diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
index ac956379d1..fc49fe0a50 100644
--- a/meta/conf/cve-check-map.conf
+++ b/meta/conf/cve-check-map.conf
@@ -28,8 +28,12 @@ CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
 CVE_CHECK_STATUSMAP[disputed] = "Ignored"
 # use when vulnerability depends on build or runtime configuration which is not used
 CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent"
+
 # use when vulnerability affects other platform (e.g. Windows or Debian)
 CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+CVE_CHECK_VEX_JUSTIFICATION[not-applicable-platform] = "vulnerableCodeNotPresent"
+
 # use when upstream acknowledged the vulnerability but does not plan to fix it
 CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 5d9f3168d9..c352dab152 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
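Review bot: The two new CVE_CHECK_VEX_JUSTIFICATION flags carry no comment saying which values are accepted, while the SPDX 3 code in this same commit aborts with bb.fatal when the value is not a name in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS, so a layer that overrides the flag with a typo only finds out when create_spdx runs. I would add above the first flag: `# Optional VEX justification recorded in the SPDX 3 VEX statement for an Ignored status; must be a security_VexJustificationType name (e.g. vulnerableCodeNotPresent), otherwise SPDX generation fails`. The not-applicable-config comment covers both build-time and runtime configuration, and vulnerableCodeNotPresent is only accurate for the build-time case where the code is compiled out; if the SPDX 3 enum in this tree also provides vulnerableCodeNotInExecutePath, a sentence in the comment on which one to pick when a recipe overrides the flag would help downstream layers choose correctly. The trailing context line of this hunk appears to have been lost in the page, so the counts in the hunk header may not match the lines shown.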
@@ -724,24 +724,23 @@ def create_spdx(d):
 impact_statement=description,
 )
 
- if detail in (
- "ignored",
- "cpe-incorrect",
- "disputed",
- "upstream-wontfix",
- ):
- # VEX doesn't have justifications for this
- pass
- elif detail in (
- "not-applicable-config",
- "not-applicable-platform",
- ):
- for v in spdx_vex:
- v.security_justificationType = (
- oe.spdx30.security_VexJustificationType.vulnerableCodeNotPresent
+ vex_just_type = d.getVarFlag(
+ "CVE_CHECK_VEX_JUSTIFICATION", detail
+ )
+ if vex_just_type:
+ if (
+ vex_just_type
+ not in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS
+ ):
+ bb.fatal(
+ f"Unknown vex justification '{vex_just_type}', detail '{detail}', for ignored {cve}"
 )
- else:
- bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")
+
+ for v in spdx_vex:
+ v.security_justificationType = oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS[
+ vex_just_type
+ ]
+
 elif status == "Unknown":
 bb.note(f"Skipping {cve} with status 'Unknown'")
 else:
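Review bot: The rewrite drops the old fallthrough `bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")`, so an Ignored detail with no CVE_CHECK_VEX_JUSTIFICATION flag now silently produces a VEX not-affected statement without any justification instead of an error; that is the intent for ignored/cpe-incorrect/disputed/upstream-wontfix, but it also means a misspelled detail is no longer caught here unless the status lookup earlier in create_spdx (outside this hunk) already rejects it, which is worth confirming. The flag value is also used verbatim, so a value with stray whitespace such as `"vulnerableCodeNotPresent "` fails the NAMED_INDIVIDUALS check with a confusing message; `vex_just_type = (d.getVarFlag("CVE_CHECK_VEX_JUSTIFICATION", detail) or "").strip()` would make that robust. The NAMED_INDIVIDUALS lookup is repeated for every object in spdx_vex; hoisting it once, `justification = oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS[vex_just_type]`, and assigning `v.security_justificationType = justification` in the loop is clearer and keeps the line within the formatter's width. create_spdx begins and ends outside the hunk.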