From 5d7d2981bdbb0e3c1d02c037f8dcf79cffead00d Mon Sep 17 00:00:00 2001
From: Joshua Watt
Date: Wed, 5 Mar 2025 14:00:30 -0700
Subject: lib: sbom30: Add action statement for affected VEX statements
VEX Affected relationships have a mandatory action statement that indicates the mitigation for a vulnerability. Since we don't track this add a statement indicating that no mitigation is known.
(From OE-Core rev: 39545c955474a43d11a45d74a88a5999b02cb8b3)
Signed-off-by: Joshua Watt
Signed-off-by: Richard Purdie
---
meta/lib/oe/sbom30.py | 1 +
1 file changed, 1 insertion(+)
(limited to 'meta/lib')
diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 0595ebd41c..227ac51877 100644
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -685,6 +685,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
 to,
 spdxid_name="vex-affected",
 security_vexVersion=VEX_VERSION,
+ security_actionStatement="Mitigation action unknown",
 )

 def new_vex_ignored_relationship(self, from_, to, *, impact_statement):
--
cgit v1.2.3-54-g00ecf
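Review bot: The action statement is hard-coded in the added `security_actionStatement="Mitigation action unknown",` line, so every affected VEX relationship carries the same placeholder and a caller that does know a mitigation cannot supply it. The sibling `new_vex_ignored_relationship(self, from_, to, *, impact_statement)` at the end of the hunk already takes its statement as a keyword-only argument. A matching `action_statement="Mitigation action unknown"` keyword on the enclosing method, forwarded as `security_actionStatement=action_statement`, would keep today's output while leaving room for real data. A comment such as `# VEX affected requires an action statement; mitigations are not tracked, so this is a placeholder` would also stop SBOM consumers from reading the text as remediation guidance. The enclosing method's signature lies above the hunk, so the parameter change is inferred rather than shown.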