@@ -346,15 +346,47 @@ issues helps to reduce their workload.
:term:`OpenEmbedded-Core (OE-Core)` has two scripts that help to characterize
and filter CVEs affecting the Linux kernel:
-- ``openembedded-core/meta/recipes-kernel/linux/generate-cve-exclusions.py``
+- ``openembedded-core/scripts/contrib/generate-cve-exclusions.py``
- ``openembedded-core/scripts/contrib/improve_kernel_cve_report.py``
-``generate-cve-exclusions.py``
+The usage of these scripts can be automated with ``.bbclass`` files:
+
+- ``openembedded-core/meta/classes/generate-cve-exclusions.bbclass``
+- ``openembedded-core/meta/classes/improve_kernel_cve_report.bbclass``
+
+``generate-cve-exclusions``
------------------------------
-When updating a kernel recipe, a helper script needs to be run manually to
-update the :term:`CVE_STATUS` for the kernel recipe. The script can be used
-for custom kernels.
+The kernel recipe requires :term:`CVE_STATUS` variable.
+
+Two methods are available to generate the CVE exclusions for the kernel:
+
+- The class ``generate-cve-exclusions.bbclass`` can be inherited in the
+ kernel recipe to automatically set the variable :term:`CVE_STATUS`
+ during the build, based on ``https://github.com/CVEProject/cvelistV5``.
+
+First, modify your kernel recipe to inherit the class::
+
+ inherit generate-cve-exclusions
+
+Then, you can invoke the ``generate-cve-exclusions`` task to generate
+the CVE exclusions for the kernel version being built.
+
+.. code-block:: shell
+
+ $ bitbake -c generate-cve-exclusions <linux-recipe>
+
+The task will create a new folder named ``cvelistV5`` under the kernel
+working directory.
+
+This folder will contain an updated version of ``https://github.com/CVEProject/cvelistV5``.
+
+It will also store a ``.json`` file which contains the update for
+:term:`CVE_STATUS` variable for the kernel version being built.
+
+- A script named ``generate-cve-exclusions.py`` that can be run manually
+ to generate the CVE exclusions file that can be included in the kernel
+ recipe:
First we need to get an updated version of the CVE information from the
`CVE Project`. Run it as follows:
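Review bot: the two-item bullet list introduced by "Two methods are available to generate the CVE exclusions for the kernel:" is structurally broken in this hunk. The first item ends after the ``cvelistV5`` sentence, the un-indented paragraphs that follow ("First, modify your kernel recipe to inherit the class::", the ``bitbake -c generate-cve-exclusions <linux-recipe>`` block, "The task will create a new folder...") therefore fall outside the list, and the second item ("- A script named ``generate-cve-exclusions.py`` that can be run manually") becomes a separate one-item list whose last line "recipe:" runs straight into the unchanged "First we need to get an updated version..." paragraph with no blank line, which Sphinx will report as a bullet list ending without a blank line. Either indent the step-by-step text under its item or replace the bullets with two sub-headings (class method / script method), and add a blank line after "recipe:". Two wording points: "The kernel recipe requires :term:`CVE_STATUS` variable." is missing "the" and should say what the class or script puts there (the CVE exclusions for the kernel version being built), and the class description should state plainly that the ``generate-cve-exclusions`` task fetches ``https://github.com/CVEProject/cvelistV5`` during the build, so that task needs network access and the resulting :term:`CVE_STATUS` entries are only as current as that fetch.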
@@ -391,7 +423,7 @@ Don't forget to update your kernel recipe with::
Then the CVE information will automatically be added in the
:ref:`ref-classes-cve-check` or :ref:`ref-classes-vex` report.
-``improve_kernel_cve_report.py``
+``improve_kernel_cve_report``
--------------------------------
The ``openembedded-core/scripts/contrib/improve_kernel_cve_report.py`` script
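Review bot: the heading is shortened to ``improve_kernel_cve_report`` so that it covers both the class and the script, but the unchanged first sentence still introduces only the ``openembedded-core/scripts/contrib/improve_kernel_cve_report.py`` script. Add a sentence noting that the section also describes the ``improve_kernel_cve_report.bbclass`` wrapper introduced later in this patch, mirroring how the ``generate-cve-exclusions`` section now lists both the class and the script.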
@@ -442,8 +474,22 @@ Finally, store either the ``recipe-linux-yocto.spdx.json`` or the
The :term:`SPDX` file is under
``tmp/deploy/spdx/<spdx_version>/<MACHINE>/recipes/recipe-linux-yocto.spdx.json``
-Once you have the input data, first you need to clone or fetch the latest CVE
-information from https://git.kernel.org:
+Once you have the input data, you will have two options to run the script:
+
+- Use the ``.bbclass`` file ``improve_kernel_cve_report.bbclass`` to
+ automatically run the script during the build. This class can be
+ inherited in the image recipe as follows::
+
+ inherit improve_kernel_cve_report
+
+ The class will run the script after the ``cve-check`` task and
+ generate a new version of it with a new entry in
+ ``tmp/deploy/images/machine/`` finishing with
+ ``.rootfs.scouted.json``.
+
+- Run manually the script ``improve_kernel_cve_report.py`` as follows:
+
+First, you need to clone or fetch the latest CVE information from https://git.kernel.org:
.. code-block:: shell
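Review bot: the same list problem as in the first hunk: the second item "- Run manually the script ``improve_kernel_cve_report.py`` as follows:" is followed by a blank line and the un-indented "First, you need to clone or fetch..." paragraph and its ``.. code-block:: shell``, so the manual instructions render as top-level text rather than as part of that item; indent them under the item or turn the two options into sub-headings, and change "Run manually the script" to "Run the script manually". In the class item, "generate a new version of it with a new entry in ``tmp/deploy/images/machine/`` finishing with ``.rootfs.scouted.json``" leaves "it" ambiguous and uses a literal ``machine`` where the SPDX path a few lines above uses ``<MACHINE>``; suggest "The class runs the script after the ``cve-check`` task and writes a filtered copy of the cve-check report to ``tmp/deploy/images/<MACHINE>/`` with a name ending in ``.rootfs.scouted.json``." It would also help readers to say whether the original cve-check report is left untouched, so they know which file to feed to downstream tooling.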
Update the documentation to add the description for:

* generate-cve-exclusions.bbclass
* improve_kernel_cve_report.bbclass

These .bbclass files haven't been merged yet in openembedded-core. This doesn't need to be merged until the two following PRs are validated:

* PR for generate-cve-exclusions.bbclass: https://lists.openembedded.org/g/openembedded-core/message/228924
* PR for improve_kernel_cve_report.bbclass: https://lists.openembedded.org/g/openembedded-core/message/228932

Request to set the documentation up-to-date: https://lists.openembedded.org/g/openembedded-core/message/229041

Signed-off-by: ValentinBoudevin <valentin.boudevin@gmail.com>
---
 documentation/dev-manual/vulnerabilities.rst | 62 +++++++++++++++++---
 1 file changed, 54 insertions(+), 8 deletions(-)