 
     def import_bitbake_build_objset(self):
index a071d85e10eabbe4dbffb9742b1485acd5381cdc..ffedc1e25b59f8b2164b6e10bc5639f1a2f8a122 100644 (file)
@@ -724,7 +724,8 @@ def create_recipe_spdx(d):
 
             if status == "Patched":
                 spdx_vex = recipe_objset.new_vex_patched_relationship(
-                    [spdx_cve_id], [recipe]
+                    [spdx_cve_id], [recipe],
+                    notes=": ".join(v for v in (detail, description) if v)
                 )
                 patches = []
                 for idx, filepath in enumerate(resources):
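Review bot: The `": ".join(v for v in (detail, description) if v)` expression is written out here and again in the Unpatched branch of the next hunk; computing it once as `status_notes = ": ".join(v for v in (detail, description) if v)` ahead of the `if status == "Patched":` chain and passing `notes=status_notes` in both branches keeps the two call sites from drifting apart. `detail` and `description` are bound outside the hunk, so I am assuming both are str-or-None, which the `if v` filter tolerates. create_recipe_spdx starts before this hunk.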
@@ -749,12 +750,16 @@ def create_recipe_spdx(d):
                     )
 
             elif status == "Unpatched":
-                recipe_objset.new_vex_unpatched_relationship([spdx_cve_id], [recipe])
+                recipe_objset.new_vex_unpatched_relationship(
+                    [spdx_cve_id], [recipe],
+                    notes=": ".join(v for v in (detail, description) if v)
+                )
             elif status == "Ignored":
                 spdx_vex = recipe_objset.new_vex_ignored_relationship(
                     [spdx_cve_id],
                     [recipe],
                     impact_statement=description,
+                    notes=detail,
                 )
 
                 vex_just_type = d.getVarFlag("CVE_CHECK_VEX_JUSTIFICATION", detail)
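Review bot: In the Ignored branch only `detail` is passed as `notes`, while the Patched and Unpatched branches join `detail` and `description`, and nothing in the code says why the shape differs; a short comment would stop the next reader from "harmonising" it, e.g. `# description is already emitted as impact_statement; detail is the VEX justification key used below`. That reading is inferred from the `impact_statement=description` argument and the `CVE_CHECK_VEX_JUSTIFICATION` lookup on the last line of the hunk, so confirm it before committing the wording. create_recipe_spdx continues past this hunk.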