spdx: Update spdx to include 'Ignored' CVEs

usercw88 · usercw88 · commit e3ac5d171f5a · 2025-11-07T08:51:30.000-06:00
Signed-off-by: Can Wong &lt;can.wong@emerson.com&gt;
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
@@ -605,6 +605,16 @@ python do_create_spdx() {
     if patched_cves:
         recipe.sourceInfo = "CVEs fixed: " + patched_cves
 
+    ignored_cves = oe.cve_check.get_ignored_cves(d)
+    ignored_cves = list(ignored_cves)
+    ignored_cves = ' '.join(ignored_cves)
+    if ignored_cves:
+        if patched_cves:
+            recipe.sourceInfo += "; "
+        else:
+            recipe.sourceInfo = ""
+        recipe.sourceInfo += "CVEs ignored: " + ignored_cves
+
     cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
     if cpe_ids:
         for cpe_id in cpe_ids:
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
@@ -140,6 +140,19 @@ def get_patched_cves(d):
     return patched_cves
 
 
+def get_ignored_cves(d):
+    """
+    Get CVEs that are marked as ignore using the "CVE_STATUS" flag.
+    """
+    ignored_cves = set()
+    for cve in (d.getVarFlags("CVE_STATUS") or {}):
+        decoded_status, _, _ = decode_cve_status(d, cve)
+        if decoded_status == "Ignored":
+            bb.debug(2, "CVE %s is ignored" % cve)
+            ignored_cves.add(cve)
+    return ignored_cves
+
+
 def get_cpe_ids(cve_product, version):
     """
     Get list of CPE identifiers for the given product and version
