public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed
* [scarthgap][PATCH v2] meta/classes: fix missing vardeps for CVE status variables
@ 2026-01-19  8:44 Benjamin Robin (Schneider Electric)
  2026-02-07 17:31 ` [OE-core] " Yoann Congal
  0 siblings, 1 reply; 2+ messages in thread
From: Benjamin Robin (Schneider Electric) @ 2026-01-19  8:44 UTC (permalink / raw)
  To: openembedded-core
  Cc: Benjamin Robin (Schneider Electric), thomas.petazzoni,
	mathieu.dubois-briand, antonin.godard, kamel.bouhara,
	jeremie.dautheribes, jpewhacker

Several CVE helper functions (get_patched_cves() and decode_cve_status())
implicitly depend on the CVE_STATUS and CVE_CHECK_STATUSMAP variables, but
these were not declared in the vardeps of their callers.

On Scarthgap, the upstream fix (2cc43c72ff28aa39a417dd8d57cd7c8741c0e541)
cannot be cherry-picked cleanly, as it also requires BitBake changes.

As a workaround, explicitly add CVE_STATUS and CVE_CHECK_STATUSMAP to the
vardeps of all tasks invoking these helpers, ensuring correct task
re-execution when CVE status changes.

This keeps CVE-related metadata generation consistent without requiring
BitBake modifications.

Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
---
changes in v2:
 - provide a clearer commit message

 meta/classes/create-spdx-2.2.bbclass | 1 +
 meta/classes/create-spdx-3.0.bbclass | 2 ++
 meta/classes/cve-check.bbclass       | 1 +
 meta/classes/vex.bbclass             | 1 +
 4 files changed, 5 insertions(+)

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index aaa2e78fe211..037193bb4b96 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -710,6 +710,7 @@ python do_create_spdx() {
 
             oe.sbom.write_doc(d, package_doc, pkg_arch, "packages", indent=get_json_indent(d))
 }
+do_create_spdx[vardeps] += "CVE_STATUS"
 do_create_spdx[vardepsexclude] += "BB_NUMBER_THREADS"
 # NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source
 addtask do_create_spdx after do_package do_packagedata do_unpack do_collect_spdx_deps before do_populate_sdk do_build do_rm_work
diff --git a/meta/classes/create-spdx-3.0.bbclass b/meta/classes/create-spdx-3.0.bbclass
index 6125e8b54794..388497054b09 100644
--- a/meta/classes/create-spdx-3.0.bbclass
+++ b/meta/classes/create-spdx-3.0.bbclass
@@ -159,6 +159,8 @@ do_create_spdx[vardeps] += "\
     SPDX_PROFILES \
     SPDX_NAMESPACE_PREFIX \
     SPDX_UUID_NAMESPACE \
+    CVE_STATUS \
+    CVE_CHECK_STATUSMAP \
     "
 
 addtask do_create_spdx after \
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index f5bbaa5d159a..3f4704fb4ec2 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -187,6 +187,7 @@ python do_cve_check () {
 }
 
 addtask cve_check before do_build
+do_cve_check[vardeps] += "CVE_STATUS CVE_CHECK_STATUSMAP"
 do_cve_check[depends] = "cve-update-nvd2-native:do_unpack"
 do_cve_check[nostamp] = "1"
 
diff --git a/meta/classes/vex.bbclass b/meta/classes/vex.bbclass
index 707e6f45a19a..45a15348724b 100644
--- a/meta/classes/vex.bbclass
+++ b/meta/classes/vex.bbclass
@@ -160,6 +160,7 @@ python do_generate_vex () {
 
     cve_write_data_json(d, cve_data, cves_status)
 }
+do_generate_vex[vardeps] += "CVE_STATUS CVE_CHECK_STATUSMAP"
 
 addtask generate_vex before do_build
 


^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-02-07 17:31 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-19  8:44 [scarthgap][PATCH v2] meta/classes: fix missing vardeps for CVE status variables Benjamin Robin (Schneider Electric)
2026-02-07 17:31 ` [OE-core] " Yoann Congal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox