[0/2] Check compiled files to filter kernel CVEs

Message ID 20250416142859.909037-1-daniel.turull@ericsson.com

Daniel Turull April 16, 2025, 2:28 p.m. UTC
From: Daniel Turull <daniel.turull@ericsson.com>

Since kernel.org became a CNA, more information is available in the published CVEs,
including details about which files are affected by a given CVE.

This series adds functionality to fetch the database from kernel.org CNA information:
https://git.kernel.org/pub/scm/linux/security/vulns.git

To filter out CVEs that are not applicable, I developed a new bbclass that uses files
compiled with the build kernel configuration. This approach requires a compiled kernel,
which is why it's implemented as a new class rather than an extension of the existing
cve-check.

In the future, an alternative approach could involve incorporating the affected files
into SPDX rather than saving them independently and running an external tool to filter the
CVEs.

Comments and suggestions are welcome.

Daniel Turull

Daniel Turull (2):
  linux-vulns: fetch kernel.org CNA info
  cve-check-kernel: verify kernel CVEs using programFile from kernel.org CNA

 meta/classes/cve-check-kernel.bbclass     | 132 ++++++++++++++++++++++
 meta/conf/distro/include/maintainers.inc  |   1 +
 meta/recipes-core/meta/linux-vulns_git.bb |  42 +++++++
 3 files changed, 175 insertions(+)
 create mode 100644 meta/classes/cve-check-kernel.bbclass
 create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb
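As an added illustration of the filtering idea described in this cover letter (example code written for this page, not part of the series and not the cve-check-kernel.bbclass itself), the script below decides whether a CVE applies to a given kernel build by matching the record's affected source files against the objects the build actually produced. It assumes the kernel.org CNA records are CVE JSON 5 documents whose `affected` entries carry a `programFiles` list of paths relative to the kernel tree, and that every compiled `.c` or `.S` file leaves a `.o` with the same stem in the build directory; the records and the object list are constructed samples, and the CVE ids are placeholders.

```python
"""Filter kernel CVEs by whether their affected source files were compiled.

Example code, not from the patch series or from Yocto/OE. Assumptions:
- records follow the CVE JSON 5 layout used by the kernel.org CNA, with
  containers.cna.affected[].programFiles holding tree-relative source paths;
- each compiled .c/.S unit produces a .o with the same stem in the build tree
  (e.g. the output of `find $B -name '*.o'`).
"""
from pathlib import PurePosixPath

# Constructed sample records, trimmed to the fields this script reads.
# The CVE ids are placeholders, not real advisories.
SAMPLE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-YYYY-EXAMPLE1"},
     "containers": {"cna": {"affected": [
         {"vendor": "Linux", "product": "Linux",
          "programFiles": ["drivers/net/ethernet/example/core.c",
                           "drivers/net/ethernet/example/core.h"]}]}}},
    {"cveMetadata": {"cveId": "CVE-YYYY-EXAMPLE2"},
     "containers": {"cna": {"affected": [
         {"vendor": "Linux", "product": "Linux",
          "programFiles": ["drivers/net/wireless/example/rx.c"]}]}}},
    {"cveMetadata": {"cveId": "CVE-YYYY-EXAMPLE3"},
     "containers": {"cna": {"affected": [
         {"vendor": "Linux", "product": "Linux",
          "programFiles": ["include/linux/example.h"]}]}}},
]

# Constructed list of objects present after the build, relative to the
# build root (what the bbclass would gather from the compiled kernel).
SAMPLE_BUILT_OBJECTS = [
    "init/main.o",
    "drivers/net/ethernet/example/core.o",
    "arch/x86/kernel/entry.o",
]


def affected_files(record):
    """Union of programFiles across all affected entries of one record."""
    files = set()
    cna = record.get("containers", {}).get("cna", {})
    for entry in cna.get("affected", []):
        files.update(entry.get("programFiles", []))
    return files


def compiled_units(object_files):
    """Map built objects back to source stems: 'a/b.o' -> 'a/b'."""
    return {str(PurePosixPath(o).with_suffix("")) for o in object_files}


def classify(record, object_files):
    """Return (verdict, reason) for one record against one build.

    'applicable'     : at least one affected .c/.S unit was compiled.
    'not-applicable' : every affected file is a .c/.S unit and none was built.
    'unknown'        : nothing compiled, but a header or other non-unit file
                       is listed; headers leave no object of their own, so
                       they cannot be ruled out this way and stay flagged.
    """
    units = compiled_units(object_files)
    files = affected_files(record)
    if not files:
        return "unknown", "record lists no programFiles"
    compiled, undecidable = [], []
    for f in sorted(files):
        path = PurePosixPath(f)
        if path.suffix in (".c", ".S"):
            if str(path.with_suffix("")) in units:
                compiled.append(f)
        else:
            undecidable.append(f)
    if compiled:
        return "applicable", "compiled: " + ", ".join(compiled)
    if undecidable:
        return "unknown", "no object to match: " + ", ".join(undecidable)
    return "not-applicable", "no affected source unit was compiled"


def filter_records(records, object_files):
    """Classify every record; returns {cveId: (verdict, reason)}."""
    return {r["cveMetadata"]["cveId"]: classify(r, object_files)
            for r in records}


if __name__ == "__main__":
    for cve_id, (verdict, reason) in filter_records(
            SAMPLE_RECORDS, SAMPLE_BUILT_OBJECTS).items():
        print(f"{cve_id}: {verdict} ({reason})")
```

The conservative `unknown` bucket is the part worth keeping in any real filter: a CVE that only names headers, Kconfig or Makefile fragments cannot be dismissed by looking at object files, so it should stay in the report rather than be silently dropped.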