spdx30_tasks: adapt CVE handling to new cve-check API

Changes to cve-check (see poky commit fb3f440b7d8, "cve-check: annotate CVEs during analysis") modified the get_patched_cves() API to return a set of CVE IDs instead of a dictionary of CVE metadata. The SPDX 3 backport still expected a dictionary and attempted to call .items(), leading to: AttributeError: 'set' object has no attribute 'items' This patch updates the SPDX3 code to iterate directly over the CVE IDs and use `oe.cve_check.decode_cve_status()` to retrieve the mapping, detail, and description for each CVE. This restores compatibility with the updated CVE API and matches the behavior of SPDX3 handling on Walnascar. A warning is logged if a CVE has missing or unknown status. (From OE-Core rev: 55fdeea44ffbecb705f7900bfa85ab88e1191878) Signed-off-by: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-04-02 02:49:11 +00:00 · 2025-11-07 14:14:49 +01:00 · 2025-11-07 14:14:49 +01:00 · 5b74a8f1a5
commit 5b74a8f1a5
parent 71aca87ca7
1 changed files with 12 additions and 17 deletions
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@ -502,34 +502,29 @@ def create_spdx(d):
    cve_by_status = {}
    if include_vex != "none":
        patched_cves = oe.cve_check.get_patched_cves(d)
-        for cve, patched_cve in patched_cves.items():
-            decoded_status = {
-                "mapping": patched_cve["abbrev-status"],
-                "detail": patched_cve["status"],
-                "description": patched_cve.get("justification", None)
-            }
+        for cve_id in patched_cves:
+            mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id)
+
+            if not mapping or not detail:
+                bb.warn(f"Skipping {cve_id} — missing or unknown CVE status")
+                continue

            # If this CVE is fixed upstream, skip it unless all CVEs are
            # specified.
            if (
                include_vex != "all"
-                and "detail" in decoded_status
-                and decoded_status["detail"]
-                in (
-                    "fixed-version",
-                    "cpe-stable-backport",
-                )
+                and "detail" in ("fixed-version", "cpe-stable-backport")
            ):
-                bb.debug(1, "Skipping %s since it is already fixed upstream" % cve)
+                bb.debug(1, "Skipping %s since it is already fixed upstream" % cve_id)
                continue

-            spdx_cve = build_objset.new_cve_vuln(cve)
+            spdx_cve = build_objset.new_cve_vuln(cve_id)
            build_objset.set_element_alias(spdx_cve)

-            cve_by_status.setdefault(decoded_status["mapping"], {})[cve] = (
+            cve_by_status.setdefault(mapping, {})[cve_id] = (
                spdx_cve,
-                decoded_status["detail"],
-                decoded_status["description"],
+                detail,
+                description,
            )

    cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))