@@ -335,3 +335,111 @@ When analyzing CVEs, it is recommended to:
- follow public `open source security mailing lists <https://oss-security.openwall.org/wiki/mailing-lists>`__ for
discussions and advance notifications of CVE bugs and software releases with fixes.
+Linux kernel vulnerabilities
+============================
+
+Since the Linux kernel became a CVE Numbering Authority (CNA), the number of associated CVEs has increased dramatically. Security teams must address these CVEs to meet regulatory and customer requirements. Automation on identifying issue helps to reduce their workload.
+
+OpenEmbedded-core has two scripts that helps to characterize and filter CVEs that affects the Linux kernel, which use one of the following CVE sources:
+
+- https://git.kernel.org/pub/scm/linux/security/vulns.git
+- https://github.com/CVEProject/cvelistV5
+
+The scripts' location are:
+
+- ``openembedded-core/meta/recipes-kernel/linux/generate-cve-exclusions.py``
+- ``openembedded-core/scripts/contrib/improve_kernel_cve_report.py``
+
+generate-cve-exclusions.py
+--------------------------
+
+When updating a kernel recipe, a helper script needs to be run manually to update the CVE_STATUS for the kernel recipe. The script can be used for custom kernels. Run it as follows::
+
+ openembedded-core/meta/recipes-kernel/linux/generate-cve-exclusions.py <datadir> <version> > cve-exclusion_<kernel_version>.inc
+
+Example::
+
+ cd openembedded-core/meta/recipes-kernel/linux/
+ ./generate-cve-exclusions.py ~/cvelistV5 6.12.27 > cve-exclusion_6.12.inc
+
+Then the CVE information will automatically be added in the :ref:`ref-classes-cve-check` or :ref:`ref-classes-vex` report.
+
+improve_kernel_cve_report.py
+-----------------------------
+
+The script in ``openembedded-core/scripts/contrib/improve_kernel_cve_report.py`` leverages CVE kernel metadata and the :term:`SPDX_INCLUDE_COMPILED_SOURCES` to update the ``cve-summary.json``. It reduces CVE false positives by 70%-80% and provide detailed responses for all kernel-related CVEs, with the files used to build the kernel. The script is decoupled from the build and can be run outside BitBake.
+
+The script uses the output from :ref:`ref-classes-vex` or :ref:`ref-classes-cve-check` class as input, together with CVE information from the Linux kernel CNA to enrich the ``cve-summary.json``. It creates a new json file with updated CVE information. Optionally, it can also use the list of compiled files from the kernel :term:`SPDX` to ignore CVEs that are not affected because the files are not compiled.
+
+BitBake uses the debug information to extract the sources used to build a binary. Therefore, it needs to be configured in the kernel to extract the kernel compiled files. Enable it by adding the following in your ``local.conf`` or kernel recipe::
+
+ KERNEL_EXTRA_FEATURES:append = " features/debug/debug-kernel.scc"
+
+Or by editing your kernel configuration to include DWARF4 debug information.
+
+The sources for the kernel are stored under ``tmp/pkgdata/<MACHINE>/debugsources/linux-yocto-debugsources.json.zstd``. In order to include the information into the :term:`SPDX` file to filter out source files that are not included in the binaries, add the following in your ``local.conf``::
+
+ SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = "1"
+
+Finally, store either the ``recipe-linux-yocto.spdx.json`` or the ``linux-yocto-debugsources.json.zstd`` outside the build directory.
+
+The :term:`SPDX` file is under ``tmp/deploy/spdx/3.0.1/<MACHINE>/recipes/recipe-linux-yocto.spdx.json``
+
+Once you have the input data, first you need to clone or fetch the latest CVE information from kernel.org::
+
+ git clone https://git.kernel.org/pub/scm/linux/security/vulns.git
+
+Finally, run the script by using one of the examples bellow. The most exact are the first two examples, using the old cve-summary.json to identify the kernel version.
+
+- Example using old-cve-report as input::
+
+ python3 openembedded-core/scripts/contrib/improve_kernel_cve_report.py --spdx tmp/deploy/spdx/3.0.1/qemux86_64/recipes/recipe-linux-yocto.spdx.json --datadir ./vulns --old-cve-report build/tmp/log/cve/cve-summary.json
+
+- Example using debug-sources file instead of SPDX kernel file::
+
+ python3 openembedded-core/scripts/contrib/improve_kernel_cve_report.py --debug-sources tmp/pkgdata/qemux86_64/debugsources/linux-yocto-debugsources.json.zstd --datadir ./vulns --old-cve-report build/tmp/log/cve/cve-summary.json
+
+- Example using the kernel-version::
+
+ python3 openembedded-core/scripts/contrib/improve_kernel_cve_report.py --spdx tmp/deploy/spdx/3.0.1/qemux86_64/recipes/recipe-linux-yocto.spdx.json --kernel-version 6.12.27 --datadir ./vulns
+
+Example of output for a CVE that the binary does not include the source code due to the kernel configuration::
+
+ {
+ "id": "CVE-2025-38384",
+ "status": "Ignored",
+ "detail": "not-applicable-config",
+ "summary": "In the Linux kernel, the following vulnerability has been resolved (...),
+ "description": "Source code not compiled by config. {'drivers/mtd/nand/spi/core.c'}"
+ },
+
+Example of output for a CVE not in range::
+
+ {
+ "id": "CVE-2025-40017",
+ "status": "Patched",
+ "detail": "fixed-version",
+ "summary": "In the Linux kernel, the following vulnerability has been resolved (...),
+ "description": "only affects 6.15 onwards"
+ }
+
+Example of output for a CVE that is vulnerable::
+
+ {
+ "id": "CVE-2024-58093",
+ "status": "Unpatched",
+ "detail": "version-in-range",
+ "summary": "In the Linux kernel, the following vulnerability has been resolved (...),
+ "description": "Needs backporting (fixed from 6.15)"
+ }
+
+Example of output for a CVE rejected by the Linux CNA::
+
+ {
+ "id": "CVE-2025-38380",
+ "status": "Ignored",
+ "detail": "rejected",
+ "summary": "In the Linux kernel, the following vulnerability has been resolved (...),
+ "description": "Rejected by CNA"
+ }
+
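Review bot: the four JSON output examples are not valid JSON as written: in each one the ``summary`` line is missing its closing quote, e.g. ``"summary": "In the Linux kernel, the following vulnerability has been resolved (...),`` should read ``"summary": "In the Linux kernel, the following vulnerability has been resolved (...)",`` (and the first snippet ends with ``},`` while the other three end with ``}``). Readers tend to copy these as reference output, so they should parse. The two ``--old-cve-report`` command lines also mix working directories: the SPDX and debug-sources paths start at ``tmp/...`` while the report path is ``build/tmp/log/cve/cve-summary.json``; pick one base (probably the build directory) for all three. Please also reference ``CVE_STATUS`` as :term:`CVE_STATUS` like the other variables in this section, and fix the wording: "Automation on identifying issue helps" -> "Automating the identification of issues helps", "two scripts that helps to characterize and filter CVEs that affects" -> "two scripts that help to characterize and filter CVEs that affect", "The scripts' location are" -> "The scripts are located at", "provide detailed responses" -> "provides detailed responses", "examples bellow" -> "examples below", and "The most exact are the first two examples" -> "The first two examples are the most accurate". Two consecutive paragraphs both start with "Finally" (storing the SPDX/debug-sources file, then running the script); only the last step should.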